Intel Security scares ransomware script kiddie out of business

Coder named Tox set up a ransomware franchising business, but fear of legal reprisals forced him to shut it down.

It was textbook software as a service, with a criminal twist: grant access to a kit that makes it easy to encrypt the files on victims' PCs, then skim 20% of the take from those who actually use the kit to extort payments.

The scheme grew at a meteoric pace in just days, but once it became public knowledge its architect could not stomach the threat of legal trouble and is now backing off, which was not the original plan at all.

"Plan A was to stay quiet and hidden," the coder wrote yesterday on the Tox site, which is reachable only as a hidden service on the Tor (The Onion Router) network. Plan A was overturned by researchers at Intel Security, who found the site and wrote about it just four days after it was set up.

"It's been funny, I felt alive, more than ever, but I don't want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I'm not a team of hard core hackers. I'm just a teenager student." The message is signed "Tox".

Still, Tox wants to fulfill his or her commitment to the customers who downloaded the malware and still hope to cash in on the illegal profits. "I'm asking my users to be patient," Tox writes. "I'm not going to scam you. In a few days I'll ask you [for] a bitcoin address in the case somebody pays some of your ransoms. I'll forward you your part."

Tox is also trying to sell the entire criminal enterprise, but if there are no takers, Tox plans to shut it down entirely. "If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked."

The Tox kit makes it simple to run a ransomware scam. The malware encrypts the files on victims' machines, demands payment in bitcoins for the decryption keys, explains to victims how to pay with bitcoins, collects the ransom, sends the decryption keys, siphons off Tox's 20% and deposits the rest at the bitcoin address of the franchisee.

Criminals using the service have to find their own ways to compromise the machines they infect with Tox.

The kit is pretty good at hiding from security platforms, blogs Jim Walter, director of advanced threat research for Intel Security. "Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware's targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this," he writes.

Despite that, he doesn't give the software high marks for technical elegance. "Although easy to use and functional, the malware appears to lack complexity and efficiency within the code," Walter writes.

Once running, Tox downloads two legitimate tools onto the victim's machine: cURL, a command-line tool that sends and retrieves files using URL syntax, and the Tor client.
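Walter's point that signature-based antimalware misses the kit "out of the gate" means the useful detection handles are behavioural: a process that fetches cURL and a Tor client, and the regular polling the creator describes later in the piece (hundreds of "polling viruses per half-hour"). The following is an added example, not code from the article, Intel Security or Tox; the log format, the host names, the pids, the IP addresses and the 30-minute beacon interval are all constructed for illustration.

```python
"""Behavioural hunt for the two traits described in the article: a process that
downloads both cURL and a Tor client, and a process that then beacons to one
destination at a near-constant cadence. All log lines below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, pipe-delimited: timestamp|host|pid|event|detail
SAMPLE_LOG = """\
2015-05-29T10:00:00|ws-17|4412|download|http://203.0.113.5/curl.exe
2015-05-29T10:00:04|ws-17|4412|download|http://203.0.113.5/tor.exe
2015-05-29T10:02:00|ws-17|4412|connect|198.51.100.7:443
2015-05-29T10:32:00|ws-17|4412|connect|198.51.100.7:443
2015-05-29T11:02:00|ws-17|4412|connect|198.51.100.7:443
2015-05-29T11:32:00|ws-17|4412|connect|198.51.100.7:443
2015-05-29T10:05:00|ws-02|1201|download|https://example.com/report.pdf
2015-05-29T10:07:00|ws-02|1201|connect|93.184.216.34:443
2015-05-29T10:41:00|ws-02|1201|connect|93.184.216.34:443
"""

# Hypothetical file-name patterns for the two tools the article says Tox fetches.
TOOL_PATTERNS = {
    "curl": re.compile(r"/curl(\.exe)?$", re.I),
    "tor": re.compile(r"/tor(\.exe)?$", re.I),
}


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "event": event, "detail": detail})
    return events


def find_tool_fetches(events, window_s=600):
    """(host, pid) pairs that downloaded both cURL and Tor within window_s seconds."""
    seen = defaultdict(dict)  # (host, pid) -> tool name -> first download time
    for e in events:
        if e["event"] != "download":
            continue
        for tool, pat in TOOL_PATTERNS.items():
            if pat.search(e["detail"]):
                seen[(e["host"], e["pid"])].setdefault(tool, e["ts"])
    hits = set()
    for key, tools in seen.items():
        if {"curl", "tor"} <= tools.keys():
            gap = abs((tools["curl"] - tools["tor"]).total_seconds())
            if gap <= window_s:
                hits.add(key)
    return hits


def find_beacons(events, min_count=4, max_jitter=0.1):
    """Destinations a process contacts at a near-constant interval.

    Returns {(host, pid, dest): mean interval in seconds}. A series counts as a
    beacon when it has at least min_count connections and the standard deviation
    of the gaps is at most max_jitter of the mean gap."""
    conns = defaultdict(list)
    for e in events:
        if e["event"] == "connect":
            conns[(e["host"], e["pid"], e["detail"])].append(e["ts"])
    beacons = {}
    for key, times in conns.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


def hunt(text):
    """Run both rules over a log and return (host, pid, description) findings."""
    events = parse_log(text)
    findings = []
    for host, pid in sorted(find_tool_fetches(events)):
        findings.append((host, pid, "fetched cURL and Tor client"))
    for (host, pid, dest), period in sorted(find_beacons(events).items()):
        findings.append((host, pid, f"beacons to {dest} every {period}s"))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The two rules are deliberately independent: the tool-fetch rule fires before any ransom traffic exists, while the beacon rule catches a variant that ships its own transport but still polls on a fixed schedule. In production the thresholds (window, minimum count, jitter) need tuning against your own baseline, since legitimate updaters also poll regularly.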

The creator of Tox blames Walter's blog for forcing him/her out of business.

"Even before the website was ready to host users," Tox writes, "the McAfee blog was featuring the article about this platform. Then the number of the users started growing. From 20 to 50, from 50 to 100, it was doubling every day. Infections, with a little delay, started growing too. In just one week, the platform counted over one thousand users and over one thousand infections, with an average of more than two hundred polling viruses per half-hour."

Tox shows no remorse in the posting that announces the shutdown. In fact, Tox boasts about the ingenuity it took to create the kit, and admires the selflessness of other hackers met in chatrooms who helped test the malware.

"In these days, in the chat," Tox writes, "people helped me [with] testing and debugging the virus, but the most interesting part is that they suggested [to] me how to improve it. I don't think that such a great brainstorming has ever happened in the process of designing a virus. Users were spurred to help me improving the platform, for their own good."

"Some have said I think out of the box, others said I'm a kid who just developed the worst ransomware ever. I think that both opinions may be true, but one thing is objectively true: with Tox, I opened a door for a whole new way of thinking. I'm sure that others will try to replicate what I did. Not just for bad reasons, maybe somebody (maybe myself?) will find out how to do something good based on all this."

Despite the braggadocio, Intel's Walter rates the skill level required to produce Tox at a three or four out of 10, but he sees it as a notable step in the evolution of ransomware. "Tox is lowering the skills barrier and making these ransomware capabilities available to a broader community of prospective ransomware cybercriminals," he says in an email.

Tox's take: "[I]f I really was a team of hard core hackers, with time and resources, this would have become one [of] the greatest viruses ever."

This may be the first franchise model for ransomware, and it likely will inspire copycats, Walter writes. "We don't expect Tox to be the last malware to embrace this model," he says. "We also anticipate more skilled development and variations in encryption and evasion techniques."


Stories by Tim Greene
