RaaS is a new beast in a wonderful new world

When you read news from the world of the invisible war of Internet ransomware with the owners of wealth,

surprised at the progress of the first and traditionalthe volatility of the latter, fluctuating in their moods from complete apathy to polite indifference to their own safety. The extortion scheme itself boils down to three simple ways. The first method is of no interest to us, since it consists in pleas from a conditionally wounded / sick / kidnapped (etc.) directed to an Internet user. Exactly the same process takes place between two people as on the street or near a metro station (I haven’t seen it for a long time, but maybe it’s left somewhere), i.e. the swindler puts pressure on pity and receives "alms". The other two methods are of particular interest to us, as they are directly related to the software of our favorite smartphones, tablets, laptops and desktop computers. For example, you recklessly store your bank account number and mobile banking password on a personal device. To get your money, a scammer needs to infect your device with a virus of one kind or another, giving access to the file system and the rights to send the received information over the Internet to a gangster lair. Various methods are used to introduce the virus.

In one case, the device is infectedthrough pirated software (the same Photoshop or a new game downloaded from torrent trackers), in another you receive an email from a “trusted source” (for example, from a bank, which says that you are doing something won), very similar to the present. Such letters necessarily contain attachments in the form of documents, archives, allegedly PDF pages, and the like. It is important to remember the main thing - do not open attachments, but it is better to delete the entire suspicious email at once. The third method is perhaps the most risky for a fraudster, although the most primitive. We are talking about extortion after the virus blocked the laptop desktop, the command line, or even transferred all the data from the device to the thieves' server, deleting the original sources. This method has received maximum development in recent years, which was based on the main growth stimulator - the emergence of cryptocurrency, the movement of which is very difficult to track and which is not affected by the vigilant eye of banking security services. Below, in order, is my version of ransomware evolution, with which you may not agree, but there is a discussion below.

First exploits

The first ransomware banners appeared at the end1990s, at a time when the Internet was still a luxury item and was sold “by coupons” (DSL connection was for a fixed time, distribution was realized in the form of sales of plastic cards with a code), and its happy owners were proud of speeds of about 64-128 Kbps /With. The lack of internet did not stop the scammers. Mobile communications (SMS) and artistry were used as crime weapons. Potential victims were given free virus on floppy disks under the guise of "Information on AIDS" on behalf of a fictitious international organization, during the "advertising campaign" of some perfume, and so on. Peddlers of the software virus met on the St. Petersburg "Juno", on the Moscow "Gorbushka", in electric trains and the metro. Smart people took floppy disks with pleasure and formatted them without reading them, it was a valuable thing in those days. Inexperienced users inserted a floppy disk into the drive, opened the contents and saw a certain program called “Learn all about AIDS”, “Lipstick discounts” or “Lose weight with us”, after installing which and the first reboot of the PC, a ransomware banner appeared.

A typical banner from an early era of development. Approximately 2005, artist unknown.

In some ways, the scammers were right, losing weight is quitecould follow, because in the late 90s you could live for a week on 500 rubles. However, these were the very first exploits in history to benefit the underworld.


Affiliate material

Reality and prospects of the IT professions market

What professions are the most popular and highly paid?

Saturday coffee #224

Pour a cup of invigorating Saturday coffee andcheck out the news of the week. Xiaomi introduced new smartphones and a laptop, the Evolute electric car went on sale, Apple moves to USB-C, and Netflix will show Sonic ...

Haval H5 test. Chinese UAZ

Frame SUV Haval H5 is not new to our market, earlier in Russia it was presented as Great Wall Hover H5, later as DW Hower H5.

Review of e-book PocketBook 617

A budget reader from PocketBook in a classic style: without a touch screen, with a closed OS, but very light and fits in a jeans pocket.

Trojan.Winlock and Co

The first viruses blocking the operating systemgave birth to many clones, each of which developed along its own path, moving further and further away from its parents. Only one thing has remained unchanged - the desire to block the system and tell the user where and how much to pay for "unblocking". Viruses began to spread using the Internet, and their mass accumulation was found on sites "for adults", apparently for psychological reasons. It is easier to convince the victim to pay if she feels guilty herself. The mechanism for introducing the virus has not changed, the user still had to download and install some program himself, but they were lured quite clumsily, from “You are the 100500th visitor to the site, click here, download and run the program with a password” to “Free premium subscription for a month". Experienced users blacklisted the site and moved on, inexperienced users ended up with the same banner.

Trojan and banner specially designed for Britain and the surrounding area. The explorer application is blocked, as is everything else, including the command line.

Evolution has undergone not only the code of the virus, but alsothe psychology of scammers. Another psychological trick was added, with the help of which the scammers convinced the victim that the virus was not a virus at all. What to do, the most naive suffer first of all.

A truly massive threat of Trojans and theirrelatives began in the winter of 2009-2010, when it was literally impossible to access the Internet and not “get informed” or “win” something. The scammers offered to transfer money using a revolutionary and relatively verified method for that time - via SMS sent to a short number. You probably remember that mess when almost all mobile operators rented out short numbers to everyone in a row, creating fertile ground for the growth of crime. Speaking about the economy of Internet gangs, one curious fact can be noticed - the appetites of the latter have been falling year by year. The reasons for this phenomenon are very simple and lie in the growth of the population, excuse me, the number of Internet users. The extortionists seem to have decided to take less, but more often than less, but more. The payoff amount varied from 20 to 300 rubles. Moreover, the very first versions of the Trojan self-destructed from the device if the user was inactive for several days. Because of the criminals' fear of being caught, of course. In modern versions of the Trojan, there is no self-destruction mechanism; it disappeared due to the appearance of a channel for transferring funds, safe for fraudsters, in the form of cryptocurrency transactions.

The Petya Trojan requires Bitcoins.

A prime example of modern malwareis the well-known Trojan Petya, in the distribution of which the US State Department tried to accuse the Russian Federation (all). “Petya” prefers bitcoins, which makes it infinitely more difficult to catch him. Other actions of the Trojan also involuntarily deserve respect, "Petya" rewrote and encrypted MBR data (boot sector), encrypted all files on the device. The latest version of Petya from 2017 (named NotPetya) does the same thing but is tougher, even after the ransom, the trojan deletes all files from the computer. So it is better to prepare a bootable USB flash drive with the operating system and data recovery software in advance, or store important information on an external HDD / SSD. Friends, write in the comments what should have happened to a person so that he would hate everyone else so much? Maybe he was raped by ugly women? Or was he in the last stage of manic-depressive psychosis?

The activity of ransomware viruses on PC andsmartphones differ fundamentally in only one thing - the smartphone has a SIM card, with the help of which the virus can replenish other people's wallets more quickly and efficiently, often even unnoticed by the owner. Most fraudulent schemes are implemented in two stages, if you exclude the option of clicking on links in the body of an untrusted site. The first step is to download and run an application (usually a fake for a popular application, such as a game), which convinces you to follow the link:

The logical result of rash user actions

At the second stage, the virus itself is downloaded and launched. The image above is taken from the excellent guide of the Russian division of Samsung, which I recommend to everyone who is interested.

Be that as it may, the era of Trojans is coming to an end, thanks to the joint efforts of search engines and operating system authors, but a new threat has appeared on the horizon.


Finally reached various kinds of extortionistsone simple idea, which is in a simple equation. On one side of this equation is a ransomware (he is also the author of the malicious code), and on the other side - from 2 years in prison to life imprisonment for some pathetic 2 rubles stolen over the network (depending on local jurisdiction). This equation has two "problems": low returns and the risk for the hacker himself to be caught. The “problem” of low incomes was solved by criminals by switching from automatic distribution of viruses (in letters and software) to an attack on a specific individual or legal entity. The "problem" of the security of the authors of the code was solved in an absolutely wild way, making you remember stories about an alternative future of humanity in the style of cyberpunk. Ransomware began to offer a kind of rent to everyone, and in exceptional cases with a potentially large profit - only to scammers with a positive history in the underworld and mandatory technical training. You didn’t read it, starting in 2020, a new type of criminal activity, which can be called “hacking by subscription” or “hacking for interest”, brings more and more income to affiliates.

So, only in 2022 the damage from targeted attacks oncompanies amounted to tens of millions of dollars. This statistic does not include income from breakout payments, which were made by individuals with really dirty tendencies, and should probably be doubled or tripled. It's really hard to imagine, but sites appeared on the Darknet that play the role of "central offices", where anyone who wants to become a hacker can register, then open their own subsidiary office and resell hacking tools (the official name in the Interpol database is "RaaS kits") further ending with performers. The issue of the security of the "central office" is ensured by the storage of all contact information of the "junior office", including the personal data of the "director" of this "junior office". If a cybercop tries to unwind this tangle, he will run into a complete reluctance to share information of a junior level, who would prefer to go to jail for 10 years, but not allow the police to receive the entire dossier on their sins from the "central office" and go to prison for 20 years, otherwise and for life. Yes, now, in order to become a member of the mafia, it is not necessary to kill an innocent with a rusty revolver on camera, but this does not change the essence, mutual responsibility also applies here.

The world has changed once again, and almost any villain can become a criminal "hacker", regardless of skills and education. It scares.


Some names of large RaaS gangs (they are"central offices" with a total number of "employees" of 100 people and above) are already known, for example, LockBit, BlackBasta and AvosLocker, but this does not help to catch and imprison them. And no one seems to understand how this can be done. In this story, there is little that pleases - the target of the crime is unlikely to be a single average family, and companies can insure themselves if they conduct honest business.

The criminal community on the Internet is evolvingfollowing the social evolution of the rest of society. Frenzied extortion turns into a kind of business, receiving the ideology and types of relations of "allied" accepted in the outside world. Will it ever come to the point that one fraudster will give another to sign a "certificate of work done" or an extended warranty? Indeed, it would be interesting for Dr. Moriarty to live in our time, it remains only to raise a sufficient number of Greg Lestrades. Until then, it remains to rely on common sense and antivirus programs, which a priori begin to fight a new virus only after it has infected a number of devices sufficient for some kind of “public outcry”.