FAKBEN Ransomware-as-a-service emerges from the underground

FAKBEN is offering a professional Ransomware-as-a-service that relies on a new CryptoLocker ransomware, distributed as a downloadable executable file.

Ransomware is probably the most popular category of malicious code in this period. This week we have discussed a malicious code that infected the UK Parliament, an off-line ransomware, and a Linux.Encoder1 ransomware revealing the decryption key.

The news of the day is that a new Ransomware-as-a-service has surfaced from the criminal underground, asking its customers for a 10 percent cut of the profits.

The FAKBEN Team is offering a professional Ransomware-as-a-service that relies on a new CryptoLocker ransomware, distributed as a downloadable executable file. Users can customize their CryptoLocker variant and manage the campaign by using the CryptoLocker service developed by FAKBEN.

The service allows users to send the ransomware to a specific victim and demand a ransom. The CryptoLocker service uses the Tor Network to host a Hidden Service (https://24fkxhnr3cdtvwmy.onion/).

Customers can choose the total amount the victim has to pay and the destination BTC wallet.

“A new service launched this week is offering a new Ransomware product under the name CryptoLocker to anyone willing to pay ten percent of the collected ransom. In addition to the core Ransomware product, the ultimate goal of the business owner is to implement additional functions to the malware including linking it to recently produced exploits.” states a post published by Salted Hash. “Called CryptoLocker Service, the new venture launched this week on a standalone Darknet website. The new venture is being run by a person using the handle Fakben.”

Customers of the FAKBEN ransomware-as-a-service have to pay US$50 to download the CryptoLocker executable file; when one of the victims pays the ransom, the VXers keep 10 percent of the sum.

“You can download CryptoLocker executable file for $50. When you have done the payment you will immediately be enabled to the building source of the ransomware so you can specify the amount of money you want to receive and the address destination for BTC. When cryptolocker file is executed to the victim’s machine it crypts all files.” states FAKBEN.

“Then an automatic window is opened and is asked to the victim to pay in order to get the key for the decryption of the files. When the person pays for files decryption is important to be loyal and give him/her the key for the decryption. When money is paid we will take 10% for the service and then the other amount will be sent to the address you specified before.”

The FAKBEN ransomware-as-a-service includes a user-friendly interface that shows the number of infected machines and ransoms paid. This specific Ransomware-as-a-service is not yet active; it will be launched in the coming days.

FAKBEN explained that the code used by the platform is completely different from that of the original Cryptolocker. The malware currently runs only on Windows machines, but there are plans to make it multiplatform.

Fakben explained that the ransomware could be customized by adding a number of exploits targeting vulnerabilities in products such as Adobe and Java.

“Those additional services are not part of the core product. If they’re used, the customer would still pay the opening $50 USD fee, plus the exploit cost and development cost, as well as the ten percent commission on each ransom paid.” states Salted Hash.

Ransomware-as-a-service is not a novelty in the criminal ecosystem. Recently crooks launched a similar service, the Tox ransomware-as-a-service, which had no success; its creators decided to offer it for sale in the underground.

Pierluigi Paganini

(Security Affairs – Ransomware-as-a-service, cybercrime)
