Shifr RaaS lets create a simple ransomware with just 3 steps

Over the weekend, security experts discovered a new Ransomware-as-a-Service dubbed Shifr RaaS that allows creating a ransomware compiling 3 form fields.

Ransomware represents a profitable business for crooks, it is normal that the offer of Ransomware-as-a-Service (RaaS) will continue its success in the cyber criminal ecosystem.

Over the weekend, several security experts discovered a new Ransomware-as-a-Service website that allows wannabe cyber criminals to create their own ransomware just by filling in three form fields.

The website was hosted on the Dark Web and customers can pay their ransomware in Bitcoin.

This is probably one of the easiest-to-use RaaS websites, the ransomware was dubbed Shifr due to the extension it appends to the encrypted files and is written in Go.

“We’ve called it Shifr based on the extension it adds to encrypted files, but G Data security researcher Karsten Hahn has told Bleeping Computer that an initial analysis of this new threat reveals clues that Shifr might be related to Trojan.Encoder.6491, the first ever ransomware written in Go, discovered last year by Dr.Web security researchers.” states a blog post published by BleepingComputer.

The process for the creation of the Shifr ransomware is simple, wannabe criminals have to provide the size of the ransom demanded by the malware, a Bitcoin address to handle victims’ payments and then they have to solve a CAPTCHA challenge and press a button.

“While other RaaS portals will ask for an entry fee or verify their clients to ensure only skilled crooks (and not security researchers) get their hands on ransomware samples, this service offers a fully weaponized sample in a few easy steps.” states Catalin Cimpanu from BleepingComputer.

After the deployment of the service, users started submitting Shifr samples to VirusTotal and many antivirus makers are currently detecting them as a threat.

Differently, from other RaaS services, operators behind Shifr maintain for them just 10% of the fee, it nothing is we consider that operators behind the Cerber RaaS keep for them 60% share.

We cannot exclude in this phase that the Shifr RaaS is a scam and that operators will not pay distributors their cuts.

The unique certainly is that the ransomware is not sophisticated and lack of many features, a circumstance that suggests it could be a work in progress project.

The researchers, for example, noticed that the crooks used the same servers to host the payment portal and the RaaS service, it isn’t a good practice.

It is quite easy to predict the rapid diffusion of RaaS services in the next month.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shifr RaaS, ransomware)

[adrotate banner=”13″]