Petya and Mischa Go RaaS

July 28, 2016 @ 2:00 PM
| |
2 min read

BleepingComputer reported that the developers of the Petya and Mischa ransomware packages have embraced a new business model: ransomware-as-a-service (RaaS).

Supposedly, this has been in a limited beta release for the last few months with “a limited amount of supposed high-volume distributors.” However, any cybercriminal can now apply to become an affiliate of the RaaS program.

For Cybercriminals, By Cybercriminals

In an advertisement reproduced by BleepingComputer, the developers boast of the ransomware’s high infection rate. The ad reads, “As professional cybercriminals, we know you can’t trust anyone. So we developed a payment system based on multisig addresses, where no one (including us) can rip you off.”

Further, the developers tout their easy methods of viewing the latest infections, setting the ransom price and recrypting the binary. This can all be done with a “clean and simple web interface.”

The payment scheme is based on bitcoin. If the weekly volume is less than 5 BTC, then a 25 percent cut goes to the associate. If the volume is less than 25 BTC per week, the cut grows to 50 percent. If it goes over 125 BTC per week, the associate’s cut balloons to 85 percent.

FUD and Crypting Included

In addition to the new combined Petya/Mischa offering, it is significant to note the FUD and evasion offering that the authors make explicit on the welcome page. Free crypting and FUD services are included for those enrolled.

This means that the ransomware authors are providing assurance that client binaries will go undetected. True cybercriminal customer support is part of this deal.

All “high-volume distributors” receive a unique stub. This step assures evasion because a malware-checking program will not know this stub and may miss it during scans.

RaaS Poses a Real Threat

“Petya is considered by malware experts to be above average in terms of sophistication, which makes it surprising to see it spring up so quickly as a pseudo-public ransomware-as-a-service (RaaS) offering,” Cylance noted. “From a code and execution perspective, it is far beyond previous offerings, including the likes of Tox, Ransom32 and especially the Goliath offering from ‘Hall of Ransom.'”

It is unusual to see this level of ransomware promoted and pumped like this. Malware authors usually syndicate only when the ransomware is at the end of its utility, trying to wring every last drop of profit.

But Petya is still a real threat, and this level of distribution can only mean increased attacks.

Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...
read more