Over the past few years, one of the most threatening trends in the cybercrime space has been the introduction of RaaS (ransomware-as-a-service), in which ransomware is rented on underground forums. Unfortunately, there has been a new RaaS in
One prominent cybersecurity professional reported that the ransomware was first noticed on Exploit.in, a popular underground cybercrime forum. More interesting still, it was advertised as GandCrab Ransomware, one of the most powerful and widespread ransomware families out there.
Afterward, another cybersecurity analyst discovered that the name of the ransomware was updated to Jokeroo RaaS from just “RaaS.” Following this change, there was a major change in the promotional materials of the Jokeroo Ransomware. They revealed on Twitter that they were not associated with the GandCrab Ransomware.
Generally, RaaS offerings do not require a prospective client to buy a membership. This is clearly not the case with Jokeroo. It has been reported that an interested party has to pay for a membership package to become an affiliate. The pricing of these packages varies.
If an affiliate pays $90 USD, they have to give 15% of the received payments to Jokeroo’s team. If an affiliate instead pays in the $300-600 range, they keep the complete revenue from their ransomware attack. Moreover, these members can also make use of Salsa20 encryption, a powerful encryption technique. Other “perks” include the ability to choose from multiple variants of the ransomware and to change the payment mechanism to a different cryptocurrency.
The ransomware researchers also showed an image of the dashboard that the Jokeroo Ransomware provides to its affiliates. The dashboard showed a total of 923 infections, which had encrypted around 24307 files. Moreover, 7.13 bitcoins had so far been received from the clients. The image also showed 491 encryption keys and 3 messages in the inbox.
Affiliates also had the option to inspect each victim in detail, including geographic location, operating system version, and even IP address. Affiliates were also given some flexibility: they could modify and update the contents of their ransom note according to their preferences.