Jokeroo Ransomware As A Service (RaaS) Pulls an Exit Scam. Since May 7th, 2019, the Tor sites for the Jokeroo Ransomware As A Service (RaaS) have started displaying a notice stating that their server was seized by the Royal Thai Police in conjunction with the Dutch National Police and Europol. It turns out that this notice is fake and the RaaS is performing an exit scam.
An exit scam is when a business, criminal or otherwise, pretends to have lost access to any funds or goods due to being hacked, seized by the government, or other problem. They then tell their clients that they have no way of reimbursing them or providing their paid-for services, while quietly sneaking away with the stolen money or goods.
Exit scams are becoming more common as law enforcement increases pressure on illegal activities on Tor and criminal sites. Just recently, dark web marketplaces for illegal goods have tried to conduct exit scams to make off with sellers' money.
When we first saw the seized notice on Jokeroo’s Tor servers, we quickly grew suspicious as the notice was missing words, had unusual wording, and was more descriptive regarding why the site was seized than you normally see.
The full text of this notice can be read below:
THIS HIDDEN HAS BEEN SEIZED
by the Royal Thai Police in conjunction with the Dutch National Police and Europol
What have you done?
The police investigation focus on the criminal activities of Jokeroo and the people behind Jokeroo. Jokeroo uses the Dutch (digital) infrastructure to provide services to criminals by renting out servers from which criminal activities can be deployed such as sending spam messages and causing RANSOMWARE attacks,
The takedown of Jokeroo is a coordinated effort by law enforcement agencies from Thailand and The Netherlands, Europol.
When law enforcement was contacted to confirm whether the notice was real, “Europol confirmed that they were not involved in the case.”
The Jokeroo Ransomware was a RaaS where affiliates could buy into different levels of packages ranging from $90 to $600. Depending on the purchased package, affiliates would receive a greater revenue share of ransom payments and more features in the ransomware.
Jokeroo never achieved wide distribution, but samples were detected in the wild. For example, one sample discovered by Avast researcher Jakub Kroustek impersonated the GandCrab Ransomware.
As the purchase price included lifetime access, this exit scam may serve not only to steal money but also to get the developers out of supporting a ransomware service that is not making them much money.
Definition – What does Ransomware as a Service (RaaS) mean?
Ransomware as a service (RaaS) is an unusual type of software as a service (SaaS) provided as a vendor platform through the internet. Among the many kinds of software as a service provided by tech vendors, ransomware as a service is different as it represents an offering used by criminals to attack IT systems.
In a ransomware as a service situation, an unprincipled vendor offers hackers and malicious actors a platform tool for the purposes of using ransomware to hold computer files, information or systems hostage. Ransomware is a type of software that infects a computer to encrypt or lock down files or systems. Typically, the person using the ransomware then requests a financial ransom in order to return data access to the victim.
Most kinds of software as a service involve straightforward enterprise or user services such as the provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The unfortunate emergence of ransomware as a service means that hackers and black hat operatives are using the software as a service model to enable criminal enterprise. In other words, they can “order up” the ability to compromise a system and hold someone else’s data hostage. As with traditional ransoms, ransomware as a service users often take deliberate steps to make their behavior hard to track, including requesting payments that may be difficult to trace, such as bitcoin, couriered cash, or Western Union money transfers.