Ransomware-as-a-Service Becomes Increasingly Accessible via Social Media and Open Sources
Hackers need not search the dark web for access to their very own ransomware platforms these days. Cybercriminals are continually finding new ways to promote their underground businesses and gain the attention of new customers and novice hackers. Several threat actors have recently taken to popular social media and open sources like YouTube, Vimeo, and Sellix to advertise and demonstrate their discount-priced $40 ransomware-as-a-service (RaaS) builder called ZagreuS.
YouTube video showcasing the ZagreuS ransomware builder. (Source: Recorded Future)
The ZagreuS ransomware offers several attractive and easy-to-use features that make it accessible and manageable for low-level beginner hackers. According to the sellers, the ransomware features include:
- Asymmetric encryption: uses a hybrid combination of the AES-256 and RSA-2048 algorithms to lock files on the target machine.
- Deletes shadow copies and is claimed to encrypt files at very high speed.
- Claims to bypass UAC.
- Built-in loader that can be customized to drop additional payloads such as remote-access trojans (RATs).
- Lets the attacker monitor the number of victims infected with the ransomware.
- Easy personalization: enter your contact information and bitcoin address for fast payment.
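The shadow-copy deletion feature in the list above is the behaviour defenders most reliably catch, because it leaves a process-creation event before any file is encrypted. The following is an added example (not code from the article or from Recorded Future) of detection logic run over constructed Sysmon-style process-creation records; the event fields, rule names, and sample command lines are assumptions chosen for illustration, and the commands matched are the well-documented recovery-inhibition techniques (vssadmin, wmic, WMI via PowerShell, bcdedit) rather than anything specific to ZagreuS.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (simplified Sysmon Event ID 1
# fields). These are illustrative only, not telemetry from the article.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "parent": r"C:\Users\alice\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv01", "parent": r"C:\Windows\System32\backup\backup_agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign enumeration, must not alert
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

# Rule names are assumptions for this example. Each pattern targets the
# destructive verb, so read-only use of the same tools (e.g. "list shadows")
# does not fire.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+.*delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+.*shadowcopy\s+delete", re.I)),
    ("wmi_shadowcopy_delete_ps", re.compile(r"Win32_Shadowcopy.*\.Delete\(", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
]

# A parent process running from a user-writable location (a freshly downloaded
# "invoice", for instance) is scored higher than an admin shell or backup
# agent under System32, so analysts can triage likely false positives.
SUSPICIOUS_PARENT = re.compile(r"\\(Users|Temp|AppData|ProgramData|Public)\\", re.I)


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    parent: str
    cmdline: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if the event's command line matches a recovery-inhibition rule."""
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            severity = "high" if SUSPICIOUS_PARENT.search(event["parent"]) else "medium"
            return Alert(event["host"], name, severity, event["parent"], event["cmdline"])
    return None


def scan(events) -> list:
    """Run every rule over a batch of process-creation events, preserving order."""
    alerts = []
    for event in events:
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.host}: {a.rule} <- {a.parent} :: {a.cmdline}")
```

Against the constructed batch this yields four alerts: the vssadmin deletion spawned from a Downloads folder is scored high, the three launched from cmd.exe medium, and the backup agent's `list shadows` enumeration produces nothing. In production the same logic would sit on a SIEM's process-creation stream (Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled).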
A new user advertised the ZagreuS features on a deep web hacking forum. (Source: Recorded Future)
According to the original seller, ZagreuS is designed to attack large networks belonging to enterprises, corporations, and hospitals. The 11-minute demonstration video posted on YouTube states that the seller will receive a 30% commission on every ransom collected, while the remaining 70% is kept by the operator/buyer. The ransomware builder is currently available for the modest price of US$40, payable in cryptocurrency to the sellers' wallet.
Several interested buyers left comments on the sale posts on underground forums asking whether anyone had tested the ZagreuS builder, and expressed interest in trying it out. Typically, in these instances, the low price of the builder is an indication that the seller lacks experience or that the tool is not very valuable. Insikt Group has found that, most often, such a tool does not function well, its encryption can be easily undone, and it can be very difficult for the criminal “affiliates” to make a profit off their victims.
Many online platforms and social media applications are aware of these advertisements and work to have them removed. When this particular demo video was removed from the original YouTube channel, the threat actor quickly uploaded it again under a different link and pivoted to other platforms for clear web and deep web marketing, including sellix.io, RaidForums, Hack Forums, and GitHub.
Ransomware has stolen the cybercrime stage in the past year, quickly becoming one of the most damaging and prevalent forms of cyber attacks. Industries such as state and local government, healthcare, and finance have taken an especially hard hit from ransomware attacks in the past year, and it does not appear to be slowing down. There are currently over 1,800 variants of ransomware, with the top 45 variants bringing in the most ransom money.
Although the barriers to entry for malicious actors in the ransomware space have never been lower, very few criminals profit from these simple, inexpensive RaaS tools. Those who have succeeded, however, have taken advantage of the situation and raised the ransom amounts they demand. Some even go so far as to exploit their victims twice: they demand a ransom, then publish the victims' personal data on underground forums after the victims have paid.
For more information on security intelligence to defend against ransomware threats, visit www.recordedfuture.com.