A new kind of ransomware-as-a-service (RaaS) which offers users the chance to tailor their own code and ransom demands has been discovered in the Dark Web.
Ransomware is an escalating problem for cybersecurity researchers and the general public alike. This particular kind of malicious code has evolved beyond spying, surveillance, or browser redirection and can be far more damaging -- as many forms of ransomware encrypt your system and demand a ransom payment in return for restoring access.
However, it is not just singular kinds of ransomware around the wild which are at fault -- it is the emergence of ransomware-as-a-service platforms which give half-baked cyberattackers the chance to use someone else's ransomware creations in return for subscription payments.
According to a security advisory on PC Risk, once a system has been infected with Satan through phishing campaigns or malicious links, the malware encrypts files and tacks on the .stn extension before placing an HTML file on the desktop of compromised systems which instructs victims on their next steps.
The Satan HTML file contains a ransom demand claiming that the system's files are encrypted and restoring them are impossible -- which researchers say is sadly true at this stage as the malware uses RSA-2048 and AES-256 cryptography -- and so paying up is their only option if they want their files back.
The ransom note then guides victims to install the Tor browser, which is a requirement to reach web domains which are not indexed by typical search engines. Victims are then given the .onion link to Satan's payment page. There, they have to pay up in Bitcoin in return for keys to decrypt files, but the amount depends entirely on the RaaS user's specifications.
While some ransomware developers either fail to put a decryption method into their creations at all or leave the required keys in a place where researchers can rip them out and create decryption tools based off them, the Satan creators store the private keys on a remote server and no free decryption tool is available.
To use the Satan RaaS platform, users must sign up for an account with the malware's domain, hosted in the Dark Web. Users must then connect a Bitcoin wallet to their account and specify a cost for decryption. It is also possible for users to specify a time frame before the fee increases.
Cyberattackers are then able to download malicious executable files, ready to infect victim PCs.
The Satan platform contains a number of other features including fee payment records, transaction tracking, Satan version releases, and dropper creation. Users can also create "notes" related to their victims, learn about how to set up gateway proxies, and are given instructions on how to test their malware on a physical machine.
Lastly, Satan's creators warn users not to upload their malware to VirusTotal or other online scanners -- as doing so will give white-hat researchers the code sample required to update and protect Windows machines from the threat.
Users can also translate their malware into different languages.
In exchange, developers automatically gain 30 percent of revenues generated by cyberattackers using the RaaS in their campaigns.
"Now, the most important part: the bitcoin paid by the victim will be credited to your account," the Satan sign-up page says. "We will keep a 30 percent fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have."
While the threat level of the Satan malware is high as there are no free decryption services available, thankfully, recorded infection and exposure rates are low.
In August, researchers revealed that the creators of Cerber ransomware were cashing in hundreds of thousands of dollars a month after opening up the malware as a ransomware-as-a-service platform.