Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service

Authored by: Joakim Kennedy and Rory Gould


Anomali ThreatStream customers can find Indicators of Compromise (IOCs), signatures, and more information about this threat here.


Introduction


Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims.


Threat Actor


The Smaug RaaS appears to be operated by one to two threat actors that are both active on the criminal underground. One of the threat actors’ online handles on the forums has been identified. The second operator is still unknown.


Forum Activity


On May 5, 2020, an actor named corinda posted on the ‘Exploit.in’ forum advertising a new RaaS dubbed ‘Smaug.’ The post (Figure 1) showcased Smaug’s features and included screenshots of the Smaug UI, which is detailed in the Panel section below. The post also told users how to obtain the service: contacting [email protected] with a registration fee of 0.2 BTC (approximately $1,900 USD at the time of posting) and subsequent service fees of 20%. The actor was willing to waive the registration fee for the first five users who could demonstrate their skills with the product; this was likely to garner reputation on the forum give ..
