Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Create NEW Ransomware: Darknet Site Ransomware Scheme


Surfing the darknet as I do, I came across this little gem of a site today. The idea here is that you can share in the bitcoin ransom by entering your wallet address and then getting a download of the malware to deploy wherever you like. This seems like a Ponzi scheme to me, where you offer a great reward for a little action and in the end you get ripped off, but OK, let’s run with it. The site is in the darknet and I am not sure if or how they are publishing this site elsewhere so people can find it and use it. I must say, though, that the site is more complete than I thought it would be once you start to dig, and the ransomware is new to me, as it seems to be to VT and Hybrid as well.

So yeah, I decided to play along and I used someone’s wallet to start the process here. Whose wallet, you ask? Well, this guy’s wallet will do since he has never had anything in it. So it’s fairly simple: you put in the wallet address, then solve the captcha, and lo and behold, you download the ransomware. I also decided to see whether, if I put in an alternate wallet address, I would get another hashed file, and yes, yes I did. I only changed the wallet address by one letter (a) and got a new file that I uploaded to VT after the first one.

 

Upon upload to VT and Hybrid I get hits on the major players and the designation of the malware is of course ransomware but you choose the name you like because there are too many per the AV firms (please stop this)…

So yeah, the ransomware is not so stealthy and likely anyone with current AV will have some intervention, one hopes… But how many really keep their AV up to date and working?

*sigh*

Anyway, I uploaded it to Hybrid and got the following report and the second with the second sample here

 

The malware reaches out to the darknet via a .casa online bridge to the darknets. Once you plug in that address you get the Qrypter site frontend. This site is your C&C, ostensibly to track your malware and your bitcoin “donations” from the poor sods who get the malware. The unfortunate bit is that when you go to the URL that is in the malware you get the following sad news:

OH NOES! Are you smelling a scam? Cuz I am kinda smelling a scam here now…

Anywho, the interesting bit for the site itself is that it has a display on how many AV vendors are seeing the malware and as of today it’s… Wrong?

Mmmmmmyeaahhhh no, I see 14 vendors seeing this as malware and I have just added to the hash pile by uploading my samples here so that is likely to get even more detected as the day passes on. So, this is an interesting turn in malware as a service, or in this case Ransomware As A Service (RAAS) as I have seen out there on the net. I have captured the whole site in the darknet and I will be spending some more cycles on the malware later on so updates will likely follow on this post. For now though, just enjoy the novelty and the derp.

Cheers,

K.

UPDATE: This is evidently a new replay of something seen in 2017
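
For defenders, the callback through a clearnet .casa bridge described above leaves a DNS trail, and the following added example (not code from this post or from the sample) flags such lookups in a resolver log. The log format, the placeholder onion label, and the `<onion-address>.onion.casa` / `<onion-address>.casa` hostname layouts are assumptions; the post only says a .casa bridge is used.

```python
import re

# Onion service labels are base32: 16 chars (v2, current in 2018) or 56 (v3).
ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Constructed sample resolver log: timestamp, client IP, query type, query name.
# "examplexample234" is a placeholder label, not an address from the post.
LOG = """\
2018-02-19T15:01:02Z 10.0.0.23 A www.example.com
2018-02-19T15:01:07Z 10.0.0.23 A examplexample234.onion.casa
2018-02-19T15:02:11Z 10.0.0.41 A examplexample234.onion
2018-02-19T15:03:30Z 10.0.0.57 A EXAMPLEXAMPLE234.casa.
"""

def gateway_hit(qname):
    """Return (onion_label, gateway_domain) when an onion-shaped label sits
    under a clearnet domain, i.e. the lookup goes through a web bridge."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] == "onion":
        return None  # a native .onion name never reaches a clearnet bridge
    for i, label in enumerate(labels[:-1]):
        if ONION_LABEL.fullmatch(label):
            return label, ".".join(labels[i + 1:])
    return None

def find_gateway_lookups(log_text):
    """Scan the log and return (timestamp, client, onion_label, gateway) hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of guessing at them
        ts, client, _qtype, qname = fields
        hit = gateway_hit(qname)
        if hit:
            hits.append((ts, client) + hit)
    return hits

if __name__ == "__main__":
    # A 16-letter dictionary word is also valid base32, so treat hits as
    # leads for triage rather than verdicts.
    for ts, client, onion, gateway in find_gateway_lookups(LOG):
        print(f"{ts} {client} looked up onion label {onion} via {gateway}")
```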

Written by Krypt3ia

2018/02/19 at 15:49

Posted in DARKNET, Malware, Ransomware
