It was a textbook and criminal - software as a service: Grant access to a software kit that makes it easy to lock up the hard drives on victims' PCs, then skim 20% of the take from those who actually use the kit to extort payments.
The scheme experienced meteoric growth in just days, but once it became public knowledge its architect couldn't stand the threat of legal problems and is now backing off which wasn't the original plan at all.
"Plan A was to stay quiet and hidden," the coder wrote yesterday on the Tox malware site buried deep behind the onion router (Tor) network. But Plan A was overturned by researchers at Intel Security who found the site and wrote about it just four days after it was set up.
"It's been funny, I felt alive, more than ever, but I don't want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I'm not a team of hard core hackers. I'm just a teenager student." The message is signed "Tox".
Still, Tox wants to fulfill his/her commitment to the customers who downloaded the malware and still hope to cash in on the illegal profits. "I'm asking my users to be patient," Tox writes, "I'm not going to scam you. In a few days I'll ask you a bitcoin address in the case somebody pays some of your ransoms. I'll forward you your part."
Tox is also trying to sell the entire criminal enterprise, but if there are no takers, plans to shut it down entirely. "If nobody's going to buy the database, in one month I'm releasing the keys, and victims will have their files automatically unlocked."
The Tox kit makes it simple to run a ransomware scam. The malware encrypts victim's machines, demands payment in bitcoins for the decryption keys, explains to victims how to pay with bitcoins, collects the ransom, sends the decryption keys, siphons off Tox's 20% and deposits the rest in the bitcoin account of the franchisee.
Criminals using the service have to find their own ways to compromise the machines they infect with Tox.
The kit is pretty good at hiding from security platforms, blogs Jim Walter, director of advanced threat research for Intel Security. "Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware's targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this," he writes.
Despite that, he doesn't give the software high marks for technical elegance. "Although easy to use and functional, the malware appears to lack complexity and efficiency within the code," Walter writes.
Sign up for Computerworld eNewsletters.