Managed Ransomware-as-a-Service spotted in the wild

By Dancho Danchev

Over the past several quarters, we’ve witnessed the rise of the so called Police Ransomware also known as Reveton.

From fully working host lock down tactics, to localization in multiple languages and impersonation of multiple international law enforcement agencies, its authors proved that they have the means and the motivation to continue developing the practice, while earning tens of thousands of fraudulently obtained funds.

What’s driving the growth of Police Ransomware? What’s the current state of this market segment? Just how easy is it to start distributing Police Ransomware and earn fraudulently obtained funds in between?

In this post, I’ll profile a recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users, and for the first time ever, offer an inside peek into its command and control interface in order to showcase the degree of automation applied by the cybercriminals behind it.

More details:

Sample underground forum advertisement of the managed DIY Police Ransomware service:

According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria.

The price for the service? $1,000 on a monthly basis for a managed, bulletproof command and control infrastructure.

Just how sophisticated is the command and control interface? Let’s take a closer look into a sample command and control screenshots released by the cybercriminals behind the service in order to demonstrate its usefulness.

Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:

As you can see in the attached screenshot, thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.

Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:

The managed service relies primarily on the Ukash voucher-based payment system, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers.

We’ll continue monitoring the development of the DIY managed ransomware service.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

11 thoughts on “Managed Ransomware-as-a-Service spotted in the wild

  1. One of my customers (I’m a pc tech) had this virus today. Booted in safe mode, kicked off system restore to a date prior to infection. This virus was now gone but previous infections were reinstated and had to remove those again.
    I was surprised that SecureAnywhere could not detect/remove this virus in either normal or safe mode.

  2. I recently was infected with one of these programs. By going into safe mode and using a past restore point my computer started to work properly again. But a week later it popped up again. I am not sure if Webroot is finding the infection. My last scan found the following: CSRSS.dll W32 Rogue.Gen. Do you know if this is the virus?

  3. Hello Dave and cathousejack,

    My name is Tyler and I work as Threat Research in Webroot. I’d be more than happy to assist both of you in your recent infection.

    Webroot has advanced heuristics that will be monitoring malicious activity on any process – even if there isn’t a determination on it yet. What most likely happened was a zero day variant that wasn’t yet classified as malicious. In any event you can still remove these infections as soon as they hit with relative easy using some advanced controls on your Webroot. Please follow the below instructions:

    If your computer is inoperable in normal mode, please boot into safe mode with networking.

    Open Webroot
    Click on the “System Tools” tab
    Click on “System Control” on the side
    Click “Start” under control active processes
    Look for suspicious executables, which have been set to Monitor.

    Such files often run from these locations on your computer: %Programdata%, %appdata% or %temp% locations. Examples include:

    C:\Documents and Settings\All Users\Application data\xjspw2r\xjspw2r.exe
    C:\Documents and Settings\%username%\Local Settings\ApplicationData\dim.exe

    Note: monitored files may be legitimate files that simply behave suspiciously. Unless you are certain that the file is malicious, we recommend uploading these files to for malware verification. Keep in mind, some of the vendor results may be false positives.

    Once you have confirmed that the files in question are malicious, change the setting to Block.

    Run a new scan with SecureAnywhere.

    This should remove your Zero day variant that we may not yet have a determination for. We can then analyze logs from your system and add the threat to our database of malware determinations. This will help us prevent you and other customers from falling victim to this particular piece of malware in the future.

    If you wish to open a ticket with us open Webroot and click on
    the link at the bottom for Webroot support.

    Thank you,

    Tyler M
    Threat Research

    • Thank you Tyler. I followed your advice but it’s a little beyond my knowledge to completely understand what I am to do. Below is what I found. I have no idea where to go from here. – cathousejack

  4. Hello Cathouse jack

    If you find the above instructions to be a little overwhelming we can always remote onto your computer and do this for you – free of charge. Just call 866-612-4227 and we’ll get this sorted.

    If you wish to continue support with me, I’ll have instructions below on how to gather log files and then return them to me. With these logs I’ll evaluate them and find a solution. Please follow the below instructions.

    Please do this on the computer that is having the issue.

    First please boot your computer into SAFE MODE WITH NETWORKING. (if you don’t know how I will type instructions for you below)

    Turn off computer
    Turn on computer and start tapping the F8 key repeatedly
    Eventually you will be presented with a black screen with white lettering saying “advanced boot options” (if you don’t start over from the beginning)
    On this screen use your up and down arrow keys to select “SAFEMODE WITH NETWORKING”
    Press Enter, Press Enter again, let windows boot up.

    Open Webroot.
    1. Click PC Security tab.
    2. Click the Custom Scan link.
    3. The default scan option is “Deep”. Click Scan.

    Once that completes, let’s gather log files.

    1. Download Webroot’s log-gathering utility from the following link:

    2. Save the file to your Desktop (or the preferred Download folder of your web browser).

    3. Once it has finished downloading, double-click the wsalogs.exe file on your Desktop to run it.

    4. In the box labeled “Email:”, enter your email followed by “cathousejack” so I know these are your logs.

    5. Click the “Go!” button to begin the log gathering process.

    Expect the utility to take between 1 to 10 minutes to gather the necessary information. The run time depends on various factors on your computer, including the size of the Webroot software logs and the compression speed of the computer. This utility is designed to gather extended logs from the Webroot software and basic system information.

    The utility will gather the necessary information and will attempt to return it automatically via a secure dropbox connection (please allow PSCP.exe through your firewall, if asked). A copy of the logs will also be present on your Desktop, named in the following fashion “wsalogs_email@you.set_date-time.7z”. The utility will then attempt to return you to this web page, please leave a message letting us know you have sent the requested logs.

    Thank you,

    Tyler M
    Threat Research

    • Thank you Tyler. I will get on this ASAP. I really want to nip this one and give you what you need so you can prevent this from happening to any of your other customers. It may take me a few days to complete this. I really appreciate your help.

  5. Pingback: Novice cybercriminals experiment with DIY ransomware tools « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  6. Pingback: A peek inside a DIY password stealing malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  7. Pingback: Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns | Webroot Threat Blog - Internet Security Threat Updates from Around the World

  8. Pingback: Managed ‘Russian ransomware’ as a service spotted in the wild | Webroot Threat Blog - Internet Security Threat Updates from Around the World

  9. Pingback: How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them | Webroot Threat Blog - Internet Security Threat Updates from Around the World

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s