Cybercrime has piggybacked on the extremely successful SaaS model, and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant appeared in 2015.
So, how did the bad guys implement this technically?
Using this architecture they can encrypt client-side files without using many resources and stay under the radar to evade detection. Ransom32 targets only specific file extensions and encrypts them with AES, but it uses wildcards like .*sav* to maximise its "effectiveness". A large benefit for the malware author is that NW.js is a legitimate framework and application, so it is no surprise that antivirus signature coverage is still very poor at the time of writing.
How does this Ransomware-as-a-Service work?
Any newbie cybercriminal can easily go to a darkweb TOR site, register with a Bitcoin address, and configure and download their very own customised version of the executable. The developers take a 25 per cent cut of all ransom payments and forward the rest to their criminal affiliate. Affiliates can run multiple campaigns with different Bitcoin addresses. The executable can be spread with the usual infection vectors: massive spray-and-pray phishing campaigns, targeted spear-phishing, malvertising with poisoned ads on websites compromised with Exploit Kits causing drive-by downloads of the RaaS executable, manually hacking Linux servers, or brute-forcing terminal servers.
What is the scary part?
Larry Abrams at bleepingcomputer put it best: "No administrative rights necessary. Runs under the security context of the user. The ransomware itself isn't a big deal at all. It must be executed, just like any other executable because that is what it is, or installed via an exploit just like all other ransomware."
He summarised with this shorthand: "Uses AES encryption. Affiliate service. No way to decrypt for free at this time. Extracts to folder in %Temp% and %AppData%\Chrome Browser. Creates startup called ChromService. Uses TOR to communicate with C2."
What to do about it
- It is still early days, at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, we will update this post.
- Your best protection remains a solid and proven backup strategy, with regular off-site copies.
- For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running from standard user-writable paths (%appdata%, %temp%, etc.).
- Step your users through effective security awareness training which includes frequent simulated phishing attacks.
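For defenders who want to check endpoints for the artefacts quoted above (the %AppData%\Chrome Browser drop folder, the "ChromService" startup entry, and executables sitting in the %Temp% and %AppData% paths the mitigation list says to block), here is an added, read-only PowerShell hunt. It is example code written for this post, not something from the original article or from Ransom32's author; it assumes the startup entry may live either as a per-user Run key value or as a Startup-folder item, so it checks both, and it reports findings without deleting anything.

```powershell
# Added example: read-only hunt for the Ransom32 indicators named in the post.
# Assumptions: "ChromService" may be a Run key value or a Startup-folder item
# (both checked); the drop folder name is taken from the quoted indicators.
function Find-Ransom32Artifacts {
    [CmdletBinding()]
    param(
        [string]$StartupName = 'ChromService',
        [string]$DropFolder  = 'Chrome Browser'
    )
    $findings = @()

    # 1. Dropped payload folder under %AppData%
    $drop = Join-Path $env:APPDATA $DropFolder
    if (Test-Path -LiteralPath $drop) {
        $count = (Get-ChildItem -LiteralPath $drop -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
        $findings += [pscustomobject]@{ Type = 'DropFolder'; Location = $drop; Detail = "$count files" }
    }

    # 2. Persistence via the per-user Run key (runs without admin rights)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like "$StartupName*") {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 3. Persistence via the user's Startup folder
    $startupDir = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startupDir -Filter "$StartupName*" -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'StartupItem'; Location = $_.FullName; Detail = $_.LastWriteTime }
    }

    # 4. Executables directly under %Temp% or %AppData% (the paths the post says
    #    to block): anything found here deserves a closer look.
    foreach ($dir in @($env:TEMP, $env:APPDATA)) {
        Get-ChildItem -LiteralPath $dir -Include *.exe, *.scr -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'ExeInUserPath'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
            }
    }
    return $findings
}

Find-Ransom32Artifacts | Format-Table -AutoSize
```

Run it in the context of the affected user, since the Run key and Startup folder it inspects are per-user; an empty table means none of the listed artefacts were found, not that the host is clean.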
Stu Sjouwerman is the founder and CEO of KnowBe4