I managed to compromise one user's machine of underground commuity called "Alphabay" and intercepted their chat over jabber (Pidgin)...I know it's not legal but imo we have to use the same methods to conquer them. I never doxed his identification and not deanonymised him.
(23:54:34) The following message received from email@example.com was not encrypted: [Hello friend]
(23:54:35) The following message received from firstname.lastname@example.org was not encrypted: [You here ?]
(08.09.2016 0:40:26) Attempting to start a private conversation...
(0:40:26) SkrillGuide2015: Yes! Hey
[Image] (0:40:28) Unverified conversation with email@example.com/The_Rainmaker started. Your client is not logging this conversation.
(0:40:32) SkrillGuide2015: How are you doin'?
(0:41:43) firstname.lastname@example.org: Good friend
(0:42:09) email@example.com: I start sell Philadelphia today friend
(0:42:27) firstname.lastname@example.org: Look if you have interest
(0:42:28) email@example.com: Description about Product:
Conquer your Independence with Philadelphia! Get an Advanced and Customisable Ransomware at a Lifetime License!
Philadelphia innovates the Ransomware Market by presenting several features that makes it possible to manage a very advanced Ransomware attack with a cheap maintenance price (it can even be zero)! It's also autonomous, with Autodetected Bitcoin Payments! Just spread and wait for the money to come ;-)
By buying Philadelphia, you'll receive an all-in-one software that will allow you to make unlimited builds.
Everything is customisable:
- You can set the folders where the Ransomware will look for files as well as the depth/recursion level
- You can set the extensions, you can enable, disable and define intervals for the deadline and the russian roulette (as well as editing how many files are deleted on every russian roulette interval and whether the files or the crypt key gets deleted once the deadline ends
- You can edit file icon and Mutex
- You can edit the UAC (user access control) in four available options: (1) do not ask for admin privilleges; (2) ask and insist until it is given; (3) ask but run anyway even if it is not given; (4) ask and give up if it is not given
- You can edit all the interface texts as well as add multiple languages to the same file (it will detect the machine language and display the texts you edited for that locale or a default/fallback one)
- You can enable or disable USB infect, network spread and Unkillable Process, as well as set the process name
The Philadelphia Headquarter is a software that works on your machine and allows you to generate unlimited builds, see the victims on a map and on a list (with country flags and all the data you need) and also a "Give Mercy" button if you're too good 0:)
But the coolest Philadelphia feature (and what makes its maintenance so cheap) is that, instead of huge servers on our controls where you must pay high amounts monthly, we present you the "Bridges". Bridges are the way victims and attacker enters in touch in a distributed network. It's simply a PHP script that uses itself as database (no MySQL or whatever needed, just PHP). Bridges store the clients keys, verifies payments and provide the victims informations to the headquarters safely. And they can be hosted on nearly any server: even hacked servers, shared hosting (free hosting works but it is not recommended as they can delete your account if it's not a fully functional website), dedicated or VPS (recommended for bigger attacks, although the requests are small and are only done a few times). As the bitcoin payment verification is done on the server side, by the bridge, there is no way to spoof it on the victim machine. Also, the distributed bridges network will grant a better anonimity.
Everything very well documented on a plain-english help file!
(0:42:41) SkrillGuide2015: ohh
(0:44:49) firstname.lastname@example.org: Have interest ?
(0:44:54) SkrillGuide2015: WOW!!
(0:44:57) SkrillGuide2015: yeah!
(0:45:02) SkrillGuide2015: whats the price maan???
(0:45:08) email@example.com: $400 friend
(0:45:18) firstname.lastname@example.org: But how I know you
(0:45:21) email@example.com: I can give discount
(0:45:26) firstname.lastname@example.org: $350
(0:45:29) email@example.com: *
(0:45:32) firstname.lastname@example.org: You help me a lot
(0:45:35) SkrillGuide2015: Thats great!
(0:45:52) SkrillGuide2015: no problems mate...I like help others by nature
(0:46:13) email@example.com: Great guy
(0:46:44) SkrillGuide2015: I will talk with my friend now...he must send me coins...or at max I will buy it on next Monday.. Lets' see how this best works..
(0:46:52) SkrillGuide2015: I have some questions..can i ask?
(0:46:57) firstname.lastname@example.org: Yes
(0:47:12) SkrillGuide2015: Is encrrpyting algorithm is different than in Stampado?
(0:47:19) SkrillGuide2015: I mean is it faster?
(0:47:44) email@example.com: Little more faster
(0:47:51) firstname.lastname@example.org: But all ransomwares work in same way
(0:48:22) SkrillGuide2015: Are you considering to make a low-level ransomware?
(0:48:39) SkrillGuide2015: I mean which will encrypt whole HDD not files
(0:48:57) SkrillGuide2015: Anyway very interested in this man
(0:49:25) SkrillGuide2015: Let's see what an amazing article WSJ will post about..I know you paid them for marketing LOL :D
(0:50:07) email@example.com: Ransomware cant encrypt all HD because can corrupt system
(0:51:48) firstname.lastname@example.org: This only rewrite MBR
(0:51:50) email@example.com: No big deal
(0:51:55) firstname.lastname@example.org: and is no automatic payment
(0:52:39) SkrillGuide2015: ok, but I would be really happy to see how your Philadelphia works..with its nice-looking panel
(0:52:51) email@example.com: yes friend
(0:52:59) firstname.lastname@example.org: I start spread today
(0:53:04) email@example.com: I want infect 20k today
(0:53:06) firstname.lastname@example.org: Until now
(0:53:09) email@example.com: 2,7k
(0:53:11) firstname.lastname@example.org: infected
(0:53:14) SkrillGuide2015: wow great
(0:53:37) SkrillGuide2015: As you are programmer and maybe you know....where can I rent exploit kits such as Angler and Neutrino?
(0:53:46) SkrillGuide2015: do you know any marketplaces or links?
(0:53:49) email@example.com: Yes
(0:53:51) firstname.lastname@example.org: I use neutrino
(0:53:55) SkrillGuide2015: cool
(0:53:56) email@example.com: Is good
(0:54:00) firstname.lastname@example.org: Me and one friend use
(0:54:03) email@example.com: But is expansive...
(0:54:30) SkrillGuide2015: I know what is price of it...and please tell me I want to talk with its developer, please give me link if possible
(0:55:18) firstname.lastname@example.org: I send contact for neutrino
(0:55:20) email@example.com: is
(0:55:23) firstname.lastname@example.org: 4k month for rent
(0:56:36) SkrillGuide2015: I know its expensive...I have guys who are ready to pay such....please if you can give me link to that it would be great...I would spread this and stampado along the way together
(0:56:56) email@example.com: Talk with this guy: firstname.lastname@example.org
(0:57:03) SkrillGuide2015: currently I am using RAT and buying bots but these bots are coming from poor asian countries
(0:57:03) email@example.com: But
(0:57:16) firstname.lastname@example.org: Only add if you go rent, if you add only for make questions
(0:57:20) email@example.com: Him block you
(0:57:26) firstname.lastname@example.org: lol
(0:57:29) SkrillGuide2015: lol
(0:57:30) SkrillGuide2015: ok
(0:57:36) SkrillGuide2015: thanks mate...appreciate it
(0:57:47) SkrillGuide2015: where he promotes his product?
(0:57:55) SkrillGuide2015: on exploit.in or somewhere else?
(0:58:00) email@example.com: exploit.i
(0:58:02) firstname.lastname@example.org: yes
(0:58:10) SkrillGuide2015: ok mate
(0:58:11) SkrillGuide2015: thanks
(0:58:22) email@example.com: No problem
(0:58:31) firstname.lastname@example.org: I wait you for buy Philadelphia
(0:58:39) SkrillGuide2015: ;)
I checked myself the "store" of user @The_Ranimaker on Alphabay and seems like he is selling his ransomware only privately.
During my research I found that most of users of Stampado used to spread it thru email spams but mostly thru freelancing websites such as Freelancer.com, Upwork.com, peopleperhour.com, guru.com and etc. showing them as a legitimiate hiring managers they were forcing freelancer to execute their payload "just to see if it works on their machine" - they say. So, please everybody use only updated antiviruses/antimalwares...when you see some suspicious file check it on virustotal.com before executing...cyber-crooks can bypass antiviruses too, by crpyting and obfuscating their malicious codes so please be on the watch...I just don't want to you "all the members of this community" become victims of ransomware cuz it really hurts when you lose so many valuable files...Also, reading this conversation we can see that they are using strong exploit kits like Angler and Neutriono, so do not visit the websites you don't actually need to visit or those that you don't trust...and update all your softwares to patch existing vulnerabilities.