Janus offers new deal for Petya distributors

The latest Ransomware as a Service (RaaS) went mainstream last week, according to a report in Bleeping Computer. The Russian cybercriminals behind the Petya and Mischa ransomware started an aggressive campaign to attract new distributors.

There are several interesting twists to this campaign. It starts with paying a small amount to register in order to, as Bleeping Computer says, “discourage timewasters and kiddies.” The amount is small enough that most would expect to recover it in their first campaign. Once a distributor has been accepted, the benefits are substantial, as the table below shows.

| Volume/Week | Share | Earnings (£) |
|---|---|---|
| <5 BTC | 25% | 468.84 |
| <25 BTC | 50% | 5,626.08 |
| <125 BTC | 75% | 43,602.12 |
| >= 125 BTC | 85% | 49,814.25 |

As of August 1, 2016 XE.com values a Bitcoin at £468.84. For those on the top scale of over 125 BTC this translates into big money and is likely to attract a lot of attention. Even at the bottom end the amount of money is just under the UK average salary. At the top end it would be the equivalent of running a large multinational company.

A new and improved Petya

Back in April it transpired that the authors behind Petya had been lazy in their coding. This allowed companies such as Kaspersky to write a utility that decrypted Petya files. This latest version, with Mischa thrown in for good measure, is a much nastier beast. The encryption has been hardened and the inclusion of Mischa makes it easier to infect computers.

Getting rid of the competition

This campaign comes just a day after Malwarebytes reported that the Petya developers had leaked the keys to the Chimera ransomware. It turns out that they had hacked into the Chimera network and even stolen some of the code. In order to remove it as a competitor they have now leaked 3,500 different keys online. This will enable security companies to help unlock the files of Chimera’s victims.

This approach is an interesting twist in the battle to control the very lucrative ransomware market. It could be the start of an internal war between criminal gangs or something more interesting. In this case we are seeing a war between Russian and Chinese cyber gangs. How long before the team behind Chimera hits back at Petya and Mischa?

For distributors who have already established their networks to find victims this creates an interesting problem. Do they shift allegiances as the power struggles continue? What if their details are leaked and they become victims of revenge by their former employers?

Conclusion

This latest move in the RaaS market is interesting. It certainly puts an end to the “crime doesn’t pay” approach because in this case it pays big time.

2 COMMENTS

  1. […] is highly profitable. The ransomware owners are so confident of their revenue stream that they have reward programmes for distributors. A successful distributor bringing in > 125 Bitcoins per week gets to keep around 85% of the […]

  2. […] in August, website Bleeping Computer reported both the Petya and Mischa ransomware looking for distributors. It offered distributors a Ransomware as a Service (RaaS) approach. This meant that the more […]
