Giant ransomware bundle threatens to make malware attacks easier for crooks

Dark web vendor offers attackers a wide variety of options for targeting organisations with ransomware, warn researchers.
Written by Danny Palmer, Senior Writer

Some of the most potent forms of ransomware of 2018 are being offered for sale in a cut-price bundle deal on the dark web that also contains one of the most dangerous forms of file-encrypting malware to terrorise organisations this year.

SamSam is part of the 23-variant ransomware bundle -- significant because previously it has only been deployed by a highly specialised group.

Other well-known forms of ransomware available in the $750 '2018 ransomware pack' include Magniber, Satan, CryBrazil, XiaoBa, and more. The pack has been uncovered by researchers at cyber security firm Sixgill who describe it as an "extraordinarily rare finding". The package is a grim reminder of just how easy it is for crooks to get hold of state-of-the-art malware to start their campaigns against businesses and consumers.

"This is the first time I've ever seen an underground vendor who sells an attack kit of ransomware which offers several different popular ransomware variants," Gilad Israeli, cyber intelligence analyst at Sixgill told ZDNet.

In addition to the ransomware, the bundle also contains tutorials and instructions on how to deploy attacks -- in some cases, with additional details on how to exploit vulnerabilities, including various CVEs and EternalBlue, to increase the chance of a successful attack.

Fortunately, that's not to say any user could pick up the pack and get started with 23 different types of ransomware -- the operator would need to have some experience with ransomware to take advantage of what's on offer.

"It's not for script-kiddies, but more advanced hackers who see the value in an attack using several major ransomware variants of 2018," said Israeli.

A wide range of ransomware is offered in the bundle, with few links between the different variants, some of which have previously been distributed solely by single groups. This indicates that, if the contents of the pack are truly legitimate, the seller is someone with connections across a wide variety of forums and groups in the underground.

"This is a very surprising finding. This and some of the others are exclusive variants which can't easily be accessed. It could be that a very talented reseller has the right connections to have these exclusive variants," Israeli explained.


At $750, the pack is more expensive than kits for many forms of individual commodity malware. But it means that if one of the ransomware variants doesn't work -- because it can't infect a system, or because there's the option of decrypting it for free -- the attacker has a variety of other options to use in efforts to extort payments from victims.

"If the attacker finds they can't use one attack because an exploit won't work because of a patched vulnerability, they can try another kind of ransomware which requires other vulnerabilities," said Israeli. "The fact they can choose from a variety of different ransomware allows them to be a much bigger threat to organisations they might target."

However, the inclusion of SamSam comes as a surprise, as it's thought that this family of ransomware is the unique tool of one particular -- as yet unidentified -- cyber crime gang. But the dark web seller appears to have access to it.

"In some cases, we see scammers trying to sell something they don't really have -- and they get comments for that, saying they're a scammer. But in this case, this actor has good feedback on the forum and we can see that they have high popularity. This makes them seem reliable and credible," said Israeli.

However, the seller isn't going to be selling the pack indefinitely -- their forum post says they'll remove it from sale after 25 sales. There's no reason given as to why this is the case.
