Tuesday, 26. July 2016

Economics Behind Ransomware as a Service: A Look at Stampado’s Pricing Model

Ransomware have become such a big income earner for cybercriminals that every bad guy wants a piece of the pie. The result? More tech-savvy criminals are offering their services to newbies and cybercriminal wanna-bes in the form of do-it-yourself (DIY) kits—ransomware as a service (RaaS).

About two weeks ago, a new breed of ransomware dubbed “Stampado” (detected by Trend Micro as RANSOM_STAMPADO.A) surfaced. Security researchers did not initially find samples of the threat even if it made headlines for being cheap (despite being “easy to manage,” according to its creators) for such a package—only US$39 for a “lifetime license.”



Figure 1. Stampado ad found in the Deep Web

Analysis revealed that Stampado appears to mimic Jigsaw—one of the more prominent ransomware variants to date. Both variants delete random files after a certain period of time to scare affected users into paying the ransom.

Figures 2 and 3. Comparison of ransom notes of Stampado (left) and JIGSAW ransomware (right) (Click to enlarge)

Stampado and Jigsaw both encrypted files using AES and locked down users’ computers. The similarities end there though. A closer look revealed that Stampado was coded using AutoIT, which is easy to decrypt and analyze, indicating that it may not be as sophisticated as Jigsaw in terms of routine.

Jigsaw also had specific instructions for purchasing Bitcoins to pay the ransom while Stampado only provided an email address for affected users to contact if they want access to their files back. In addition, Stampado only searched for files to encrypt in the %All Users Profile% and %User Profile% folders while Jigsaw scanned all available drives. But unlike Jigsaw, which gave victims 24 hours to pay the ransom or lose one file per day of nonpayment, Stampado only gave victims 6 hours to pay or lose one file per hour of nonpayment. Stampado gave victims 96 hours before all files held hostage are deleted; Jigsaw only gave 72.

Ransomware as a Service (RaaS)

The law of supply and demand also applies to the ransomware business model. In the course of monitoring the various underground markets over time, we noticed a fluctuation in ransomware prices. In 2012, ransomware services (which can be likened to today’s RaaS offerings) in the Russian cybercriminal underground only cost US$10–20. This included a Windows blocker or a piece of malware “that paralyzed a system’s OS.” This didn’t allow the criminals to hold data for ransom though. In addition, ransomware then weren’t as in demand then compared to now, which could explain why they were sold more cheaply.

As more users and even organizations succumbed to paying the ransom just to get access to their files and systems back, it was natural for cybercriminals to hike the threat’s price up. In the Brazilian underground market, for instance, a multiplatform ransomware offering cost US$3,000 last year.



Figure 4. Ransomware ad in the Brazilian underground market

At present, RaaS prices are decreasing again. This can be due to the fact that because there’s a market for the threat, more malware creators are offering their illicit wares, leading to an increase in competition and consequently a drop in prices. Stampado’s creators could be banking on the fact that to bad guys, it doesn’t matter if a piece of ransomware is sophisticated or if it’s just a poor imitation of more popular variants. As long as it works and can earn cybercriminals a quick buck, it just might sell.

Multilayered protection against ransomware

Infecting systems with ransomware is a lucrative business and will continue to be so. RaaS, unfortunately, makes it easy for even nontech-savvy criminals to make money even with less-sophisticated tools. Enterprises and users can, however, stay protected from ransomware with a multilayered defense strategy.

Trend Micro protects enterprises’ gateways, endpoints, networks, and servers. Enterprises can use Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security to block ransomware at the exposure layer—Web and email. Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other suspicious activities associated with attempts to inject ransomware into networks.

At the endpoint level, Trend Micro Smart Protection Suites detect and stop suspicious behaviors and exploits associated with ransomware via behavior monitoring, application control, vulnerability shielding, and Web reputation features.

SMBs can stay protected with Worry-Free™ Services Advanced’s cloud security, behavior monitoring, and real-time Web reputation for devices and emails. For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking access to malicious websites, malicious emails, and files associated with threats like Stampado.

Additional insights by Ryan Flores, Stephen Hilt, and Kyle Wilhoit 

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Economics Behind Ransomware as a Service: A Look at Stampado’s Pricing Model