According to research by Avast Threat Labs, the creators of the Petya and Mischa ransomware are using sophisticated techniques to market their products. The “malware brothers” work together to encrypt disks and files, forcing victims to pay a high ransom to the attackers.
The coders created a whole new brand for Petya and Mischa, along with an affiliate program. The latter lets even less tech-savvy people distribute the malware.
Malware has changed from a “hobby” into a business opportunity over the past few years. Gangs of cybercriminals sell updated and sophisticated malicious software on the dark net.
The authors behind Mischa and Petya call themselves Janus Cybercrime Solutions. They want to market their products properly in order to raise awareness and increase sales. Because the malware business is thriving, coders need the best marketing techniques to stay in business.
Since there are thousands of cybercriminals selling their own malware on the dark web, Janus chose to establish a brand. For example, they picked red as their color, and when a computer becomes infected, victims see a skull that blinks every second, inverting the colors.
The image above shows instructions on how to pay the ransom. However, there is a flaw in the system. When infected by Petya, you have to type a decryption code into the ransomware’s Tor site to purchase your key. Since the message appears at the boot stage, before Windows is launched, it is impossible to copy and paste the code. This makes the victims’ job even harder.
Sometimes companies rebrand their products to change their image. Janus did the same, changing their color from red to green. The authors created separate logos for their business and for each of their two products. They use green as the color, Cyrillic characters and the infamous hammer and sickle. The last two hint at the malware’s country of origin.
Affiliate marketing is a technique in which a company rewards other parties for successfully marketing its products, which mostly results in new customers. Janus has its own affiliate program. They created a simple web interface where affiliates can view the latest infections, set ransom prices, recrypt their binaries, and generate bitcoin addresses and keys for the payment system. Compared to other ransomware creators, Janus’ payment system seems quite professional. They keep their business running by taking a percentage of the affiliates’ profits. For example, if you earn 125 BTC with Petya, Janus will give you 85 percent of the profit, which is over $60,000.
“Cybercrime is now similar to drug dealing in real life. You don’t need to be a chemist to deal drugs; you can become a dealer by joining a gang. Hackers used to code their own malware, but now you don’t need to know how to code malware to distribute it,” said Michal Salat, Director of Threat Intelligence. “You can just buy it from the darknet and deal it.”
Based on discussions on Janus’ sites, Avast researchers suspect the affiliates are spreading the malware within the companies they work for.
As most companies know, one of the best places for marketing is social media. Janus is on Twitter promoting their products, and they even comment on security experts’ statements.
Avast gives these instructions to remain safe from ransomware:
“Not opening any suspicious attachments (e.g. zipped .js, .wsf or .vbs files)
Disabling Microsoft Office macros by default and never enabling macros in strange/unknown attachments that you receive via email
Keeping recent backup copies of important data in a secure place, either online or offline
Ensuring that your system and applications are fully updated and patched”