
Ransomware as a Service - hmhrex
https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/
======
ikeboy
> Communications with the C2 server are performed via HTTPS:
> kdvm5fd6tn6jsbwh[.]onion[.]to (185[.]100[.]85[.]150) located in Romania.

That's just a Tor tunnel; the IP and location don't matter.

~~~
colonelxc
They also posted a bunch of hashes for a file which was customized for them,
and then remarked that virustotal hadn't seen it.

Though it does make me think that it would be a good trick to offer this
'service', but then keep all the proceeds (everyone gets the same ransomware
download). Maybe less profitable in the long term, though.

~~~
slig
> They also posted a bunch of hashes for a file which was customized for them,
> and then remarked that virustotal hadn't seen it.

Surely antivirus products are not just trying to match the SHA1 of executables
with the SHA1 of known viruses/malware, otherwise it would be trivial to bypass them.

~~~
csteegz
No, AV has capabilities much more sophisticated than that; however, from what I
understand, within the malware analysis community specific samples are
generally identified by their hash. In addition, if the hash of a file is
known-bad, you can skip all the binary pattern matching and heuristics and
stuff.
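
The hash-first, content-second flow csteegz describes, and slig's point that a hash alone is trivially bypassed, as an added Python example that is not part of this thread or of the SANS diary. The "samples" are constructed byte strings standing in for files, and the ransom-note text, the `.onion` address and the content rules are all constructed for the example:

```python
import hashlib
import re

# Constructed stand-in "samples" (byte strings, not real files or malware).
SAMPLE_A = (
    b"MZ\x90\x00" + b"\x00" * 16                        # fake DOS header
    + b"YOUR FILES HAVE BEEN ENCRYPTED. Pay at "         # constructed note
    + b"abcdefghijklmnop.onion"                          # constructed address
    + b"\x00" * 8                                        # padding
)
# The same sample with one padding byte flipped: every hash changes,
# the content does not (this is the "trivial bypass" of a hash-only check).
SAMPLE_A_REPACKED = SAMPLE_A[:-1] + b"\x01"
# A benign file that merely mentions onion services in documentation text.
BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"Tor hidden services use .onion names"


def file_hashes(data: bytes) -> dict:
    """The usual set of identifiers analysts publish for a sample."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


# Constructed content rules, consulted only when the hash is not already known.
CONTENT_RULES = {
    "ransom_note": re.compile(rb"YOUR FILES HAVE BEEN ENCRYPTED", re.I),
    # v2/v3 onion names use base32 (a-z, 2-7); require a name before ".onion".
    "onion_contact": re.compile(rb"[a-z2-7]{16,56}\.onion\b"),
}


def classify(data: bytes, known_bad_sha256: set, rules=CONTENT_RULES):
    """Return (verdict, reasons).

    Stage 1: exact hash lookup, cheap and conclusive for a known sample.
    Stage 2: content rules, which survive repacking/byte flips that
             defeat the hash lookup.
    """
    digest = file_hashes(data)["sha256"]
    if digest in known_bad_sha256:
        return ("malicious", ["sha256:known-bad"])
    hits = [f"rule:{name}" for name, rx in rules.items() if rx.search(data)]
    if len(hits) >= 2:
        return ("malicious", hits)
    if hits:
        return ("suspicious", hits)
    return ("unknown", [])


if __name__ == "__main__":
    known_bad = {file_hashes(SAMPLE_A)["sha256"]}
    for label, sample in (("original", SAMPLE_A),
                          ("repacked", SAMPLE_A_REPACKED),
                          ("benign", BENIGN)):
        print(label, file_hashes(sample)["sha256"][:16], classify(sample, known_bad))
```

Running it shows the original sample stopped at stage 1 by its published hash, the one-byte variant missing the hash set but still flagged by both content rules, and the benign file returning "unknown" because a bare ".onion" in prose does not satisfy the address rule.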

------
johnnycarcin
> "Based on the strings present in the PE file, it has been written in Go"

I find this kind of interesting. I've seen reports on other malware/virus
stuff written in Go recently. I wonder if this is because the ability to cross
compile with Go is pretty painless? Or is it because the language is fairly
approachable but still allows you to dig a bit "deeper" if you need to?

~~~
nothrabannosir
Maybe it’s a social reason and not a technical one… like, maybe Go is more
popular in… some… country… and maybe that country happens to be over
represented in… I mean, obviously not. Of course.

But maybe…

~~~
sincerely
This sort of comment is pretty frustrating for people who don't already know
what you're talking about. What are you trying to say?

~~~
dmm
[https://trends.google.com/trends/explore?q=golang#GEO_MAP](https://trends.google.com/trends/explore?q=golang#GEO_MAP)

~~~
johnnycarcin
That is very interesting, thanks for providing the link.

~~~
Recursing
Keep in mind that you get the same results for python, javascript, Java,
Kotlin and even lisp

~~~
desdiv
Yep, you're right:

[https://trends.google.com/trends/explore?q=python#GEO_MAP](https://trends.google.com/trends/explore?q=python#GEO_MAP)

[https://trends.google.com/trends/explore?q=java#GEO_MAP](https://trends.google.com/trends/explore?q=java#GEO_MAP)

[https://trends.google.com/trends/explore?q=javascript#GEO_MA...](https://trends.google.com/trends/explore?q=javascript#GEO_MAP)

[https://trends.google.com/trends/explore?q=Kotlin#GEO_MAP](https://trends.google.com/trends/explore?q=Kotlin#GEO_MAP)

[https://trends.google.com/trends/explore?q=lisp#GEO_MAP](https://trends.google.com/trends/explore?q=lisp#GEO_MAP)

My guess is that:

1. China blocks Google

2. Technical users in China use a VPN to circumvent said block, while
non-technical users switch to something else

3. Technical users search for programming language terms a lot

4. Thus the normalized ratio of (programming language search queries) /
(total search queries) is a lot higher in China compared to other countries
where Google isn't blocked

------
karrotwaltz
> The business model behind the service is simple: the bad guys keep 10% of
> the ransom.

Creating ransomware is indeed not a very nice thing to do, but IMO the ones
that most deserve to be called "bad guys" are the ones that actually
spread the binary (so, the ones that keep the other 90%).

~~~
philipov
They're all bad guys, brent.

~~~
ghostbrainalpha
Nooooooo........

We just like the marching, and the boots, and the hats.

------
blauditore
I find it somewhat ironic they include a captcha to protect against malicious
users.

~~~
nercht12
When you're evil, the first thing you lose is trust in everyone else. After
all, if you can stab in the back, what stops others from stabbing you?

------
JumpCrisscross
I'm waiting for something like this to take the form of an Ethereum smart
contract.

~~~
hellbanner
Yes. Automated trading is going to bring about many terrifying things,
unfortunately.

------
btx
Interestingly, it does not seem to be a new concept:

[https://www.reddit.com/r/netsec/comments/37ko5v/introducing_...](https://www.reddit.com/r/netsec/comments/37ko5v/introducing_raas_ransomware_as_a_service/)

[https://securingtomorrow.mcafee.com/mcafee-labs/meet-tox-ran...](https://securingtomorrow.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us)

They used to take 20% 'commission'.

