Ransomware as a Service: How Much Does Ransomware Cost on the Darknet?

Ransomware as a Service: Who Offers Ransomware Help on the Darknet and at What Price?

Waves of ransomware trojans keep coming one after another, and their scale is only growing. Behind the scenes, there are people offering an easy way for anyone to become a hacker (and, with high probability, earn a criminal record). In this article, I’ll explain how and for how much ransomware services and software are offered on the darknet. But first, let’s look at the history of ransomware malware.

The Evolution of Digital Extortion

The first recorded ransomware epidemic happened in 1989, when Norwegian biologist Joseph Popp mailed out a floppy disk labeled as containing educational information about AIDS. In reality, the program embedded itself in AUTOEXEC.BAT, hid folders, and damaged files. On the next reboot, users saw a message asking them to “renew their OS license” by sending $189 by mail to a Panamanian account for PC Cyborg Corporation. The computer would not boot further.

The AIDS trojan used symmetric cryptography, meaning the same key was used for both encryption and decryption, so an antidote was quickly developed. Popp was soon found, declared insane, and sent for treatment. He became famous for wearing a cardboard box on his head to protect himself from radiation.

For the next sixteen years, ransomware cases remained rare, despite the growth of the internet. Everything changed in 2005 with the spread of the GPCoder malware, which used the then-advanced RSA algorithm to encrypt data. Soon after came Archievus, which only encrypted files in the “My Documents” folder. Both brought little profit to their creators, as antivirus programs easily detected and removed them.

The Vundo malware, used for Bitcoin extortion in 2009, also failed. FireEye programmers wrote a decryption script within days, leaving Vundo’s developers empty-handed.

In 2011, a new type of ransomware appeared: WinLock. Instead of encrypting data, these “lockers” blocked access to Windows and displayed a fake activation menu. Victims were told to call support or send an SMS to get a code, with the payment going straight to the extortionists. However, this business model proved unprofitable: in 2012, ransomware operators made only $5 million—a serious sum, but nothing compared to modern threats. The next year, hackers returned to classic digital extortion, using a modified version of CryptoLocker.

CryptoLocker’s main difference from Vundo was that its encrypted files were impossible to recover without a 2048-bit key, which could only be obtained online after payment. In just two months, its creators made $27 million in Bitcoin.

After the Gameover ZeuS botnet (which spread CryptoLocker) was taken down in 2014, clones like CryptoWall and TorrentLocker dominated the ransomware market. In 2016, the first Mac ransomware, KeRanger, was discovered, followed by the cross-platform Ransom32 trojan for Windows, Mac, and Linux.

May 2017 marked a new era with the WannaCry cryptoworm, which exploited the EternalBlue vulnerability in Windows, installed a backdoor, downloaded ransomware code, and quickly spread across local networks. Within a year, it infected 520,000 devices and caused $4 billion in damages. Its contemporary, Petya, used the same Windows exploit and caused over $3 billion in losses.

In 2018, users began receiving emails with the GandCrab ransomware, often disguised as love letters or romantic archives. In 2019, GandCrab’s developers retired, having made about $2 billion.

The baton was picked up by the creators of REvil (Sodinokibi), which experts believe is a direct successor to GandCrab due to code similarities. On the back of the hype around WannaCry and Petya, Ransomware as a Service (RaaS) platforms launched on the darknet: toolkits and portals for carrying out attacks and collecting ransom. Most RaaS clients are amateurs looking to make quick money without programming anything themselves. Ransomware as a service is a collaboration model between malware operators and so-called “affiliates.”

Ransomware for Sale

On a major international marketplace, I found a dozen listings related to ransomware. Here they are:

WARNING: All information is provided for educational purposes only. The author and editors are not responsible for any harm caused by the information in this article. Spreading viruses and malware is illegal and carries criminal liability.

  1. KingLocker Source Code in Python for Windows – €99
    The vendor claims that after launching the executable, the malware connects to a control panel, downloads a key, encrypts device data, and opens a web page demanding Bitcoin ransom. I found no evidence of real-world infections. The first and only forum mention was on July 12, 2020.
  2. Sodinokibi/REvil Malware – $2,000
    According to Panda Security, Sodinokibi was the most profitable ransomware in Q4 2019. It generates unique IDs and keys for each device, encrypts files, changes desktop wallpaper, and displays decryption instructions with a URL for data recovery.
  3. Ransomware Source Code Pack – €15
    Includes: Skiddy ScreenLocker (Exotic trojan clone), NxRansomware (open source, GitHub 2016), HiddenTear (first open-source ransomware, GitHub 2015), MyLittleRansomware (open source, 2018), Jigsaw Ransomware (2016, named after the “Saw” doll), EDA2 Ransomware (based on EDA2 builder, fixed 0.1 BTC ransom), CryptoLocker (the classic that made US cops pay $500), Andr0id L0cker (mobile ransomware for Android), Shark Ransomware (launched as RaaS in 2016). Andr0id L0cker is the only mobile ransomware I found for sale on these markets.
  4. WannaCry – $150
    The “I Wanna Cry” trojan is still active, accounting for 40.5% of detected infections in Q1 this year. However, after the 2017 epidemic, Microsoft patched the exploited vulnerability in all Windows versions back to XP, so the original build can no longer install a backdoor on most computers.
  5. LimeRAT Modular Trojan – €89
    A multifunctional malware for encrypting data on hard drives and USBs, installing an XMR miner, stealing crypto wallet data, and performing DDoS attacks. Spreads via Excel files and USB drives, and self-deletes if it detects a virtual machine.
  6. Blackmail Bitcoin Ransomware Custom Build Source Code – $15
    A curious malware that can be used as a regular encryptor or a Bitcoin stealer. In ransomware mode, it encrypts files and demands ransom. As a stealer, it detects BTC addresses in the clipboard and modifies them, so if the victim pastes without checking, the coins go to the hacker.
  7. DiamondFox Modular Malware – $1,000
    The 2017 version with updates as of March 17, 2020. Spreads only via USB drives and includes nine modules: Cookie Grabber (steals browser cookies), Botkiller (removes other malware), Video Recorder (records user activity), ransomware (auto-decrypts after payment), crypto stealer (modifies BTC, BCH, LTC, ETH, DOGE, DASH, XMR, NEO, XRP addresses), keylogger, file stealer, password stealer, and Windows bot. The ransomware module is likely open source or an outdated modification, given its low price.
  8. Ransomware 2020 – $49
    No malware name given, but the seller claims it was created in 2020 and is undetectable by any antivirus. Uses AES encryption and opens a ransom note in a text file demanding cryptocurrency.
  9. Blackmail Bitcoin Ransomware with Source Code – $40
    Spreads via USB and installer files downloaded from the internet. For USB drives, it can auto-launch after a set time. Comes with a user manual.
  10. Source Code for Five Bitcoin Ransomware Programs – $18
    Includes modern malware and instructions for configuration and distribution. Names are kept secret, but the vendor says all are new and suitable for cryptocurrency extortion.

As usual, the Russian darknet disappointed: on Russian-language marketplaces and forums, ransomware is not sold and attack services are not offered, as platform moderators ban RaaS. It’s all drugs, carding, and data leaks.

Ransomware Turnkey Services

Currently, there are two full-fledged RaaS platforms on the dark web, designed to automate and optimize malware distribution and ransom collection. Their terms and modus operandi differ, but neither sells source code.

Ranion

Ranion offers a service package including:

  • A Tor-based control panel for key management
  • A decryptor
  • An add-on for translating ransom notes and adding file extensions

To access the service, you send Bitcoin and an email with your BTC address, ransom amount, contact email, and add-on list. After payment, you receive:

  • An executable ransomware file for Windows x86/x64 (AES encryption)
  • A decryptor
  • A link to the dark web control panel

Once launched on a victim’s computer, the malware encrypts files with 43 extensions (e.g., .txt, .docx, .jpeg, .rar), generates a key, and sends it to the control panel. The victim sees a ransom note with a crypto wallet address and contact email. If the ransom isn’t paid within seven days, the decryption key is deleted.
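As an added defender-side illustration (not code from the article or from Ranion), the following Python heuristic flags the behaviour just described: one process appending a new extension to many files of several targeted types within seconds, followed by a ransom note. The audit events, the process names, the ".locked" suffix and the extensions beyond the four the article names are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# First four extensions are named in the article; the rest are assumed additions.
TARGETED = {".txt", ".docx", ".jpeg", ".rar", ".xlsx", ".pdf"}
NOTE_RE = re.compile(r"readme|decrypt|restore|recover", re.IGNORECASE)

# Constructed file-audit events: (ISO timestamp, process, action, path).
SAMPLE_EVENTS = [
    ("2020-09-14T10:00:01", "WINWORD.EXE", "write", r"C:\Users\a\report.docx"),
    ("2020-09-14T10:05:00", "update.exe", "rename", r"C:\Users\a\report.docx.locked"),
    ("2020-09-14T10:05:01", "update.exe", "rename", r"C:\Users\a\notes.txt.locked"),
    ("2020-09-14T10:05:02", "update.exe", "rename", r"C:\Users\a\Pictures\cat.jpeg.locked"),
    ("2020-09-14T10:05:02", "update.exe", "rename", r"C:\Users\a\Downloads\arch.rar.locked"),
    ("2020-09-14T10:05:03", "update.exe", "rename", r"C:\Users\a\budget.xlsx.locked"),
    ("2020-09-14T10:05:04", "update.exe", "create", r"C:\Users\a\README_DECRYPT.txt"),
    ("2020-09-14T11:30:00", "7zFM.exe", "rename", r"C:\Users\a\old.rar.bak"),
]

def was_targeted(path):
    """True if a targeted file type received an extra, appended extension."""
    suffixes = PureWindowsPath(path).suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in TARGETED

def detect_mass_encryption(events, window_s=60, threshold=5, min_types=3):
    """Return {process: details} for processes that re-extension >= threshold files
    of >= min_types different types within window_s seconds."""
    by_proc = {}
    for ts, proc, action, path in events:
        by_proc.setdefault(proc, []).append((datetime.fromisoformat(ts), action, path))
    alerts = {}
    for proc, evs in by_proc.items():
        evs.sort()
        hits = [(t, p) for t, a, p in evs if a == "rename" and was_targeted(p)]
        notes = [t for t, a, p in evs if a == "create" and NOTE_RE.search(PureWindowsPath(p).name)]
        for i, (start, _) in enumerate(hits):
            end = start + timedelta(seconds=window_s)
            window = [p for t, p in hits[i:] if t <= end]
            types = {PureWindowsPath(p).suffixes[-2].lower() for p in window}
            if len(window) >= threshold and len(types) >= min_types:
                alerts[proc] = {"count": len(window), "types": types,
                                "ransom_note": any(start <= t <= end for t in notes)}
                break  # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for proc, info in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {info['count']} files of {sorted(info['types'])}, note={info['ransom_note']}")
```

A legitimate archiver renaming a single file (the 7zFM.exe line) stays below the threshold, which is the point of requiring both volume and variety of file types.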

After receiving payment, the attacker runs the decryptor, enters the victim’s key, and selects “Decrypt My Files”—the files are automatically restored.

Features include delayed start/encryption, disabling Task Manager, changing desktop wallpaper, and tracking the device’s IP. For an extra $90, you can buy an obfuscator and a unique .onion address for the ransom note. Subscription costs: $120/month, $490/6 months, $900/year.

The developers claim 85% of antiviruses don’t detect Ranion; the remaining 15% flag it as suspicious or unwanted. Updates are sent to subscribers by email. The latest update was in September 2020. The developers claim the software is for research only, to avoid liability for illegal use.

According to VirusTotal, in 2017, 41 out of 60 antiviruses detected Ranion’s executable. The September 2020 version (v1.11) hadn’t been tested at the time of writing. Ranion doesn’t encrypt shadow copies, so data can be restored from backups. However, the unique keys prevent decryption by third-party tools.

Smaug

Launched in May 2020, Smaug positions itself as a leading RaaS project. Registration costs 0.2 BTC (about $2,137 at the time). After payment, users can create infection campaigns with two options:

  • Standard (unique key per device)
  • Institutional (encrypts multiple devices with one key)

Each campaign can be named, assigned a Bitcoin ransom amount, a custom message for victims, and a deadline. You select the OS (Windows, Linux, or macOS), click “Create,” and download the ransomware executable.

The malware encrypts files and opens a text document with a link to the Smaug portal. The service provides a decryption key after payment, but allows one file to be decrypted for free as a test. Smaug takes a 20% commission on all transactions and automatically credits Bitcoin to the affiliate’s wallet. The platform tracks campaign stats: total payouts, number of visitors, and payments.

The malware only encrypts data on the hard drive and does not self-propagate across local networks, reducing the chance of antivirus detection. Smaug’s developers prohibit attacks in CIS countries and have promoted the service on Russian-language darknet forums, suggesting the creators are from the region. Despite high fees and registration costs, the server is unstable and often goes offline—possibly due to poor support or DDoS attacks from competitors.

In September, VirusTotal tested Smaug: 44 out of 67 antiviruses detected it. The malware deletes original files after encryption and generates unique keys, so decryption tools don’t work. Victims without a backup have no way to recover their data except paying. However, Smaug does not delete backups or shadow copies, so having a backup is the best protection.

Conclusion

Becoming a low-level player in the cybercrime pyramid is easier than ever, with malware prices starting at just $15. But it’s clear why ransomware developers prefer to sell their creations as subscriptions, like Office 365 or Adobe CS, rather than use them themselves. Get in line, and you’re guaranteed to be the fall guy.
