The authors of a new ransomware-as-a-service (RaaS) are marketing their platform on the dark web as a “great security tool.”
Bleeping Computer first received a tip about the ransomware, known as FrozrLock, from security researcher David Montenegro. With the help of Jakub Kroustek from AVG Avast, the site tracked the ransomware to infections dating back as early as 16 April. Many of those first instances of FrozrLock point to Russia and arrived on users’ PCs via a downloader called “Contract_432732593256.js.”
Taking a look at the platform’s dark web advertisement, Bleeping Computer determined that the ransomware is written in C#, deletes the installer upon successful infection, doesn’t alter file file extensions, and uses unique keys for each encrypted file. These properties embody a file-encrypting ransomware that poses a threat to users everywhere. But that’s not how FrozrLock’s authors have framed it.
Just check out the message at the top of the ransomware’s homepage:
“FILE FROZR is a great security tool that encrypts most of your files in several minutes. All that you earn yours, you pay once for a license. all further inspections are free. [sic]”
A “great security tool”? Are you kidding me?!
Well, I suppose it’s a nice utility for wannabe computer criminals. For a mere $220, bad actors can buy a license to FILE FROZR, which displays the name FrozrLock after they complete their purchase. Affiliates can then use the dashboard to customize their ransomware campaigns, including choosing a decrypter with one of three operation modes.
Here’s what a typical ransom message for FrozrLock looks like:
You have 48 hours to make your payment. Do not close the program, do not turn your PC off unless you want to lose your data. Reload this page after the payment has been done. It may take from 15 minutes to 3 hours to confirm the BTC payment. Take your time! You will see a different BTC wallet address every time you refresh the page until the transaction has been confirmed. You do not need to pay twice. Just reload the page a bit later until you finally get your MasterKey. You may use any device to open this page for all data is stored remotely. When you download your MasterKey to the encrypted device the decryption process will start automatically. Decryption may take a few hours. Just wait patiently until you see the corresponding notihcation on your screen.
You can scan QR code for easy payment
Unlike the ransom notes of other RaaS platforms like Petya/Mischa and DetoxCrypto, the message for FrozrLock instructs victims to “take your time” and “just wait patiently.”
Why? Because those spreading the ransomware don’t want victims not receiving their decrypted files if they’ve paid. Such an outcome would be bad for business, as future victims would have less incentive to pay the ransom if there were cases in which victims didn’t regain access to their decrypted data.
Victims have enormous power when it comes to shaping the success of ransomware. With that in mind, users should back up their data regularly to prevent an unexpected file-encrypter from getting the best of them. That way, they’ll always have their data and won’t have to pay if FrozrLock or another ransomware family tries to extort them.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “A ‘great security tool’ that encrypts files? Think again! It’s ransomware”
Dirty and greedy scammers always out there looking for low fruit to pick. The FROZR scam is sneaky! Caveat emptor….buyer beware!!