Vigilante wishes to highlight a threat actor or threat actor group on an exclusive Russian-language Dark Web forum that is currently advertising the Ransomware-as-a-Service (RaaS) known as “Smaug”. Although this type service is not entirely new, the Smaug RaaS platform is a particularly attractive option for lower-tier or unskilled cyber criminals to enter the Ransomware threat space, increasing the proliferation of debilitating ransomware attacks. Access to and use of the Smaug platform requires a one-time payment of .2 BTC (~$1,900 USD), and an additional 20% of any ransoms collected through the platform.

The Smaug ransomware platform removes the need for a highly skilled toolset usually necessary to infect a victim machine or network through its easy-to-use online panel. Would-be attackers can customize ransomware attacks/payloads for the victims of their choosing.

  • They need only select a few options – regular mode (one decryption key per machine), company mode (network infection with one decryption key), the custom ransom message, ransom amount, and the operating system of the victim; the platform does the rest and spits out a payload ready to deploy against the victim(s).
  • Users of Smaug sign in to a dashboard (Figure 1) which enables easy tracking of campaigns, payments, and even victim interactions and activity with the platform (having paid the ransom or not).

The threat actor or group behind this RaaS is advertising from a newly-created forum account established on 17 May 2019—a common practice within these communities to lessen the likelihood of attribution or criminal prosecution by linking activities across more well-known and active threat actor profiles. The creators of Smaug RaaS have the most to gain from enabling such a large number of actors to commit ransomware attacks, while they sit back, provide customer service, and collect their 20% ransom fee.

  • Additionally, Smaug enables insider attacks on systems that would otherwise not be so vulnerable to ransomware attacks (such as air gaped systems and larger more protected organizations), since many active or soon-to-be threat actors have access to such systems, giving them the opportunity to deploy these malicious payloads.

Interestingly, the actor or group follows an established rule of most Russian Dark Web forums in their declaration to “ban all infecting of CIS countries”—Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan. The actor(s) that wrote the post, however, appear the possess at least fluent, if not native, command of the English language. This is based on preliminary linguistic analysis. Vigilante’s analysis of the Smaug RaaS is ongoing.

                                                                                                     Figure 1: Smaug User DashboardDashboard                                                                                                      Figure 2: Smaug Campaign Creation