A new Ransomware as a Service, or RaaS, called the Cryptolocker Service is getting ready to launch that would allow any would-be criminal to enter the ransomware game.  This new RaaS, first seen by Steve Ragan, is being created by a development group called the Fakben Team and allows an affiliate to buy into the program for $50 USD.  Once an affiliate pays the signup fee, they will supposedly be given access to the ransomware executable, which is then their responsibility to distribute as they see fit.  An affiliate also has the ability to configure a custom ransom amount.  The Fakben Team will then take 10% of the total ransom as a commission for the affiliate using their service and send the rest to the affiliate's configured bitcoin address.

When a visitor goes to the Cryptolocker Service site they will be presented with an about page that contains information about the RaaS offering and how users can signup to use it. The content of this page explains how the service works, what the affiliate's responsibilities will be, and how much it costs to be part of the program. An interesting portion of text highlights how these malware developers look at what they are doing.

We will keep on working in the settings of the cryptolocker, improving methods for undetection to AV. We will give all the support that costumers need through Jabber service. Is not our interest who will be infected or which kind of methods you will do, is important for you to use brain and intelligence in order to spread it. Thanks for your attention.


One of the common questions we receive from victims is how could someone do something like this to them. The reality is that these developers look at it as a business, do not care that they are breaking the law, and for the most part have absolutely no regard for the problems they are causing their victim.

The full text of the about page can be seen in the screenshot below, which can be clicked on to see the full size.

Cryptolocker Service About Page
Cryptolocker Service About Page

The Cryptolocker Service site also includes a news feed page that contains the latest news from the developers.  The latest news is from November 12, 2015 that states that the service will be available in the next few days.

Cryptolocker Service News Feed
Cryptolocker Service News Feed


When a visitor signs up for the service they will be required to enter a login name, password, and bitcoin address that their ransomware payments will be sent to. Once they are registered, they can login and view their Statistics page that shows the amount of infected users, the currently configured ransom price, and the bitcoin address the service will send ransom payments to.  From this page the affiliate also has the ability to change their password, update the bitcoin address payments are being sent, and to specify a custom ransom amount.


Cryptolocker Service Statistics Screen for a Registered Affiliate
Cryptolocker Service Statistics Screen for a Registered Affiliate


Whether or not this ransomware service will go live, or simply fade away like Tox, is left to be seen. If it does go live, we will analyze the infection and post about the encryption method and any other significant information. Stay tuned.

Related Articles:

Princess Evolution Ransomware is a RaaS With a Slick Payment Site

The Week in Ransomware - September 21st 2018 - Beer, Airports, & Dharma

Gamma, Bkp, & Monro Dharma Ransomware Variants Released in One Week

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

Xbash Malware Deletes Databases on Linux, Mines for Coins on Windows