Ransomware-as-a-Service: Rampant in the Underground Black Market

By Rommel Joven | February 16, 2017

Given the popularity and success of ransomware, it is no surprise that malware authors have been developing more ransomware than ever before. Last year’s cost of ransomware attacks reached $1 billion, which shows not only how much this affects businesses, but also how lucrative the potential pay-out for cyber-extortion can be for cybercriminals.

The rise of ransomware infections may also be attributed to the attractiveness and growing availability of Ransomware-as-a-Service (RaaS). Ransomware authors are now developing user-friendly front ends for their malware and posting advertisements on underground forums that promote their ransomware product and its features. This service promises fledgling cyber criminals that they can make money through cyber-extortion without needing the expertise to create their own malware. Each offering also includes some gimmick to make the product more enticing, such as franchise-like opportunities, profit sharing, or unique features to avoid detection or increase success.

To give you a better idea of the scope of this growing problem, let’s take a look at Ransomware-as-a-Service offerings seen in hacking forums and underground markets and check their features and prices.

HOSTMAN Ransomware

Price: Basic – USD 9.95 (Limited use), Big – USD 49.95 (Unlimited use)

Posted just this January, this ad claims that besides file encryption, this RaaS offering also has worm capabilities, which is not common for ransomware. Ransomware with this capability is more dangerous since it will result in more infected users. Hostman Ransomware also advertises that it can be customized for buyers, including the demanded ransom price, bitcoin address, targeted files, and other features.

While the ad includes a disclaimer that this product is “for educational use only,” it also provides an estimate on how much a cybercriminal can make, which directly conflicts with the disclaimer.

FLUX Ransomware

Price: Build – USD 45.00, Source code – USD 150.00

Another ransomware ad posted this January includes an offline file encryption feature. One advantage of offline file encryption is that it doesn’t generate any network noise, so the malicious activity looks less suspicious. The drawback, however, is that victims infected with the Flux Ransomware will likely all use the same decryptor or private key, which can be shared between victims, resulting in less profit from the ransom.

Like most RaaS ads, Flux also includes a disclaimer that it is to be used for “educational use only,” but it then displays a scan report from AV products and boasts that it is not detected, which implies that it is intended to be distributed and used.

Ransomware Affiliate Network

Price: FREE

Profits: 25/75 split (25% ransomware author, 75% affiliate)

For 100,000+ installations per month: 15/85 split (15% ransomware author, 85% affiliate)

This ransomware is offered for free, but it provides payouts from successful ransom exploits on a commission basis.

This ad has no other gimmicks, and is presented with a straight-to-the-point statement, “we are coders, not a spammers.” They are looking for affiliates experienced in spreading malware. The ransomware supports multiple languages, including Russian, English, German, and Chinese.

This ransomware developer means big business, providing profit incentives for cybercrime entrepreneurs who achieve over 100,000 installations in a month. 

This developer also mentions that they are developing future ransomware offerings for MacOS and Android.

Ransomware Similar to Locky

Price: FREE

Profits: 20/80 split (20% ransomware developer, 80% affiliate)

Lastly, there is a fully functional ransomware that uses file encryption similar to that of well-known ransomware like Locky. It uses both RSA and AES algorithms, and requires an internet connection to retrieve the RSA public key from its C&C. As of now, files encrypted with this kind of setup cannot be decrypted for free.

While receiving a one-time payment for a deployed ransomware may have been lucrative enough for some, this new affiliate program approach is designed to maximize returns in the long run. The acceptance of anonymous and untraceable cryptocurrency has also helped ransomware authors charge nothing up front, while potentially earning more on the back end by splitting ransoms with an army of entrepreneurial affiliates.

With the increasing number of developers offering Ransomware-as-a-Service, there are more than enough ransomware options available for cyber criminals looking to extort money from victims. The growing accessibility of Ransomware-as-a-Service now enables anyone to run a cybercrime business, as all they have to do is distribute the ransomware.

To address the challenge of ransomware, security solutions need to share threat intelligence and respond efficiently to threats anywhere across your distributed environment, especially as your networked environment evolves and expands.

The FortiGuard team will continue to monitor developments in the ransomware landscape, and provide information and solutions through technology updates and reports posted here and in other forums as it becomes available.


-= FortiGuard Lion Team =-