Shifr RaaS lets create a simple ransomware with just 3 steps

Over the weekend, security experts discovered a new Ransomware-as-a-Service dubbed Shifr RaaS that allows creating a ransomware compiling 3 form fields.

Ransomware represents a profitable business for crooks, it is normal that the offer of Ransomware-as-a-Service (RaaS) will continue its success in the cyber criminal ecosystem.

Over the weekend, several security experts discovered a new Ransomware-as-a-Service website that allows wannabe cyber criminals to create their own ransomware just by filling in three form fields.

The website was hosted on the Dark Web and customers can pay their ransomware in Bitcoin.

This is probably one of the easiest-to-use RaaS websites, the ransomware was dubbed Shifr due to the extension it appends to the encrypted files and is written in Go.

“We’ve called it Shifr based on the extension it adds to encrypted files, but G Data security researcher Karsten Hahn has told Bleeping Computer that an initial analysis of this new threat reveals clues that Shifr might be related to Trojan.Encoder.6491, the first ever ransomware written in Go, discovered last year by Dr.Web security researchers.” states a blog post published by BleepingComputer.

The process for the creation of the Shifr ransomware is simple, wannabe criminals have to provide the size of the ransom demanded by the malware, a Bitcoin address to handle victims’ payments and then they have to solve a CAPTCHA challenge and press a button.

“While other RaaS portals will ask for an entry fee or verify their clients to ensure only skilled crooks (and not security researchers) get their hands on ransomware samples, this service offers a fully weaponized sample in a few easy steps.” states Catalin Cimpanu from BleepingComputer.

After the deployment of the service, users started submitting Shifr samples to VirusTotal and many antivirus makers are currently detecting them as a threat.

Differently, from other RaaS services, operators behind Shifr maintain for them just 10% of the fee, it nothing is we consider that operators behind the Cerber RaaS keep for them 60% share.

We cannot exclude in this phase that the Shifr RaaS is a scam and that operators will not pay distributors their cuts.

The unique certainly is that the ransomware is not sophisticated and lack of many features, a circumstance that suggests it could be a work in progress project.

The researchers, for example, noticed that the crooks used the same servers to host the payment portal and the RaaS service, it isn’t a good practice.

It is quite easy to predict the rapid diffusion of RaaS services in the next month.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shifr RaaS, ransomware)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.