It was a textbook – and criminal - software as a service: Grant access to a software kit that makes it easy to lock up the hard drives on victims’ PCs, then skim 20% of the take from those who actually use the kit to extort payments.
The scheme experienced meteoric growth in just days, but once it became public knowledge its architect couldn’t stand the threat of legal problems and is now backing off – which wasn’t the original plan at all.
“Plan A was to stay quiet and hidden,” the coder wrote yesterday on the Tox malware site buried deep behind the onion router (Tor) network. But Plan A was overturned by researchers at Intel Security who found the site and wrote about it just four days after it was set up.
“It's been funny, I felt alive, more than ever, but I don't want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I'm not a team of hard core hackers. I’m just a teenager student.” The message is signed “Tox”.
Still, Tox wants to fulfill his/her commitment to the customers who downloaded the malware and still hope to cash in on the illegal profits. “I'm asking my users to be patient,” Tox writes, “I'm not going to scam you. In a few days I'll ask you a bitcoin address in the case somebody pays some of your ransoms. I'll forward you your part.”
Tox is also trying to sell the entire criminal enterprise, but if there are no takers, plans to shut it down entirely. “If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked.”
The Tox kit makes it simple to run a ransomware scam. The malware encrypts victim’s machines, demands payment in bitcoins for the decryption keys, explains to victims how to pay with bitcoins, collects the ransom, sends the decryption keys, siphons off Tox’s 20% and deposits the rest in the bitcoin account of the franchisee.
Criminals using the service have to find their own ways to compromise the machines they infect with Tox.
The kit is pretty good at hiding from security platforms, blogs Jim Walter, director of advanced threat research for Intel Security. “Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this,” he writes.
Despite that, he doesn’t give the software high marks for technical elegance. “Although easy to use and functional, the malware appears to lack complexity and efficiency within the code,” Walter writes.
Tox downloads cURL, a tool that sends and retrieves files using URL syntax, as well as the Tor client.
The creator of Tox blames Walter’s blog for forcing him/her out of business.
“Even before the website was ready to host users,” Tox writes, “the McAfee blog was featuring the article about this platform. Then the number of the users started growing. From 20 to 50, from 50 to 100, it was doubling every day. Infections, with a little delay, started growing too. In just one week, the platform counted over one thousand users and over one thousand infections, with an average of more than two hundreds of polling viruses per half-hour.”
Tox doesn’t show any remorse in the posting that announces his plans to shut down. In fact, Tox boasts about the ingenuity it took to create the kit, and admires the selflessness of other hackers he met in chatrooms who helped him test his malware.
“In these days, in the chat,” Tox writes, “people helped me testing and debugging the virus, but the most interesting part is that they suggested [to] me how to improve it. I don't think that such a great brainstorming has ever happened in the process of designing a virus. Users were spurred to help me improving the platform, for their own good.”
“Some have said I think out of the box, others said I'm a kid who just developed the worst ransomware ever. I think that both opinions may be true, but one thing is objectively true: with Tox, I opened a door for a whole new way of thinking. I'm sure that others will try to replicate what I did. Not just for bad reasons, maybe somebody (maybe myself?) will find out how to do something good based on all this.”
Despite the braggadocio, Intel’s Walter rates the skill level required to produce Tox at a three or four out of 10, but it is a notable step in the evolution of ransomware. “Tox is lowering the ‘skills barrier’ and making these ransomware capabilities available to a broader community of prospective ransomware cybercriminals,” he says in an email.
Tox’s take: “[I]f I really was a team of hard core hackers, with time and resources, this would have become one the greatest viruses ever.”
This may be the first franchise model for ransomware, and it likely will inspire copycats, Walter writes. “We don’t expect Tox to be the last malware to embrace this model,” he says. “We also anticipate more skilled development and variations in encryption and evasion techniques.”