A new Ransomware as a Service, or RaaS, called the Cryptolocker Service is getting ready to launch that would allow any would-be criminal to enter the ransomware game. This new RaaS, first seen by Steve Ragan, is being created by a development group called the Fakben Team and allows an affiliate to buy into the program for $50 USD. Once an affiliate pays the signup fee, they will supposedly be given access to the ransomware executable, which is then their responsibility to distribute as they see fit. An affiliate also has the ability to configure a custom ransom amount. The Fakben Team will then take 10% of the total ransom as a commission for the affiliate using their service and send the rest to the affiliate's configured bitcoin address.
When a visitor goes to the Cryptolocker Service site they will be presented with an about page that contains information about the RaaS offering and how users can signup to use it. The content of this page explains how the service works, what the affiliate's responsibilities will be, and how much it costs to be part of the program. An interesting portion of text highlights how these malware developers look at what they are doing.
We will keep on working in the settings of the cryptolocker, improving methods for undetection to AV. We will give all the support that costumers need through Jabber service. Is not our interest who will be infected or which kind of methods you will do, is important for you to use brain and intelligence in order to spread it. Thanks for your attention.
― FAKBEN Team
One of the common questions we receive from victims is how could someone do something like this to them. The reality is that these developers look at it as a business, do not care that they are breaking the law, and for the most part have absolutely no regard for the problems they are causing their victim.
The full text of the about page can be seen in the screenshot below, which can be clicked on to see the full size.
The Cryptolocker Service site also includes a news feed page that contains the latest news from the developers. The latest news is from November 12, 2015 that states that the service will be available in the next few days.
When a visitor signs up for the service they will be required to enter a login name, password, and bitcoin address that their ransomware payments will be sent to. Once they are registered, they can login and view their Statistics page that shows the amount of infected users, the currently configured ransom price, and the bitcoin address the service will send ransom payments to. From this page the affiliate also has the ability to change their password, update the bitcoin address payments are being sent, and to specify a custom ransom amount.
Whether or not this ransomware service will go live, or simply fade away like Tox, is left to be seen. If it does go live, we will analyze the infection and post about the encryption method and any other significant information. Stay tuned.