In today's digital threat environment, the common computer criminal wants two things: money and safety. They want to get a high return on investment for their efforts, but they don't want to get caught. By meeting those two demands, a criminal ensures they have the resources and freedom necessary to plan out future attacks. These bad actors get what they want by carefully choosing their tools and techniques. One such implement, in particular, stands out: crypto-ransomware.
Recently, the security community has witnessed a growing number of ransomware attacks. Those incursions have at times outweighed other malware campaigns in their frequency. Travis Smith, a senior security research engineer at Tripwire, attributes this disproportionate rise in appeal to the manner in which ransomware works:
"Criminals need very small payloads with little to no command and control communication to infect and control their targets. The point of ransomware is to be detected, not prevented. This is why it seems like there is much more ransomware currently than other types of malware. It’s just as easy to infect a computer with ransomware as with any other type of malware."
Smith also notes the return on investment for ransomware authors and practitioners is estimated to be over 1,400 percent, which helps to explain why many attackers go with a crypto-malware variant for their campaigns.
Not all attackers have the necessary amount of technical expertise or money needed to create ransomware on their own, however. Fortunately for them, those operating in the dark web are willing to sell licenses for their creations to less experienced attackers. This underground business model is known as ransomware-as-a-service (RaaS).
Innovation never ceases in the RaaS world. Case in point, internet security firm Heimdal Security recently detected a new ransomware-as-a-service being advertised on the digital underground. Those who created the RaaS, which goes by the name "Stampado," are marketing it to customers who can't afford a license for other, better-known ransomware families. As they explain in a slightly awkward, grammatically incorrect sales pitch:
"You always wanted a Ransomware but never wanted two pay Hundreds of dollars for it? This list is for you! Stampado is a cheap and easy-to-manage ransomware, developed by me and my team. It’s meant two be really easy-to-use. You’ll not need a host. All you will need is an email account."
For 39 USD, Stampado's authors give customers a lifetime license to the ransomware. Andra Zaharia, a security specialist at Heimdal, explains this low price is strategic. As quoted by International Business Times:
"Stampado is definitely cheap. Ransomware-as-a-service is usually sold as a subscription-based service and it costs around a few hundred dollars. While there is no definitive benchmark to judge this by, from the data we have at the moment, we can say that this is fairly accessible. The reason Stampado creators priced their ransomware this low could be that they aim for widespread distribution and to appeal to less experienced malicious hackers who also want to get in on the action."
The RaaS doesn't need administrator privileges to infect a computer. Upon successful infection, Stampado appends ".locked" to every file it encrypts. It then demands the victim pay the ransom of one Bitcoin (approximately 660 USD) within 96 hours. If the victim fails to comply in a timely manner, the ransomware begins to delete a random file from the victim's PC every six hours.
The authors of Stampado claim their creation comes with the same functionality as CryptoLocker and other more popular ransomware. They also state the RaaS actually beats out its competitors in terms of flexibility:
"The file can be sent in the following formats: exe, bat, dll, scr, and cmd. You can also use binders, packers and crypter."
Stampado's emergence is another indication that ransomware won't be going away anytime soon. With that in mind, organizations and users alike should develop a data backup plan in the event they find themselves the victim of a ransomware infection.
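As an added example (not from the original article, Heimdal or Tripwire), the ".locked" rename behaviour described above can be turned into a simple detection: flag any process that appends ".locked" to many files within a short window. The event format, process names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUFFIX = ".locked"              # extension the article says Stampado appends
WINDOW = timedelta(seconds=60)  # assumption: tune to your environment
THRESHOLD = 5                   # assumption: matching renames per process per window

# Constructed sample events: timestamp|process|old_path|new_path (hypothetical format)
SAMPLE_EVENTS = [
    r"2016-07-14T10:00:00|explorer.exe|C:\Users\a\draft.docx|C:\Users\a\final.docx",
    r"2016-07-14T10:00:01|sample.exe|C:\Users\a\final.docx|C:\Users\a\final.docx.locked",
    r"2016-07-14T10:00:02|sample.exe|C:\Users\a\tax.xlsx|C:\Users\a\tax.xlsx.locked",
    r"2016-07-14T10:00:03|sample.exe|C:\Users\a\cat.jpg|C:\Users\a\cat.jpg.locked",
    r"2016-07-14T10:00:04|sample.exe|C:\Users\a\notes.txt|C:\Users\a\notes.txt.locked",
    r"2016-07-14T10:00:05|sample.exe|C:\Users\a\cv.pdf|C:\Users\a\cv.pdf.locked",
    r"2016-07-14T11:30:00|sync.exe|C:\Users\a\db.mdb|C:\Users\a\db.mdb.locked",
]

def parse(line):
    """Split one event line into (timestamp, process, old_path, new_path)."""
    ts, proc, old, new = line.strip().split("|")
    return datetime.fromisoformat(ts), proc, old, new

def detect_locked_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {process: time of first alert} for bursts of 'x' -> 'x.locked' renames."""
    recent = defaultdict(deque)  # process -> timestamps of matching renames
    alerts = {}
    for line in lines:
        ts, proc, old, new = parse(line)
        # Count only renames that append the suffix to the unchanged original path;
        # ordinary renames and unrelated files ending in .locked do not match.
        if new.lower() != old.lower() + SUFFIX:
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts

if __name__ == "__main__":
    for proc, when in detect_locked_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} {proc}: burst of {SUFFIX} renames")
```

Because the article notes the ransomware runs without administrator privileges, a rule like this should watch user-writable paths rather than rely on privilege-escalation signals.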