Threat actors behind Smaug ransomware are advertising their RasS platform on the Dark Web forum
Smaug RaaS makes it easy for threat actors to use ransomware to achieve their objectives
Researchers from Anomali Threat Research have come up with new details of the cyber criminals behind the Smaug Ransomware-as-a-Service (RaaS), saying the actors have been advertising their platform on a Russian language Dark Web forum.
Ransomware has turned into a big business in recent years, according to researchers. There is a lot of money in ransomware threat space, which has rapidly expanded from the start of the decade.
Smaug RaaS is a particularly attractive option for cybercriminals who want to enter the ransomware space but don't have skills or abilities to develop a sophisticated ransomware for cyber campaigns.
Smaug RaaS is likely managed by at least two threat actors, according to researchers. On 5th May 2020, one of the group members, named 'corinda', posted a message on 'Exploit.in' forum, providing details of the various features of Smaug RaaS platform.
Corinda's post also included screenshots of the Smaug user interface as well as details of how users could avail of the service.
According to researchers, Smaug RaaS platform has been designed with ease of use in mind.
After users fill and submit a registration form, they are directed to pay a one-time fee of 0.2 BTC (approximately $1,900) to a particular Bitcoin wallet. A subsequent service fee of 20 per cent is also charged for each ransom payment received from victims.
The Smaug dashboard appears as a clean, easy-to use online panel.
To launch a ransomware attack, threat actors need to create a campaign and submit details of expiration dates and custom ransom messages. After that, they can download relevant payload for the system that they intend to attack (Windows, Mac or Linux) and start distributing the malware.
The dashboard takes care of decryption key purchasing and tracking for victims. User can also track the profits they have accumulated through their campaigns.
A campaign ends as soon as the expiration date set by the user has passed, following which, victims have no chance to recover their files.
After a ransom is paid, the user can withdraw money though the 'Withdrawal' page. The page shows the current balance for the user (after withholding 20 per cent fee), and allows them to submit a withdrawal request to a specified BTC wallet.
Interestingly, the Smaug RaaS operators don't allow users to target people or companies based in CIS countries, including Russia, Armenia, Kazakhstan, Moldova, Belarus, Azerbaijan, Tajikistan, Uzbekistan and Kyrgyzstan.