Jokeroo RaaS Prepares to Take a Piece of GandCrab “Business”

Delaware, USA – March 6, 2019 – The new Ransomware-as-a-Service platform prepares to enter the game and is actively promoted both on the Darknet forums and through social networks. Initially, the attackers behind Jokeroo ransomware tried to present their creation as the newest version of GandCrab but soon abandoned this tactic. The platform is hidden in the Tor network, and attackers offer several levels of “subscription” to their service. The minimum price is $90 and 15% of ransom payments; under such conditions, subscribers are able to construct one ransomware sample, which, in addition to encrypting files, will collect information about the victim’s system, display a list of encrypted files and IP address. The following levels offer more options for customizing the Jokeroo strain and allow attackers not to pay a fee to malware authors. So far, there is no reliable information about the victims of this ransomware in the wild, but the emergence of the new RaaS platform will surely interest many cybercriminals who massively distribute malware via malvertising campaigns or exploit kits.

It should be noted that at the end of February a new build of CryptoMix ransomware was spotted in the wild by MalwareHunterTeam. Judging by the ransom note, its authors are going to add the capability of spreading CryptoMix throughout the network for more effective attacks against organizations. Despite the fact that last year the total number of active ransomware families decreased, the number of attacks on organizations increased by almost a third. To detect such attacks at early stages, you can use the Ransomware Hunter rule pack: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight
You can also use DetectTor to find all connections to the anonymity network: https://my.socprime.com/en/integrations/detecttor-arcsight