I recently analyzed a new ransomware family, BlackShades, which left me scratching my head as to why the author was leaving digital evidence of who they actually are…
BlackShades is ransomware that currently demands $30 USD to decrypt the files it encrypts. It has been seen targeting computers in Russia and the US.
One of the mistakes the author made was accepting ransom payments via PayPal. PayPal can directly tie an account to the individual's bank account, and can identify the person behind the screen based on the personally identifiable information it holds.
When you create an account with PayPal, they ask for some personally identifiable information, such as your name and where you live. However, that information can easily be faked. I created an account for “Bob Jones”, added some fake details, and was soon granted access to Paypal.com.
However, this only gets me so far. If I want to transfer money out of PayPal, I need to tell them where the money should go, which in this case means providing my bank account details. That information can also be traced back to the owner of the account.
As if this weren’t a bad enough design choice, the author also hosted the decrypter service on a US-based hosting provider, HostWinds. Under US law, it would be very easy for law enforcement to obtain a warrant compelling HostWinds to give access to the server, including who is connecting to it and other logs.
It also seems that the author of this ransomware is taunting security researchers. While this is nothing we haven’t seen before, it does make researchers want to put a bit more time and effort into not only disrupting the attack, but also attributing it to a specific person. The idiom “don’t stir up the hornets’ nest” applies here.
Lastly, the poor Russian translation and the poorly written English instructions suggest that the author is a native speaker of neither Russian nor English. It seems they used an online translation service to produce the instructions explaining how to pay them to decrypt the files.
If you’d like more information about BlackShades, you can read a well-written write-up by Lawrence Abrams on Bleeping Computer.