Malware creators increasingly run their business like legitimate software companies

The continuing increase in ransomware attacks is, partly, due to how easy the malware can be built and used by attackers that have limited technical skills.

Take for example the Philadelphia Ransomware-as-a-Service (RaaS) offering. Offered for sale by a group (or individual?) that calls itself The Rainmakers Labs, it is just a part of the overall arsenal of “anti-security solutions” on offer:

malware business

Philadelphia is a typical piece of crypto-ransomware and, as it’s usual with RaaS offerings, the buyer will get (almost) everything he or she needs to create a ransomware sample, set up a C&C server to communicate with victims, and manage the attacks.

For more technical information about the malware, you can check out this Sophos Labs report.

Malware sales techniques

But the most interesting thing about the group is their approach to marketing and sales.

“The Rainmakers Labs run their business the same way a legitimate software company does to sell its products and services,” the researchers explained.

“While it sells Philadelphia on marketplaces hidden on the dark web, it hosts a production-quality ‘intro’ video on YouTube, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options. A detailed Help Guide, walking customers through set-up is also available on a .com website.”

As expected, they advertise the malware on dark web forums and markets, but are also pushing it via other means. As noted by ClearSky Security earlier this year, they have been aggressively spamming potential buyers via the Jabber messaging platform.

They use brochures to explain the ransomware’s features, refer to news coverage and blog posts from security professionals as a means to show that their offerings are of good quality, and offer discounts or justify the high price ($389 for Philadelphia) by highlighting the lifetime access, constant updates and easy setup/usability of their product.

Not unexpectedly, they also ultimately suffer some of the same problems legitimate software developers are faced with.

“We have found several forum posts and websites where cybercriminals try to make money selling the pirated version of Philadelphia,” the researchers noted. “They use different approaches to achieve their goal. The easiest approach is to use the reputation of Philadelphia and sell the pirated version for a cheaper price.”

Some sellers decided to give a new name and design to the ransomware, and offer extra features and services (e.g. malware delivery).

How successful are users of such RaaS offerings?

While the total number and complete scope of ransomware campaigns powered by this particular RaaS offering is difficult to estimate, the researchers have mapped three of them after locating and accessing numerous webservers used in the campaigns.

malware business

That allowed them to see that some campaigns are not widespread nor as successful as one might expect: the overwhelming majority of victims chooses not to pay to get their files decrypted.

“For inexperienced attackers the biggest problem is to successfully reach their potential victims,” the researchers pointed out.

“However if someone would start to spread this ransomware in much larger scale, following the example of Wannacry and Petya, he could cause serious problem,” they pointed out.