01 Mar 17

Ransomware for Dummies: Anyone Can Do It

Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years is the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money.

Recently, I came across an extremely slick and professionally produced video advertisement promoting the features and usability of “Philadelphia,” a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires.

This stunning advertisement does a thorough job of showcasing Philadelphia’s many features, including the ability to generate PDF reports and charts of victims “to track your malware campaigns” as well as the ability to plot victims around the world using Google Maps.

“Everything just works,” claim the proprietors of Philadelphia. “Get your lifetime copy. One payment. Free updates. No monthly fees.”

One interesting feature of this ransomware package is the ability to grant what the program’s architects call “mercy” to a victim. The option is a nod to the desperate and heartbreaking pleas that ransomware purveyors often hear from impecunious victims whose infections have jeopardized some priceless and irreplaceable data, such as photos of long-lost loved ones.

I’ll revisit the authors of this ransomware package in a future post. For now, just check out their ad. It’s fairly chilling.


88 comments

  1. Wow, Brian, how did you get hold of that YouTube video? They must have just posted it. I don’t think it will last long though. Also it’s unbelievable how brazen those crooks are. I’m curious if YouTube/Google has any means to track the IP/location of whoever uploaded that malware ad? Would be nice to follow up on it to the local authorities!

  2. …..wow, just..wow…..

    • Brian Fiori (AKA The Dean)

      My thoughts, exactly. Well, at least one of them. “Holy F#$%^@ S#&*” was another.

  3. I gotta get me one of these!

  4. For some weeks now I’ve been running Cybereason RansomFree on my Windows 10 Pro desktop. Here is a link to their webpage:

    https://ransomfree.cybereason.com/

    Would you care to comment?

    • The product you linked appears sketchy and I wouldn’t recommend anyone download it.

      The website runs a simple WordPress instance and they didn’t even bother to change much of the default content; the product refuses downloads on OS X and downloads an MSI file on Windows.

      Scan:
      https://www.virustotal.com/en/file/949e6ef1d47e60da2ed67eb185486a889abf647c93f4480c077a71e5f0a5ba0b/analysis/1488435582/

      • I was running it on two machines. On one it periodically crashed. After latest update it prevents shutdown.
        I think it needs some improvements.

      • One VirusTotal hit doesn’t make a product ‘sketchy’.

        A quick Google search shows that the product has been reviewed on PCWorld, BleepingComputer, and Lifehacker. They had mixed results but overall they end up saying it’s worth trying out.

        • Brian Fiori (AKA The Dean)

          RansomFree is not a sketchy product. It isn’t perfect, but it does a pretty good job. Also, in the past two weeks, it has updated to a new version 3 (or 4) times. So it really seems like they are on the ball and trying. After testing it for a month, or so, I have now started installing it on my clients’ PCs.

          There are a few YouTube videos which show the program in action. Keep in mind, these are from older iterations. I haven’t seen one test that suggests there is anything problematic with the product. It worked on most ransomware, but not on some of the more sophisticated versions. Again, that was well before the recent spree of updates.

          • Brian Fiori (AKA The Dean)

            I should add, expecting any one product to protect you from EVERY attack is unrealistic.

      • Cybereason is a legit security company primarily selling next generation endpoint security solutions to enterprise customers. I can’t personally speak to the effectiveness of this particular product but it’s not ‘sketchy’.

      • Cybereason is a legit company with a slick product. More of an EDR solution. I wouldn’t rely on it (or anything else detection-based) to stop ransomware. Cool detection and response tool, though.

    • BitDefender Anti-Ransomware appears (to me, at least) a better option, and certainly from a more trustworthy source.

  5. IRS iTunes Card (real)

    Ransomware-as-a-service is also known as “R.A.A.S”.

  6. Ugh. At least they haven’t made it so cheap that school kids can easily access it.

    • For an enterprising teenager, $400 is peanuts. He/She will get that on the first hit. I hope some kids don’t decide to pay for college that way. PREACH THE OFFLINE BACKUP and never click on an emailed document or link that you are not expecting.

  7. “Impecunious.” Very nice, Brian. Quality writing, as usual.

  8. Guy C. Guckenberger

    Is there a software program that effectively blocks ransomware? I would much appreciate your thoughts. I have

    • The software between the ears does a pretty good job of avoiding this.

      • Thanks for posting one of the most effective tools easily forgotten for some reason, oh ya; “curiosity killed the cat”.

    • There’s HitmanPro.Alert, which is a quite mature product but paid, as well as Malwarebytes Anti-Ransomware, which is free because it is still experimental.

      I’m not very familiar with MBAR, but I’ve tried HMP.Alert in the past. That tool tries to detect ransomware by the suspicious behaviour that comes with encrypting a lot of files for a ransom. It’s probably not 100% effective, but it’s a lot harder to beat for ransomware makers as, instead of just having to obfuscate the malware, they will have to change their entire file encryption routine to evade detection. That, coupled with the limited proliferation of HMP.Alert, means that it’s simply not worth it for the ransomware authors to try to beat HMP.Alert.

      • Malwarebytes released a major update today which consolidates their regular anti-malware engine with the anti-ransomware engine (and a third which I forget). Installing the new release will bring up a window stating that it will remove the other side-project executables if you already have them installed.

        • The “third” you may be thinking of is Malwarebytes Anti-Exploit. I just upgraded a couple of weeks ago.

      • Brian Fiori (AKA The Dean)

        I have used HitmanPro.Alert for some time. It started causing issues on many of my clients’ PCs, unfortunately. I don’t think there is any harm in trying it, though.

    • CryptoPrevent is very good.

    • Thus far the best product on the market with the best price imo is Cylance Threat Detect. I have tested many other products but thus far Cylance and Carbon Black are the best right now. Carbon Black can be expensive, which is why I favor Cylance. Do your research! Test and verify the results that the authors of the software tout. In the end, nothing is 100% foolproof. It will take AI engines that don’t exist YET to weed this garbage out of the surface net.
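The behaviour-based approach that the HitmanPro.Alert comment in this thread describes, as an added illustration that is not HitmanPro’s, Malwarebytes’, Cylance’s or any vendor’s code: a toy per-process monitor that alerts when, inside a short window, one process rewrites many files with high-entropy (ciphertext-looking) content and renames those same files to a new extension. The event format, paths, process IDs, thresholds and the simulated event stream are all constructed for this example.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file-system event as a monitor might report it (constructed format)."""
    ts: float            # seconds
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # bytes written, for "write"
    new_path: str = ""   # destination, for "rename"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Per-process sliding window over two behavioural signals:
    high-entropy overwrites and extension changes on the same files."""

    def __init__(self, window=10.0, min_files=5, entropy_threshold=7.0):
        self.window = window
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._hits = defaultdict(deque)   # pid -> deque of (ts, path, signal)
        self._flagged = set()             # pids already alerted on

    def observe(self, ev: FileEvent):
        """Feed one event; return an alert dict when a pid crosses the bar, else None."""
        if ev.pid in self._flagged:
            return None
        signal = None
        if ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_threshold:
            signal = "high_entropy_write"
        elif ev.op == "rename":
            old_ext = ev.path.rsplit(".", 1)[-1] if "." in ev.path else ""
            new_ext = ev.new_path.rsplit(".", 1)[-1] if "." in ev.new_path else ""
            if new_ext and new_ext != old_ext:
                signal = "extension_change"
        if signal is None:
            return None
        q = self._hits[ev.pid]
        q.append((ev.ts, ev.path, signal))
        while q and ev.ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        encrypted = {p for _, p, s in q if s == "high_entropy_write"}
        renamed = {p for _, p, s in q if s == "extension_change"}
        # Both signals are required: an archiver or backup job writes many
        # high-entropy files but does not rename the originals to a new extension.
        if len(encrypted) >= self.min_files and len(renamed) >= self.min_files:
            self._flagged.add(ev.pid)
            return {"pid": ev.pid, "ts": ev.ts, "files": len(encrypted),
                    "renamed": len(renamed), "sample": sorted(encrypted)[:3]}
        return None


def simulate():
    """Run the detector over a constructed event stream; returns the alerts raised."""
    det = RansomwareDetector(window=10.0, min_files=5, entropy_threshold=7.0)
    ciphertext = bytes(range(256)) * 4                 # stand-in for encrypted output, entropy 8.0
    plaintext = b"Quarterly report, draft 3.\n" * 40    # ordinary document content
    events = []
    for i in range(8):                                 # pid 1001: an editor saving documents
        events.append(FileEvent(100 + i, 1001, "write", f"/home/u/doc{i}.txt", plaintext))
    for i in range(8):                                 # pid 1002: a backup tool writing archives
        events.append(FileEvent(100 + i, 1002, "write", f"/home/u/backup{i}.zip", ciphertext))
    # pid 4242: one stray file long ago (falls outside the window), then a burst
    events.append(FileEvent(0.0, 4242, "write", "/home/u/old.jpg", ciphertext))
    events.append(FileEvent(0.1, 4242, "rename", "/home/u/old.jpg", new_path="/home/u/old.jpg.locked"))
    for i in range(6):
        t, p = 100 + i * 0.5, f"/home/u/photo{i}.jpg"
        events.append(FileEvent(t, 4242, "write", p, ciphertext))
        events.append(FileEvent(t + 0.1, 4242, "rename", p, new_path=p + ".locked"))
    events.sort(key=lambda e: e.ts)
    return [a for a in map(det.observe, events) if a]


if __name__ == "__main__":
    for alert in simulate():
        print(alert)
```

Running it raises exactly one alert, for pid 4242 on its fifth encrypted-and-renamed photo; the editor never trips the entropy check, the backup tool trips it eight times but never renames anything, and the stray file written at t=0 is pruned before the burst begins. The trade-off in the rule is visible too: ransomware that encrypts in place without renaming, or that throttles itself to a few files per window, slips past it, which is why the comment’s “probably not 100% effective” is the honest framing.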

  9. Guy C. Guckenberger

    Is there a software program that effectively blocks ransomware? I would much appreciate your thoughts.

    • Yeah, it’s called Linux.

      • KillDisk targets Linux specifically

        I’m struck with the thought, if it is so cheap, is it really worth it? It’s either a honeypot, not much use or the chances of being caught using ransomware make selling ransomware more viable.

    • Even better than software is just some basic net smarts. Don’t open attachments (especially don’t enable content on Word docs) or click on links in e-mails (or on links in PDFs in e-mails, see: don’t open attachments), disable or uninstall Flash, and hobble or disable Java. Done. If you want to be extra paranoid, run your browser in a sandbox.

    • You should look into Cylance as an option if you are installing this in an Enterprise.

      We deployed it several months ago and it has proven its worth many times over (it is working in tandem with McAfee). We did this because of several rounds of ransomware. Since then, we seem to have reduced the threat quite a bit. We have not had any reports of ransomware hits, to be sure.

      It will take some tuning, but Cylance helps all along the way.

    • RegularOfflineBackups.com

  10. Wow that is crazy… Nice catch Brian!

  11. Assuming from the Portuguese that they’re Brazilian.

    • It is from Brazil, as babyblue notes below.
      Also, the new-age music was a clear give-away (as Brazilians love that esoteric stuff).

  12. I like how he tries to hide his country, but when he zooms out you can see it say Brazil…..

  13. Anyone check out the other videos that that You Tube account had uploaded?

    This one jumped out at me: https://www.youtube.com/watch?v=ZUg_MposOZ8

  14. Incredible, why can’t Microsoft make products that work as well.

  15. Simon, the banner test video also reveals the ICQ Number 616925144 which also leads to other sites like http://shadowcrew.ws/members/servicesno1.60705/

  16. Fraud is dummy proof. It reminds me of the times when I used to be in business,
    a different job but still related to carding and online cyber-jobs.
    I got logins with good balances.
    After cash out we shared the profit with the logs supplier,
    usually a 50-60% deal.
    Usually 2-3 logins per day, cashed out,
    so usually about 2-5k per day.
    I was not professional; some guys who I know used to work
    with business and corp logins.
    They cashed out big. I was smaller.
    Something went wrong and I did 4 months in jail.
    Now I’m an old man and don’t do anything, just legitimate business.
    Memories…memories

  17. The world needs a real deterrent to these crimes. I’m sure people will cry it’s not fair, and too harsh, but nothing is too harsh for someone who intentionally hurts others.

    Prisons are crime schools and fines mean nothing to those that can pay them with other peoples money.

    I believe in cutting fingers off of people who use these programs. No jail, no fines. Petty/single offence, lose a pinky. Wrote the program, lose all the fingers on one or both hands. Those that take pity and forgive these criminals unwittingly encourage and proliferate the crimes.

    • Yeah, who cares if they go on disability or welfare for the rest of their lives…!?

      • You’re showing too much pity; they get nothing. If their family/friends take pity on them, they can leech off of them.

        A great deterrent like this would save the world millions in fraud, even if it only cut it by 1/10. (pun intended)

  18. Help spread the rumor that these packages have a secret backdoor which allows the FBI to monitor & log the illegal activity. Many people are saying.. .

  19. Don’t buy this software!!
    Most carding forums are scams too!!
    Times have changed now!!
    Stupid young naive people will
    take the blame… it’s a trap!!
    Don’t get involved. It’s not even just
    crime, it’s a trap.
    Stay away from those things.

  20. Bromium defeats ransomware. Period.

    • Anon E. Moose

      A Google search of Bromium brings up a link to a system that uses Xen to create a micro VM to isolate the infection before it occurs. This is a great idea.

      • What is the point in isolating this or any infectious software? Wouldn’t it be better to inform the user that it found an infection then remove it?

        • It’s safer to isolate without changing the UX than letting it run on the host and hoping detection (AV) sees it. Let it run safely in an isolated microVM, record what it does and get forensics. You can alert the user too. After the file is closed the ransomware is tossed with the microVM and the file is quarantined.

          • That’s interesting, considering that the only way the software would even be capable of isolating anything at all would be if it detects it in the first place. Otherwise, it would not know what to isolate (or quarantine).

            Equally interesting is that AV software is even a thought in this. As has been suggested in a few other places…..AV is all but dead.

            • AV isn’t quite dead; it has its place. Should it be relied upon to defeat attacks? No. Bromium doesn’t isolate based on whether a file or site is good or bad, it just isolates anything untrusted; if it’s good, so what? If it’s not, great, you’re safe.

              • Anything untrusted? I can do that through the hosts file.

                So far, you’re not doing a good job of selling me on this.

                • Not the forum to go into detail. Go check it out. It has nothing to do with the hosts file or anything the system itself trusts, i.e. policy says trust *.mydomain.com, then everything else is untrusted, including email attachments, USBs and all other web sites etc.

                  • I understand your software doesn’t have anything to do with the hosts file. I’m saying I can use the hosts file to filter out the things your software filters out, thereby making it useless to me. I already have the core function.

                    I don’t need to filter out my domain.com as long as I can filter out the craziness from destructive ads that can and will propagate infectious software. When my domain.com is filtered out, it doesn’t come in. Even through email.

            • Bromium’s technology is really cool. Definitely worth consideration by enterprise/govt agencies – especially since they often cannot run fully patched due to system dependencies.
              May be friendlier to uniform environments without many generations of devices. IT team may need to have more awareness of chipsets in physical machines – even those underlying virtual servers.

              Wish they made a consumer version.

              Bromium could have quite the side business developing and selling exploit data to the AV firms to develop detection signatures.

  21. That’s why, if you have parents, grandkids, or those who click on any link, you set them up with a decent wireless tablet-based system. It can run Linux, Windows, Apple or Android; it doesn’t matter, but it is recoverable. Let them, your family and friends, click away on a cheap device, and keep their good stuff away from the net. A good ten-inch tablet isn’t that much, fifty or sixty bucks; it can pick up emails, can keep copies of photos to show, take pictures even. Even get the pictures off their phones. And if some freckle-faced punk scrambles it, it’s pitchable, or recoverable to initial setup again. Well less than a bitcoin.

  22. I wish I had read the comments first because I reported the channel.

  23. The only thing missing seems to be a Gantt chart so you can see graphically the milestones and deliverables in your ransomware project.

  24. Where is the update or patch that blocks or removes this?

  25. Over the past few years, I’ve convinced everyone in my family to use Chromebooks. I sleep much better now. Nothing to fix. I don’t scold them for clicking on spam email links. I don’t care that the web sites they sometimes visit are full of infectious diseases.

    If some day there is a Chromebook virus, I can powerwash or reflash in minutes.

  26. I was too late to watch the video. It has already been taken down, “removed for violating YouTube’s community guidelines”.

    • Yeah, that was probably my mistake. I didn’t realize this was Brian’s channel and I didn’t see any prequel warning about it being an example of ransomware advertising. I mistakenly thought this was a malware author hawking his malware on youtube so I reported the video.

      Sorry Brian.

  27. This is going to become a favorite for a lot of people to get back at their in-laws, ex-boyfriend, lawyer, dentist, helpdesk, banker, insurance, friends, office enemies, email lists, etc etc etc etc. I smell money. Kind of reminds me of the Ponzi schemes. Worse yet is that just clicking the video might have installed the software. :-)

  28. Krebs

    I heard Russians have an intranetwork which includes private hacker and carding groups.

    Is that true?

  29. The video has been taken down from youtube for violating community guidelines.