Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button.

The entry level for this new ransomware is hilariously low, compared to similar RaaS portals we've seen in the past.

The ransomware generated through this service is written in Go. We've called it Shifr based on the extension it adds to encrypted files, but G Data security researcher Karsten Hahn has told Bleeping Computer that an initial analysis of this new threat reveals clues that Shifr might be related to Trojan.Encoder.6491, the first ever ransomware written in Go, discovered last year by Dr.Web security researchers.

Shifr offered through RaaS portal on the Dark Web

To obtain a copy of this ransomware, you need to visit a website on the Dark Web and have your Bitcoin address nearby.

A potential customer needs to enter this Bitcoin address, and the size of the ransom demand Shifr should ask from victims. After this, all that's left is for the user to solve a mundane CAPTCHA challenge and press a button.

Shifr RaaS payload builder Shifr RaaS payload download page

While other RaaS portals will ask for an entry fee or verify their clients to ensure only skilled crooks (and not security researchers) get their hands on ransomware samples, this service offers a fully weaponized sample in a few easy steps.

Because of this openness and lack of secrecy, VirusTotal was filled with Shifr samples in a matter of days, bringing this new threat to the attention of several antivirus makers, many of whom are now detecting this new threat.

Shifr will take a small 10% cut. May be a scam.

In addition to the lack of stealth, this service is also different from other RaaS services because it's asking for a very low cut, attempting to compensate for the ransomware's lack of features.

While the Cerber RaaS service asks for a whopping 60% share, the Shifr operator only asks for a lowly 10%, clearly aiming at two classes of crooks: the greedy and the very greedy.

Initially, because of its lowly 10% cut, we thought Shifr might be packed with a RAT or infostealer that would infect wannabe and inexperienced ransomware distributors, and steal any funds or tools they might have on their computers. No such luck, unfortunately, and the ransomware turned out to be nothing special at all.

Nonetheless, Shifr may also be a scam. RaaS portals work on the premise a distributor infects victims, who pay the ransom demand to the RaaS owner Bitcoin address, who then redirects the payment to the distributor while keeping his cut.

By playing on some people's greed, Shifr may be a scam designed to keep ransom payments without paying distributors their cuts. Distributors would flock to the service enticed by its low cut only to find out the Shifr author kept all the money.

Shifr is a work-in-progress

The ransomware's lack of sophistication can also be seen in its simplistic ransom note, which only contains two rows, with a link to its ransom payment page.

In our tests, this link wasn't even working, and we deduced the payment site's actual location based on other information.

The payment site is where users will find the Bitcoin address where they have to send funds and a link to the decrypter that will unlock their files.

The root URL of this payment site is also the RaaS homepage, which could mean the crooks couldn't afford enough machines to separate his payment and RaaS portal over multiple servers.

The rise and simplification of RaaS offerings

Overall, Shifr was one of the easiest to use RaaS portals that Bleeping Computer has encountered in the past year. The trend for RaaS seems to be going away from secluded communities and secret forums to open websites providing anyone with access.

In a report released today that details ransomware evolution in the past year, Kaspersky Labs experts also saw a similar rise and proliferation of RaaS portals.

Kaspersky also noted a rise of 11.4% in the number of ransomware victims from April 2016 and March 2017, compared to the previous year.

IOCs:

SHA256 hash:

3c7d5bb131b98340ebe18f5d7f8ba289e8b91e017bf9d9ff8270e87a996d334d

Ransomware file name:

HOW_TO_DECRYPT_FILES.html

Ransom note text:

Your files have been encrypted. To decrypt your files, follow instructions here.

Network requests:

http://[REDACTED].onion/decrypt/f2f6d2aa-06e0-43f9-9ebd-853af768e29e https://[REDACTED].onion.to/new_c/

Encrypted extension:

.shifr

Targeted file extensions: