Experts at BitDefender have discovered a Cryptolocker/Cryptowall Ransomware Kit offered for sale at $3,000, source code included.
Yesterday I wrote about a new Ransomware-as-a-service, the FAKBEN, surfaced from the criminal underground, requesting customers 10 percent profit cut. In the previous days I reported other cases involving ransomware, such as a malicious code that infected the UK Parliament, an off-line ransomware and a Linux.Encoder1 ransomware revealing the decryption key.
The cybercrime is looking with increasing interest to ransomware, today I want to write about the availability of the source code of Cryptolocker/Cryptowall in the underground.
According to Bitdefender, a Cryptolocker/Cryptowall Ransomware Kit is offered for sale for $3,000, including its source code.
The experts consider this offer for the Cryptolocker/Cryptowall Ransomware Kit not that expensive for the features it implements. We have seen that the return on investment for ransomware like Cryptowall could be very high.
Security researchers of the Cyber Threat Alliance have conducted an investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.
A Pastebin post also claims that the manual and free support is included along with Cryptolocker/Cryptowall Ransomware Kit source code, of course, buyers can pay it in Bitcoin.
The sellers also offer for sale ransomware binaries, a bundle of 8 goes for $400. However, the developer is opening to various models of sales, including the affiliate program in which he would share 50/50 the revenue with potential buyers.
"This is your chance to become a partner and join or buy build individual to you and use and to generate income and to convert and monetization," reads the post. "If you are interested then contact i need a partnership and also iselling build to you."
This is one of the few times when we can take a look at how the underground market works, the types of services offered, and maybe estimate the amount of money made from selling custom-made malware.
Liviu Arsene, Security Researcher at Bitdefender, explained that buyers of Cryptolocker/Cryptowall Ransomware Kit will allegedly not only gain access to full support but paying an additional fee they fully customize their ransomware.
"Those who actually want to purchase the Cryptolocker/Cryptowall Ransomware Kit will allegedly not only gain access to full support, but can also ask for additional modules or customizations, such as preferred language interfaces for the access panel or custom deployments on VPS servers." said Arsene.
Below the information provided by the seller, including the list of features implemented in the Cryptolocker/Cryptowall Ransomware Kit. It is interesting to note that the developer claims the ability of its ransomware of communicating with Command and Control servers over Tor without losing any connections, a unique technique that will only be disclosed once contacting support.
"Information for customers:
- Price of binary: $400 (8/1 customers)
- Price of source code and manual how edit code wallet btc i give you: $3000 (1 customer)
- You keep 100% of payments
- Free recompiles and support
- Escrow accepted
- Bitcoin (BTC) only!"
- Encryption algoritm BlowFish 448 bit (stronger then AES).
- 448 bit key is generated on computer and sent to C&C. Each computer generates unique key. Key is not stored on computer and is purged from RAM.
- All C&C decryption keys are encrypted with the RSA-alg (1024 or 2048 Bit Keys). The Password used to decrypt the private key is not stored and only temporary used(conclusion: even if the server is raided or compromised the User-Passwords cannot be decrypted).
- Locker can communicate with C&C over Tor, without losing any connections (contact support for more information – we are using a different technique).
- Files in all locations (external media and network) are encrypted.
- Encrypted extensions: odt, ods, odp, odm, odc, odb, doc, docx, docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, xf, dxg, wpd, rtf, wb2, mdf, dbf, psd, pdd, pdf, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrwref, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, c, cpp, txt, jpeg, png, gif, mp3, html, css, js, sql, mp4, flv, m3u, py, desc, con, htm, bin, wotreplay, unity3d , big, pak, rgss3a, epk , bik , slm , lbf, sav , lng ttarch2 , mpq, re4, apk, bsa , cab, ltx , forge ,asset , litemod, iwi, das , upk, bar, hkx, rofl, DayZProfile, db0, mpqge, vfs0 , mcmeta , m2, lrf , vpp_pc , ff , cfr, snx, lvl , arch00, ntl, fsh, w3x, rim ,psk , tor, vpk , iwd, kf, mlx, fpk , dazip, vtf, 001, esm , blob , dmp, layout, menu, ncf, sid, sis, ztmp, vdf, mcgame, fos, sb, itm , wmo , itm, map, wmo, sb, svg, cas, gho,iso ,rar, syncdb ,mdbackup , hkdb , hplg, hvpl, icxs, itdb, itl, mddata, sidd, sidn, bkf , qic, bkp , bc7 , bc6 ,pkpass, tax, gdb, qdf, t12,t13, ibank, sum, sie, sc2save ,d3dbsp, wmv, avi, wma, m4a, 7z, torrent, csv
- AV software cannot decrypt files (Panda Ransomware Decrypt Tool, BitDefender Decrypt, Kaspersky).
- Secure file erase (7 passes).
- Message is displayed on GUI and inside of .txt files created in all folders. This message is configured on C&C, unique by country.
- Compatible with crypters (no EOF).
- Empty recycle bin (all drives)."
Unfortunately is even simpler for wannabe cyber criminals to arrange a ransomware campaign, they don't need specific technical know-how to start developing and spreading their custom malware.