Goliath ransomware is now for sale on the dark web, but some of its features – not to mention those of the malware website – don’t make any sense.
Lawrence Abrams of BleepingComputer explains that the website, entitled “Hall of Ransom,” is split up into four pages.
The first is a homepage riddled with cringe-worthy spelling and grammar mistakes. It reads:
“Who are us? We are a programmer team. We hack programming viruses to develop them. Our goal is to promote the software ergonomics and make them more efficient. We also operate the flaws of this software to develop the recovery. And of course we sell all upgrades.”
The second and third webpages are where the site owner lists their malicious wares. At this time, the site currently has only two ransomware solutions for sale: Locky and Goliath.
First discovered back in February, Locky is a crypto-ransomware variant notorious for having infected the computer network of the Hollywood Presbyterian Medical Center.
The site is offering Locky for $3,000. Strangely enough, the site also offers a USB-key that removes the ransomware from an infected computer. That solution costs $1,200 – roughly 10 times Locky’s ransom demand ($250).
As for Goliath, the ransomware is thought to derive its code from Locky. But that doesn’t mean the crypto-malware is put together well… or even exists.
As Abrams observes:
“Some of its feature just do not make sense, such as the need for a high end GPU card, unless they are introducing a cryptocoin mining feature. I and others have searched high and low for a sample of the Goliath ransomware, and if it exists, it is in almost non-existent distribution.”
The final page of the website provides some contact details for the site owner.
Overall pretty strange, right? That’s not even the weirdest part.
When Abrams took a look at the Hall of Ransom’s source code, he found something even more peculiar:
“When examining the source code I saw that the meta description tag had the content as Jigsaw, which is also the name of a ransomware released in April.”
Jigsaw has earned quite a reputation for deleting users’ files after encrypting them. In recent weeks, the ransomware has since rebranded itself as “Crypto Hitman” and adopted a pornographic lock screen.
“When Jigsaw was released it had an almost amateurish feel as it was easily decrypted and highly destructive. The fact that we have a ransomware using the name Jigsaw and now a ransomware TOR site also called Jigsaw is too strong a coincidence.”
It is a distinct possibility the same amateur malware developer who first developed Jigsaw subsequently set up Hall of Ransom. With that in mind, we can only hope many unsuspecting computer criminals will make use of this site and ultimately purchase a broken ransomware solution.
In the worst case, they’ll waste their money. In the best case, they’ll end up behind bars.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.