Recently, security researchers revealed a dark website advertising its ransomware-related products and services. The name of the website is “Hall of Ransom” and it can be reached through the Tor network.
Hall of Ransom sells the famous Locky ransomware for $3,000. This ransomware infiltrates the system through a malicious macro in Microsoft Word documents sent to its victims as email attachments. The latest casualties of Locky include the Methodist Hospital in Kentucky and the Hollywood Presbyterian Medical Center, which paid a ransom of 40 bitcoins (around $17,000) to decrypt its files. Last Friday, Locky ransomware was estimated to have had 90,000 infections daily.
The dark website is also selling an uncopiable ‘USB key’ for $1,200 which can supposedly decrypt the files encrypted by Locky on infected Linux and Windows-based computers. The user is supposed to insert the USB key into the affected machine, and the program then launches automatically and uninstalls the malware.
A new-generation ransomware called “Goliath” is another piece of malware sold on the Hall of Ransom website. The price of Goliath is $2,100. Its source code is said to be derived from Locky’s, and it is provided to beginners who are just starting to venture into cybercrime.
Hall of Ransom advertises Goliath by promising a high infection rate and the ability for attackers to download, lock and unlock the content of infected machines in one click.
Further probing by the researchers showed a possible link to another ransomware variant named Jigsaw, which was referenced in the site’s HTML source code.
Jigsaw has drawn considerable attention for its capability to incrementally delete files from the infected computer for every hour that the ransom, which also increases, is not paid.
Considering the benefits hackers get from hosting their infrastructure and advertising their products on anonymizing services such as the Tor network, trading malware is not surprising at all. In fact, ransomware is usually seen as an attractive option given its promise of a quick ROI, and it is thus growing into a business model.
Ransomware variants like Mischa, Petya, Cerber, and ORX-Locker, for example, are known to be offered as ransomware-as-a-service products on deep web marketplaces, where affiliates distribute the ransomware while developers earn commissions for every paid ransom.
For instance, Tox ransomware was offered to hackers for free as a customizable toolkit, with 30% of the income going to the developer. The newly offered Goliath ransomware is said to require the use of a virtual private network (VPN) and can only affect machines running Windows OS.