Ransomware Crimeware Kits

In a recent blog we talked about Trojan.Ransomlock.K and the use of a control panel on a command-and-control (C&C) server which gave it the ability to serve localized social engineering messages to victims depending on their IP location. While at that time we had not yet encountered a crimeware kit for this threat, we have since seen it for sale on Russian underground forums. As seen in Figure 1, below, the ransomware crimeware kit is being sold under the name of Silence Of winLocker:

Figure 1. Russian forum advertising SilenceWinLocker (Babelfish translation)

Once purchased, the author offers a package which includes a builder for the ransomware Trojan.Ransomlock.K, the Silence Locker Control Panel, a manual, and ongoing support, all for the price of 2500 WMZ.

Figure 2. SilenceWinLocker Trojan builder (Trojan.Ransomlock.K)

A little research on the author reveals a history of other nefarious tool creations, such as one called Powermail Spammer. While the motives for anyone purchasing this crimeware kit may be clear to most people, the author in the user manual has added a brief disclaimer as a means to try and dissolve responsibility for its use in any criminal activity.

Figure 3. SilenceWinLocker Denial of Responsibility statement

This is a common defense tactic for authors of crimeware kits. While the law in many countries is not perfectly clear on this issue, in the case involving the Mariposa (Butterfly) crimeware-kit author known as Iserdo, an unsuccessful similar tactic of defense was presented on his website selling the Butterfly kit. Following an international law enforcement investigation, Iserdo was arrested by Slovenia police regarding the creation of the code behind the now infamous Mariposa botnet.

While Silence Locker may be helping to fuel the increase of ransomware threats seen in the wild today, it is by no means the only ransomware builder available to cybercriminals. Other freely available Trojan ransomware builders, such as MBRLocker builder seen in Figure 4 below, can be found on underground forums.

Figure 4. MBRLocker v0.2 Builder (Trojan.Bootlock.B)

This ransomware builder allows cybercriminals to create Trojan.Bootlock.B capable of infecting a victim's system Master Boot Record (MBR) . This allows the cybercriminal to prevent the operating system from loading at boot on the victim's system until a code is entered and instructions followed, as seen in Figure 5 below. This, in turn, makes it more difficult for mitigation of the threat once infected without the code.

Figure 5. MBRLocker infected system boot up ransom screen

Crimeware kits of all types, and their popularity among cybercriminals, is an ongoing problem. While there is money to be made from the creation of such kits and a lack of international law exists surrounding their creation, they will continue rise in sophistication and popularity.

As always, we recommend to stay vigilant when presented with any alerts and to ensure you have your antivirus up to date to help protect against such threats.