The Dark Web And The $40 Ransom

Technology Design Associates Cyber Security

The DARK Web

Many of you have heard the CEDIA Tech Council Cybersecurity Podcast where I referred to and briefly discussed the Dark Web. For those of you who have not, you can catch it here.

The “dark web” is a part of the world wide web that requires special software to access. Once inside, websites and other services can be accessed through a browser in much the same way as the normal web.

However, some sites are effectively “hidden”, in that they have not been indexed by a search engine and can only be accessed if you know the address of the site. Special markets also operate within the dark web called, “darknet markets”, which mainly sell illegal products like drugs and firearms, paid for in the cryptocurrency Bitcoin.

While it is effectively impossible to measure, and hard to put estimates on, the size of the deep web because the majority of the information is hidden or locked inside databases, early estimates suggested that the deep web is 400 to 550 times larger than the world wide web we experience as the Internet. So we truly only see the tip of the iceberg.



According to the experts at Bleeping Computer, Luc1F3R started selling the Halloware ransomware this week (12/5/2017) through a dedicated portal on the Dark Web. Luc1F3R claims to be a 17-year-old college student from Northeast India. Whatever happened to selling plasma or collecting aluminum cans for beer money?

“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube,” reported Bleeping Computer.

“The sites are offering a lifetime license for the Halloware ransomware for only $40.”

The low price made the researchers suspicious, so they investigated the case, suspecting a scam.

Operational mistakes in the websites used by Luc1F3R to sell the ransomware allowed the expert from Bleeping Computer to track down a web page where Luc1F3R was hosting the index of Halloware files. The page included weaponized documents used to deliver the malware.

One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.

Another file named seems to be Halloware’s source code.

“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users.” continues the analysis from Bleeping Computer.

How it works

The researchers highlighted that Halloware is a working ransomware that encrypts files using a hardcoded AES-256 key and prepends the “(Lucifer)” string to encrypted file names. For example, once encrypted, image.png will become (Lucifer)image.png.

Once the Halloware ransomware has completed the encryption process, it pops up a window showing a creepy clown with a ransom message containing the instructions to pay the ransom and decrypt the data. The victim’s desktop wallpaper also displays a similar message, but experts noticed that Halloware ransomware does not drop text files with ransom notes on the infected PCs.
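Because Halloware drops no ransom-note text files, the “(Lucifer)” filename prefix is the on-disk marker a responder can search for. The following triage sketch is an added example, not code from this article or from Bleeping Computer; the function names, status labels and the small file-signature table are assumptions made for illustration, and the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

MARKER = "(Lucifer)"  # filename prefix the article says Halloware prepends

# Well-known leading bytes for a few common file types (illustrative subset).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def triage(root):
    """Return one finding per file under root whose name starts with MARKER.

    status is 'content-altered' when the header no longer matches the
    original extension, 'renamed-only' when it still does, and 'unknown'
    when the extension is not in MAGIC.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.startswith(MARKER) or name == MARKER:
                continue
            original = name[len(MARKER):]  # name to restore after recovery
            expected = MAGIC.get(Path(original).suffix.lower())
            status = "unknown"
            if expected is not None:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(len(expected))
                status = "renamed-only" if head == expected else "content-altered"
            findings.append({"path": os.path.join(dirpath, name),
                             "original_name": original, "status": status})
    return findings

def demo():
    """Build a small constructed tree (no real malware) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "docs")
        docs.mkdir()
        Path(root, "image.png").write_bytes(MAGIC[".png"] + b"untouched")
        Path(root, "(Lucifer)photo.png").write_bytes(b"\x13\x37" * 8)  # scrambled
        Path(docs, "(Lucifer)report.pdf").write_bytes(b"%PDF-1.7 intact")
        Path(docs, "(Lucifer)notes.txt").write_bytes(b"\x00\x01\x02")
        return {f["original_name"]: f["status"] for f in triage(root)}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

A 'content-altered' result is consistent with the file having been encrypted; 'renamed-only' points to a file that carries the prefix but still has its normal header and deserves a manual look.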

Wannabe criminals that buy the ransomware can generate their own install by changing two images and adding their customized payment site URL.

Anyway, the experts noticed that the ransomware uses a hardcoded AES key and does not save any information on a remote server. This characteristic makes the malware not useful for the criminal underground.

According to Bleeping Computer, Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.

Some of the video tutorials include Luc1F3R’s GitHub account, which hosts four malware strains:

  • A Batch-based ransomware.
  • A Windows keylogger.
  • A Linux keylogger.
  • A bulk spoofed email sender.

Further details, including Indicators of compromise (IoCs), are available on the Bleeping Computer website.


Well, if an unskilled college student can create and distribute this for beer money, then anybody can make or use ransomware like this and sell it for beer money on the Dark Web… The barrier to entry is now so low that anyone can build or buy attack software, and given that the authorities cannot effectively restrict or enforce protections against this, we should all be concerned.

We need to take our network and data protection into our own hands, and take it very seriously, now. While no network or computer system is unhackable, we can make our networks and systems harder targets by implementing enterprise-level best practices.