Jokeroo Ransomware As A Service (RaaS) Pulls an Exit Scam. Since May 7th, 2019, the Tor sites for the Jokeroo Ransomware As A Service (RaaS) have started displaying a notice stating that their server was seized by the Royal Thai Police in conjunction with the Dutch National Police and Europol. It turns out that this notice is fake and the RaaS is performing an exit scam.
An exit scam is when a business, criminal or otherwise, pretends to have lost access to any funds or goods due to being hacked, seized by the government, or other problem. They then tell their clients that they have no way of reimbursing them or providing their paid-for services, while quietly sneaking away with the stolen money or goods.
Exit scams are being more common as law enforcement increases pressure on illegal activities on Tor and criminal sites. Just recently, dark web marketplaces for illegal goods have tried to conduct exit scams to make off with seller’s money.
When we first saw the seized notice on Jokeroo’s Tor servers, we quickly grew suspicious as the notice was missing words, had unusual wording, and was more descriptive regarding why the site was seized than you normally see.
The full text of this notice can be read below:
THIS HIDDEN HAS BEEN SEIZED
by the Royal Thai Police in conjunction with the Dutch National Police and Europol
What have you done?
The police investigation focus on the criminal activities of Jokeroo and the people behind Jokeroo. Jokeroo uses the Dutch (digital) infrastructure to provide services to criminals by renting out servers from which criminal activities can be deployed such as sending spam messages and causing RANSOMWARE attacks,
The takedown of Jokeroo is a coordinated effort by law enforcement agencies from Thailand and The Netherlands, Europol.
When law enforcement contacted to confirm if the notice was real, “Europol confirmed that they were not involved in the case.”
The Jokeroo Ransomware was a RaaS where affiliates could buy into different level of packages ranging from $90 to $600. Depending on the purchased package, affiliates would receive a greater revenue share of ransom payments and more feature in the ransomware.
Jokeroo never achieved wide distribution, but samples were detected in the wild. For example, one sample discovered by Avast researcher Jakub Kroustek impersonated the GandCrab Ransomware.
Well, well, well… what do we have here? This looks like a modification of unpacked #GandCrab with version 5.3, but with #Jokeroo RaaS debug messages “Jokeroo, new ransom”, “We rulez!!”. False flag? https://t.co/PVaD9Zy0iL. #ransomware #falseflag @CryptoInsane @BleepinComputer pic.twitter.com/vwmmA7Ryf9
— Jakub Kroustek (@JakubKroustek) April 19, 2019
As the purchase price included lifetime access, in addition to this exit scam being used to steal money, it may also be used to get out of supporting a ransomware service that is not making much money for the developers.
ATM hacking has gotten so easy, the malware’s a game(Opens in a new browser tab)
Cloudflare expands government warrant canaries in transparency bid(Opens in a new browser tab)
Machine learning algorithms explained(Opens in a new browser tab)
IBM: Cybercriminals are moving on from ransomware to cryptojacking(Opens in a new browser tab)
B0r0nt0K Ransomware Wants $75,000 Ransom, Infects Linux Servers(Opens in a new browser tab)
RobbinHood ransomware takes down Baltimore City government networks(Opens in a new browser tab)
Increase User Engagement & Why It Matters for SEO(Opens in a new browser tab)
Hackers breached 3 US antivirus companies, researchers reveal(Opens in a new browser tab)
Ransomware attack forces Baltimore government to go manual(Opens in a new browser tab)
$25 Raspberry Pi add-on gets you started with edge computing AI(Opens in a new browser tab)
Freedom Mobile hit by data breach,15,000 customers affected(Opens in a new browser tab)
How to make Windows 10 look and feel like Windows 7(Opens in a new browser tab)
Tesla’s software lead is so big it should worry other automakers, AI expert says(Opens in a new browser tab)
Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims(Opens in a new browser tab)