Saturn RaaS homepage

The authors of the newly discovered Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program.

The entire idea of this new RaaS portal is to allow easy access to a weaponized version of the new Saturn ransomware.

All that wannabe ransomware distributors have to do is to sign up on this new portal hosted on the Dark Web, get a copy of the Saturn ransomware, and start spreading it around.

RaaS portals that Bleeping Computer has analyzed in the past usually required users to pay an upfront sum before accessing a weaponized version of the ransomware binary. The Saturn RaaS takes a different approach to the RaaS business model by putting the weaponized ransomware binary into anyone's hands from the get-go, with no upfront money.

Affiliates stand to make 70% of the ransom payments

Users who generate one such file (called a stub in the Saturn RaaS interface) must then embed it into other files such as EXEs, Office, PDF, or other documents. These files are then sent to users as part of spam email or malvertising campaigns, the two most common ransomware distribution methods.

Victims who get infected will have to pay decryption fees on the Saturn payment portal located at su34pwhpcafeiztt.onion. This money goes to the main Bitcoin account of the Saturn ransomware authors.

But if the file that infected the victim was generated on the RaaS portal, the user who generated the file and spread it to the victim will receive 70% of the total payment, while the Saturn creators keep 30%.

"After signing up, login to your account, create new virus and download it. With this virus you just created, you are ready to start infecting people. Now, you the important part, you 70% of the bitcoin paid by victim will be credited to your account, as example, if you have specified $300 as a ransom, you will get $210 we will get $90."

Saturn's 70%-30% payment scheme is on par with the Cerber RaaS payment scheme, one of today's largest ransomware operations.

The Saturn RaaS is currently open for registration and has already cropped up in Dark Web URL scanners and directories. Your reporter has signed up for an account on the Saturn RaaS. Below are screenshots of the portal's current GUI and features:

Saturn RaaS dashboard

Saturn RaaS chat

Saturn RaaS stub builder

Saturn RaaS withdrawal

Bleeping Computer analyzed the Saturn ransomware last Friday in an article that our readers can view here. The ransomware is under active distribution.

Hash for a sample stub file obtained from the Saturn RaaS:


GandCrab also offered via a RaaS

Another ransomware seeing heavy distribution is the GandCrab ransomware. This strain, too, is offered in a RaaS-like scheme.

Peruvian security researcher David Montenegro has discovered that GandCrab is peddled on an infamous cybercrime forum for Russian-speaking users.

Thx for Saturn RaaS tip from yotoprules.
