
Ransomware as a Service: 8 Known RaaS Threats

May 27, 2016 by David Balaban

The rapid rise of crypto-ransomware over the past several years is undoubtedly the number one security concern that antimalware labs, working in tandem with law enforcement, have yet to tackle.

The use of strong cryptography to render victims' data inaccessible and hold it for ransom is the biggest hurdle in remediating these incidents. To top it all off, cybercriminals went even further and contrived an affiliate ransomware distribution scheme. It's called Ransomware as a Service, or RaaS. The idea is to draw a distinct line between the crypto-ransomware creators and the individuals or groups who spread the infection.

The developer writes the malicious code and provides an intuitive administrative panel for any wannabe cyber perpetrator to use. All it takes to get started on a campaign like this is to go through a simple registration, usually without being charged a penny. The affiliate dashboard allows some customization of the turnkey ransomware, such as setting the desired size of the ransom and configuring things like the Bitcoin address for payments. When using a RaaS kit, the ill-minded clients are obliged to share their revenue with the 'merchant', who will typically ask for 20% of the ransoms submitted by victims.

Effectively, this is a win-win both for the ransomware authors and the distributors. The former get a quick return on investment and needn't bother finding ways to contaminate computers, and the latter get the chance to spread a readily available file-encrypting Trojan without making any intellectual effort.

The following list reflects RaaS instances discovered since early 2015.

  • Tox

Tox was one of the first Ransomware as a Service kits. To be able to create a custom ransomware sample with Tox, an interested party simply needs to register for free on a specially crafted Tor site. Building crypto malware with Tox is a three-step experience. The affiliate has to set the ransom amount, enter the text of ransom notes to be displayed to victims, and type a verification code. The service then produces an executable disguised as a 2MB .SCR file. This obfuscation technique allows the ransomware to fly under the radar of most antivirus suites. The Tox affiliate dashboard accurately monitors the number of infected PCs and total profit in real time.


  • FAKBEN

As opposed to Tox, the FAKBEN ransomware kit isn't free. Those who want to try their hand at digital extortion with the notorious Cryptolocker Trojan have to pay a $50 opening fee. The service provides an extensive range of customizable ransomware properties. The criminals on the so-called FAKBEN Team earn 10% of the ransoms, and the affiliates get the rest. The administrative panel keeps track of the quantity of infected machines and the submitted Bitcoin ransoms. The malefactors also upsell additional services such as the distribution of the ransomware loader through the use of exploit kits, where computer users get compromised via unpatched software vulnerabilities.

  • Encryptor RaaS

The creator of Encryptor RaaS uses The Onion Router anonymity network to avoid attribution. The fee to use the kit amounts to 5% of the gross revenue generated by an affiliate. The ransoms are payable in Bitcoins as usual. The ransomware distributor can set the deadline for payments and a preferred price for data decryption before and after the timeout. The customer gets a unique Bitcoin address that acts as an identifier throughout the campaign. The publisher performs payment processing, submits affiliate commissions and provides the decryption solution. The way of spreading the offending program is up to the customer.

  • Hidden Tear

This kit is the only one on the list that was originally intended to be benign. Devised by Utku Sen, a malware researcher from Turkey, Hidden Tear is an educational project that demonstrates how ransomware works. The author posted the open-source code on GitHub so that everyone interested could understand the anatomy of a ransomware attack. Hidden Tear uses the AES block cipher to encrypt data, has a very small loader of only 12KB, and features antivirus evasion capabilities. Cybercrime actors, unfortunately, used this kit to build real-world ransomware. More than 20 malicious spinoffs of Hidden Tear have appeared between November 2015 and the present day, including Linux.Encoder, Cryptear.B, and Trojan-Ransom.MSIL.Tear.

  • ORX Locker

To create a ZIP file with the ransomware binary using the ORX Locker kit, the customer needs to sign up for the service, put in a 5-digit build ID and define the unlock price of at least $75. Having encrypted one's personal files, the Trojan stealthily downloads a Tor client in order to communicate with its Command and Control server securely. An interesting trait of this RaaS is that the ransom payments are collected and processed by a third party that distributes all the shares according to a prior agreement between the author and the affiliate. Most of the popular AV suites don't detect ORX because it implements advanced obfuscation of its malicious behavior.

  • Ransom32

Ransom32 stands out from the crowd because it is a kit for propagating the first known JavaScript ransomware. All it takes to join this underground service is to enter a Bitcoin address on the authentication screen and customize the malicious software. The admin panel allows the affiliate to define the ransom size, enter the ransom warning, and optionally configure the Trojan to have a mild effect on the target system's performance during the process of encrypting files with the AES-128 algorithm. The developer takes 25% of the ransom payments. The large WinRAR installer of 22MB is on the minus side of Ransom32. However, since it's written in JavaScript it is cross-platform, so it can potentially infect Windows, Mac and Linux computers alike.

  • Janus

This relatively new RaaS allows extortionists to build custom versions of the Petya and Mischa ransomware and fully administer the distribution campaign. Hosted on a secure Tor gateway page, Janus features a flexible payment sharing principle, where the commission depends on the weekly ransom volumes. If the volume is less than 5 BTC, the share will amount to 25%, increasing to 50% if the volume amounts to 5-25 BTC. The Petya ransomware requires administrative privileges to run on a targeted computer. In case it fails to gain these permissions, the kit will automatically install a simpler bundle called Mischa. This is the first known example of ransomware bundling.

  • AlphaLocker

Security experts consider AlphaLocker to be one of the most professional ransomware kits. As opposed to other RaaS instances that merely host affiliate campaigns, the individuals behind AlphaLocker literally sell a package with a unique copy of the actual ransomware, the master decryptor binary, and the admin panel – for as little as $65. The customer, therefore, gets full control of the ransomware and can host, distribute or even resell it as they please. AlphaLocker exhibits an amazing antivirus evasion capability due to code updates rolled out on a regular basis. It uses a mix of AES and RSA crypto to lock victims' data.

The Bottom Line

Although there have been scattershot breakthroughs in decrypting files locked by numerous ransomware strains, that's still the exception rather than the rule. Furthermore, as the RaaS model continues to thrive, there's no obstacle for unprofessional ne'er-do-wells to launch and operate these campaigns. This means that there's no guarantee that the hostage files are recoverable even if the ransom is paid. Therefore, an effective data backup strategy is critical for end users and organizations alike.
