A new TOR site called the Hall of Ransomware popped up a few weeks ago, selling ransomware infections and unlocking services for some pretty hefty prices. For sale are the Locky ransomware for $3,000 and a supposedly new ransomware called Goliath for $2,100. They also claim to sell a USB key for $1,200, which "takes control of the virus and then unlocks your files and uninstalls Locky." Overall, some pretty over-the-top claims for an anonymous dark web site.

Possible link to the Jigsaw Ransomware?

When you take all the wild claims, the broken spelling, and bad grammar into account, this site looks more like scammers trying to steal from other scammers. What I found interesting, though, was a little snippet of HTML in the source of the website. When examining the source code, I saw that the meta description tag had its content set to Jigsaw, which is also the name of a ransomware released in April.

Jigsaw Reference in Source Code

When Jigsaw was released it had an almost amateurish feel as it was easily decrypted and highly destructive. The fact that we have a ransomware using the name Jigsaw and now a ransomware TOR site also called Jigsaw is too strong a coincidence.

The Hall of Ransom

The Hall of Ransom site is broken up into 4 pages. The first page is an introduction to the site, riddled with bad grammar and poor English.

Hall of Ransom

The Locking page consists of two ransomware infections, Locky and a supposedly new one called Goliath. Goliath, which I have never seen before, is supposedly based off of the source code of Locky. Some of its features just do not make sense, such as the need for a high-end GPU card, unless they are introducing a cryptocoin mining feature. I and others have searched high and low for a sample of the Goliath ransomware, and if it exists, it is in almost non-existent distribution.

Locking Page

The site becomes even more bizarre with its claim to sell a USB key for $1,200 that can supposedly take over Locky to decrypt the computer. It also makes no sense to sell it for this much when the current Locky ransom is around $250 USD.

Unlock Page

Finally, we have the contact form where a would-be criminal can purchase their tools.

Contact Page

If any would-be criminals fall for these claims... well, sucks for you. Get an honest job.