A new Ransomware-as-a-Service (RaaS) portal that recently launched on the Dark Web is peddling access to a fully-working ransomware distribution network for extremely low prices.

Called Ranion, this new RaaS service was discovered by Radware security researcher Daniel Smith, who found it indexed on a Dark Web URL indexing service.

Despite claims that Ranion was created for "educational purposes only," the group behind this new service is selling access to its ransomware distribution network for prices of 0.95 Bitcoin/year ($960/year) or 0.6 Bitcoin/6 months ($605/6 months).

Ranion homepage
Ranion RaaS homepage
Ranion RaaS FAQ page
Ranion RaaS FAQ page

According to the Ranion crew, each buyer will receive access to a pre-configured ransomware payload that works on both 32-bit and 64-bit Windows PCs, but also to a backend panel hosted on the crook's Tor hidden service (.onion site).

When you will execute the Ransomware.exe it will encrypt any configured file type within PC (searching for files on C-Z HDDs) using an AES 256 key generated that will be sent to your C&C Dashboard. When finished it will create some README files on Desktop (in different languages) (already present eng, rus, ger, fra, esp, ita) and a banner message that will be executed to every Boot (providing details for payment to your Client). Our Ransomware doesn't destroy your PC by encrypting exe files. Exes files will be not encrypted unless you want to do it.

By default, the Ranion ransomware will target the following file types, but crooks said they're willing to expand the list with new extensions if customers want to target more of the user's data.

.txt, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .ods, .jpg, .jpeg, .png, .bmp, .csv, .sql, .mdb, .db, .accdb, .sln, .php, .jsp, .asp, .aspx, .html, .htm, .xml, .psd, .cs, .java, .cpp, .cc, .cxx, .zip, .pst, .ost, .pab, .oab, .msg

The Ranion gang also claims that their ransomware is undetected by 90% of all antivirus products. Bleeping Computer wasn't able to identify a Ranion sample to test the group's claims.

Ranion RaaS doesn't take a cut from ransom payments

What's different from other RaaS services is that the Ranion group doesn't ask for a cut from the buyer's ransom fees. Usually, RaaS services ask between 20% and 60% from a ransom payment, on top of the RaaS rental fee.

Ranion's cheaper business model might attract more buyers, but many will also question if Ranion is a scam. To dispell any potential rumors that they might be secretly hijacking ransom payments, the Ranion crew is allowing buyers to test their service.

Last but not least, the rental fee also includes access to the Ranion dashboard, which will provide buyers with information such as the ID of infected computers, the workstations' usernames, and each victim's AES decryption key.

If victims pay, the Ranion RaaS provides a decrypter that "renters" can send to affected users and allow them to recover their files.

Ranion RaaS contact page
Ranion RaaS contact page

Authors of the Ranion "for educational purposes only" RaaS listed only an email address where potential buyers can get in contact.

This is also when Ranion customers will be able to customize their ransomware, as they'll have to send over details to the Ranion authors such as the Bitcoin address where victims need to pay the ransom, an email address where infected victims can reach out for support, the price victims need to pay in Bitcoins, and a optional crypter to mask the ransomware even more from antivirus scanners.

After the transaction goes through, customers will receive two links, one for their Ranion backend panel, and one where they download the ransomware binary customized with their settings, and the decrypter they can send to customers to unlock encrypted files.

RaaS portals becoming more popular

Ranion's business model lowers the entry fee into the ransomware market, and the service's ease of use makes it accessible even to non-technical users.

"Its actually kind of worrying to see how easily accessible attack services can be," Smith told Bleeping Computer yesterday.

In the past two years, RaaS services have grown in number, but usually, these are associated with ransomware families that made a name for themselves, such as the Petya+Mischa RaaS provided by the Janus Cybercrime team.

Janus Cybercrime RaaS portal
Janus Cybercrime RaaS portal