September 20, 2012Dancho Danchev By Dancho Danchev

Managed Ransomware-as-a-Service spotted in the wild

Over the past several quarters, we’ve witnessed the rise of the so called Police Ransomware also known as Reveton.

From fully working host lock down tactics, to localization in multiple languages and impersonation of multiple international law enforcement agencies, its authors proved that they have the means and the motivation to continue developing the practice, while earning tens of thousands of fraudulently obtained funds.

What’s driving the growth of Police Ransomware? What’s the current state of this market segment? Just how easy is it to start distributing Police Ransomware and earn fraudulently obtained funds in between?

In this post, I’ll profile a recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users, and for the first time ever, offer an inside peek into its command and control interface in order to showcase the degree of automation applied by the cybercriminals behind it.

More details:

Sample underground forum advertisement of the managed DIY Police Ransomware service:

According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria.

The price for the service? $1,000 on a monthly basis for a managed, bulletproof command and control infrastructure.

Just how sophisticated is the command and control interface? Let’s take a closer look into a sample command and control screenshots released by the cybercriminals behind the service in order to demonstrate its usefulness.

Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:

As you can see in the attached screenshot, thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.

Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:

The managed service relies primarily on the Ukash voucher-based payment system, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers.

We’ll continue monitoring the development of the DIY managed ransomware service.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button


  1. […] In this post, I’ll profile a novice cybercriminal’s approach to entering the profitable world of ransomware. […]

  2. […] And although the DIY activity cannot be compared to the malicious impact caused by “cybercrime-as-a-service” managed underground market propositions, it allows virtually anyone to enter the profitable […]

  3. […] to the needs, wants, and demands of potential customers. Utilizing basic marketing concepts such as localization, market segmentation, as well as personalization, today’s sophisticated cybercriminals would […]

  4. […] initiating a micro-payment to pay the ransom for having their PC locked down. You’ve got managed ransomware services doing it for […]

  5. […] crypting services, commercially available undetected DIY malware generating tools, as well as managed malware/ransomware services taking care of the detection process, cybercriminals are perfectly positioned to capitalize on the […]