Since May 7th, 2019, the Tor sites for the Jokeroo Ransomware as a Service (RaaS) have started displaying a notice stating that their server was seized by the Royal Thai Police in conjunction with the Dutch National Police and Europol. It turns out that this notice is fake and the RaaS is performing an exit scam.

An exit scam is when a business, criminal or otherwise, pretends to have lost access to any funds or goods due to being hacked, seized by the government, or other problem. They then tell their clients that they have no way of reimbursing them or providing their paid-for services, while quietly sneaking away with the stolen money or goods.

Exit scams are being more common as law enforcement increases pressure on illegal activities on Tor and criminal sites. Just recently, dark web marketplaces for illegal goods have tried to conduct exit scams to make off with seller's money.

When we first saw the seized notice on Jokeroo's Tor servers, we quickly grew suspicious as the notice was missing words, had unusual wording, and was more descriptive regarding why the site was seized that you normally see.

Jokeroo Site Seized Notice

The full text of this notice can be read below.

THIS HIDDEN HAS BEEN SEIZED by the Royal Thai Police in conjunction with the Dutch National Police and Europol What have you done? The police investigation focus on the criminal activities of Jokeroo and the people behind Jokeroo. Jokeroo uses the Dutch (digital) infrastructure to provide services to criminals by renting out servers from which criminal activities can be deployed such as sending spam messages and causing RANSOMWARE attacks, The takedown of Jokeroo is a coordinated effort by law enforcement agencies from Thailand and The Netherlands, Europol.

When BleepingComputer contacted law enforcement to confirm if the notice was real, "Europol confirmed that they were not involved in the case." We also contacted the other law enforcement agencies involved, but had not heard back at this time.

The Jokeroo Ransomware was a RaaS where affiliates could buy into different level of packages ranging from $90 to $600. Depending on the purchased package, affiliates would receive a greater revenue share of ransom payments and more feature in the ransomware.

Jokeroo never achieved wide distribution, but samples were detected in the wild. For example, one sample discovered by Avast researcher Jakub Kroustek impersonated the GandCrab Ransomware.

As the purchase price included lifetime access, in addition to this exit scam being used to steal money, it may also be used to get out of supporting a ransomware service that is not making much money for the developers.