This is the first of the SentinelOne Threat Roundups, designed to be a one-stop blog for the most recent and interesting developments in the cyber threat arena. This particular post is, unsurprisingly, dedicated to developments in the ransomware malware family space.
Having exited 2016, we are closing in on 300 different ransomware families: the ID Ransomware service run by the MalwareHunterTeam has tracked over 280 families and offers a free identification service, and the numbers keep growing daily. On the dark markets there are adverts offering new strains such as Cloudsword. The Cloudsword advert below offers:
RSA 2048 + AES 256 double encryption
Private keys are generated on C&C server and only public keys are used on victim’s computer
Different key is generated each time it starts to encrypt. No key is stored locally on the victim’s computer
Encrypts over 200 file extensions
Deletes shadow volumes and disables firewall
File name doesn’t change during encryption. More stealth
Original file shredded after encryption
Customized ransom message
Individual Bitcoin address generated for each victim machine. Panel included to track payments
Bypasses all major anti-virus detection
Affiliation program. Make your own Ransomware-as-a-Service
End of advert.
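The advert's claim that Cloudsword "deletes shadow volumes and disables firewall" is one of the few technically concrete items in the list, and it is also the most useful one for a defender: both actions are normally performed through built-in Windows tools, so they leave a process-creation trail that can be alerted on. The script below is an added example, not SentinelOne's or any vendor's code. It parses constructed process-creation log lines (the Host/ParentImage/CommandLine field layout and every sample value are assumptions made for this example), flags the shadow-copy deletion and firewall-disabling command patterns, and correlates findings per host so that a single parent process doing both stands out. It deliberately treats `vssadmin list shadows`, which is benign, differently from `vssadmin delete shadows`.

```python
"""Detect shadow-copy deletion and firewall disabling in process-creation logs.

Added example, not code from the roundup or from any vendor. The log lines
are constructed to resemble an export of the CommandLine field from Windows
process-creation events (Sysmon event ID 1 / Security event 4688); the
'key=value|key=value' layout and the hosts, paths and commands are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    technique: str
    command: str


# One regex per behaviour. Case-insensitive because casing varies freely on
# the command line, and tolerant of the optional ".exe" suffix.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE,
    ),
    "firewall_disabled": re.compile(
        r"(netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+(mode=)?disable)"
        r"|Set-NetFirewallProfile\b.*-Enabled\s+False)",
        re.IGNORECASE,
    ),
}


def normalise(cmd):
    """Collapse runs of whitespace and drop quotes so the regexes see a stable shape."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def parse_line(line):
    """Parse one constructed 'key=value|key=value' log line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return a Finding for every line whose command line matches a rule."""
    findings = []
    for line in lines:
        event = parse_line(line)
        cmd = normalise(event.get("CommandLine", ""))
        for technique, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(event.get("Host", "?"),
                                        event.get("ParentImage", "?"),
                                        technique, cmd))
    return findings


def correlate(findings):
    """Group matched techniques by host; a host showing both is the strongest signal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return by_host


# Constructed sample log: two suspicious lines from one unknown parent on WS01,
# a benign editor launch on WS02, and a benign 'list' next to a deletion on WS03.
SAMPLE_LOG = [
    "Host=WS01|ParentImage=C:\\Users\\a\\Downloads\\invoice.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Host=WS01|ParentImage=C:\\Users\\a\\Downloads\\invoice.exe|CommandLine=netsh advfirewall set allprofiles state off",
    "Host=WS02|ParentImage=C:\\Windows\\explorer.exe|CommandLine=\"C:\\Program Files\\Editor\\editor.exe\" notes.txt",
    "Host=WS03|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows",
    "Host=WS03|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic   SHADOWCOPY   delete",
]


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}: {f.technique} via {f.parent}: {f.command}")
    for host, techniques in correlate(results).items():
        severity = "HIGH" if len(techniques) > 1 else "MEDIUM"
        print(f"{host}: {severity} ({', '.join(sorted(techniques))})")
```

In a real deployment the same two rules would run against the endpoint telemetry feed rather than a list of strings, and the parent image is what turns a match into an investigation lead: an administrator's `cmd.exe` deleting shadow copies during maintenance looks very different from an executable in a Downloads folder doing it and then switching the firewall off.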
Cloudsword has attracted a lot of attention and is currently in “vouch mode”, which means it is being tested for validity; keep an eye out for it.
Another newcomer to the ransomware space is Spora.
It has received lots of technical acclaim from various security sites; BleepingComputer has a thorough review.
The majority of the domains are registered to a well-known Hong Kong address and sit on ddos-guard.net infrastructure. Since the initial reviews the full restore price has risen from $79 to $120, and one report on Spora put it at $280. This may reflect the bitcoin exchange rate, a price hike, or possibly pricing based on the type of victim.
It also appears that SentinelOne is not alone in offering “guarantees” in the ransomware space. The Spora crew include a letter of guarantee that your files will be returned upon a confirmed transaction to a unique bitcoin address generated from their main address. The service, though, is only available for a 30-day period measured in Moscow time.
-----START LETTER OF GUARANTEE-----
We hereby confirm that we generated the address 1redactedaddress in order to transfer all incoming amount to account ID: 1redactedID
This service will be only available for all bitcoins received within 30 days starting from January 18, 2017, 18:10 MSK with minimum amount of 0.0001 BTC.
This letter is digitally signed by our main account: 1SporaxoosUPYPEizY46t8yquLfzyABRm
-----END LETTER OF GUARANTEE-----
We had a look around blockchain for the address 1SporaxoosUPYPEizY46t8yquLfzyABRm. The taint analysis tool on blockchain shows the number of addresses sending bitcoins to a particular address; about 1300 different addresses had sent payment to the 1SporaxoosUPYPEizY46t8yquLfzyABRm address, apparently in very small denominations. There were also two transfers out of the 1spora… address. With some help from Anton Ziukin we tracked the first transaction that was mistakenly sent to their signature address (the $79), and we can see that the addresses bounced until they finally met at
So we can estimate their profit on this address at around 22,000 USD before the money was finally moved to addresses belonging to some large Bitcoin exchange.
We googled the final exchange addresses and also found them advertised on a couple of bitcoin investment sites. doublebtc.usa-grants.org was one of them; its parent domain also offers free money, you just have to apply by entering your name, address, social security number, etc.
It's not just new strains that are being promoted; existing families are being updated too. After reaching 300 licensed sales of Stampado on AlphaBay, The_Rainmaker, author of the Philadelphia and Stampado ransomware, has released a sexy new promotional video for Stampado 2, demonstrating the new and improved usability of the product. There's a new interface, and the “give Mercy” button, prominent in version 1, appears to have disappeared.
The term Rainmaker seems to be a popular title on both sides of the ransomware battleground. Below, another “RAINMAKER” delivers a most excellent 61-page slideshow on the history and development of ransomware.
The DDI store is also proving popular, pushing copies or variants of the Jigsaw ransomware. The advert is as follows.
[DDI] Ⓞ═╦╗ Bitcoin Ransomware Ⓞ═╦╗ Earn BITCOINS with your own malware | Start earning money now!
VIP Sᴛᴏʀᴇ: Wᴀɴᴛ ᴛᴏ ɢᴇᴛ ᴀʟʟ ᴍʏ ᴘʀᴏᴅᴜᴄᴛs ᴡɪᴛʜ 50% ᴅɪsᴄᴏᴜɴᴛ? Lᴇᴀᴠᴇ ᴀ 5 sᴛᴀʀ ʀᴇᴠɪᴇᴡ ᴀɴᴅ ɢᴇᴛ ᴀᴄᴄᴇss ᴛᴏ ᴛʜᴇ VIP sᴛᴏʀᴇ!
Sold by DDI – 2091 sold since Nov 28, 2016
A step-by-step tutorial that will explain how to build your own ransomware
The BitCoinRansomware aka Jigsaw – All the source-code of the ransomware. Safe to use, you can check it. And build it by Visual Studio
Address Wizard (program) – A piece of code that makes multiple bitcoin addresses. For every receiver a new address.
Build your own bitcoin ransomware. Use your own client to spread in mass mail or a specific target. You can make thousands of Dollars on Bitcoins if you play it well.
Set your own bitcoin address
Set your own amount that needs to be paid
Locks files on the computer of the receiver. If they don’t pay, it will encrypt more files.
Make the ransomware bootable on a usb!!
End of Advert.
The distinctive ransom note of Jigsaw:
With 2,000 sold since November, subtle variants are appearing daily. However, the green font is consistent, as is the “game theme”, which together with the image is derived from the horror film Saw.
Below is the ransom note of the Jigsaw variant dubbed “Koolova”.
This time the entertainment theme has been switched to Mr. Robot by one of the variant owners.
Another Jigsaw variant was recently termed “doxware” because it claims to exfiltrate confidential information, business communication and social media history.
Whilst we doubt this is more than just a claim at this point in the development of the Jigsaw ransomware, data exfiltration has been seen in the recent database attacks, and we know from the Sony Pictures breach and the drama surrounding the Clinton email server that leaking information has the potential to cause a great deal of harm, and therefore gives the attacker even greater leverage to extract a ransom. We also know that the majority of businesses infected with ransomware prefer to restore from a backup; even though on average this takes 33 man-hours, it is still better than paying the ransom.
To many people, the threat of leaking data may prove greater than the threat of encrypting it.