BleepingComputer reported that the developers of the Petya and Mischa ransomware packages have embraced a new business model: ransomware-as-a-service (RaaS).

Supposedly, this has been in a limited beta release for the last few months with “a limited amount of supposed high-volume distributors.” However, any cybercriminal can now apply to become an affiliate of the RaaS program.

For Cybercriminals, By Cybercriminals

In an advertisement reproduced by BleepingComputer, the developers boast of the ransomware’s high infection rate. The ad reads, “As professional cybercriminals, we know you can’t trust anyone. So we developed a payment system based on multisig addresses, where no one (including us) can rip you off.”

Further, the developers tout their easy methods of viewing the latest infections, setting the ransom price and recrypting the binary. This can all be done with a “clean and simple web interface.”

The payment scheme is based on bitcoin. If the weekly volume is less than 5 BTC, then a 25 percent cut goes to the associate. If the volume is less than 25 BTC per week, the cut grows to 50 percent. If it goes over 125 BTC per week, the associate’s cut balloons to 85 percent.

FUD and Crypting Included

In addition to the new combined Petya/Mischa offering, it is significant to note the FUD and evasion offering that the authors make explicit on the welcome page. Free crypting and FUD services are included for those enrolled.

This means that the ransomware authors are providing assurance that client binaries will go undetected. True cybercriminal customer support is part of this deal.

All “high-volume distributors” receive a unique stub. This step assures evasion because a malware-checking program will not know this stub and may miss it during scans.

RaaS Poses a Real Threat

“Petya is considered by malware experts to be above average in terms of sophistication, which makes it surprising to see it spring up so quickly as a pseudo-public ransomware-as-a-service (RaaS) offering,” Cylance noted. “From a code and execution perspective, it is far beyond previous offerings, including the likes of Tox, Ransom32 and especially the Goliath offering from ‘Hall of Ransom.'”

It is unusual to see this level of ransomware promoted and pumped like this. Malware authors usually syndicate only when the ransomware is at the end of its utility, trying to wring every last drop of profit.

But Petya is still a real threat, and this level of distribution can only mean increased attacks.

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…