Smaug Ransomware

The Smaug Ransomware is a Ransomware-as-a-Service (RaaS) platform that allows threat actors to create tailored harmful campaigns through a Dark Web Onion website. Malware researchers have found out that at least two actors operate the site as the level of English proficiency differs across the posts on the platform. To use the service, clients must contact the operators at smaug-ransomware@protonmail.com, pay a registration fee of 0.2 BTC (ca. 1,900 USD) upon registration, followed by a subsequent service fee of 20%.

The general features of the Smaug Ransomware show that it can be configured to attack Windows, Mac, and Linus platforms, including the 64bit OS versions. The malware has a comparably simple design; it creates a unique encryption key for each machine, can run entirely offline, and the encrypted files only can be decrypted with the threat actors’ private key. Files selected for encryption are encrypted with the AES algorithm, while the file containing the ransom note is named “HACKED.txt.”

Unlike other similar threats, the Smaug Ransomware cannot stop running processes. Also, this ransomware does not delete backups or the Shadow Volume Copies on Windows, making it possible for the victims to recover their hijacked data. So far, only two samples of the Smaug Ransomware have been analyzed, and this RaaS does not seem to get much traction on the Dark Web. An interesting feature is that the Smaug Ransomware prohibits attacks against Commonwealth of Independent States (CIS) countries.