What Ransomware Virus is Sold on The Darknet Marketplaces?


Ransomware-as-a-Service (RaaS) has been rapidly developing on darknet since the rise of WannaCry in 2017. Nowadays, vendors operating on major dark web marketplaces provide RaaS to people, who lack programming skills but want to earn money from hacking. That’s why I studied DNMs to find out what ransomware virus is sold and how much it costs.

Modern Ransomware Virus

Sodinokibi/REvil Ransomware 

Sodinokibi a.k.a. REvil accounted for only 3.50% of all ransomware submissions recorded in Q1 2020. According to the report by a reputed company, Sodinokibi was the most moneymaking ransomware in Q4 2019. The median payment demanded by malware’s operators amounted to $41,198. For the first half of 2020, Sodinokibi attackers earned at least $81 million. REvil’s high profitability is partly attributed to the fact that antiviruses Baidu, Kingsoft, TotalDefense, Avast and Trapminedon’t detect it.

Due to its popularity, Sodinokibi is the most expensive ransomware virus vended on the darknet. The malware is listed only on the White House Market (WHM) and costs $2,000. The dealer has disclosed that he sells Sodinokibi v.1.2 updated on January 23 2020.


Ransomware 2020 + Tutorial 

One of WHM’s vendors is promoting ransomware developed in 2020. He refused to specify the malware’s ID but said that it’s a file crypter, which employs AES algorithm. After the data is encrypted, the malware creates a text file on the desktop with a ransom demand and sends the unique encryption key to the attacker’s server. Files can be decrypted in a decrypter program with keys generated on victims’ computers. 

The dealer asks $49 for the ransomware virus and the tutorial on how to use and spread it. He claims that the Trojan is 100% undetectable but fails to provide the results of the analysis to prove it. I believe the vendor attempts to sell out-of-date ransomware under the guise of the latest fully undetectable malware.


KingLocker is ransomware created in Python. It encrypts data using keys downloaded from a server control panel and opens a webpage with a ransom note. KingLocker source code was uploaded to the Raid forum in June 2020. Virus Total tested the link to KingLocker in July and ascertained that the file isn’t infected. KingLocker’s price on WHM is relatively low – 99 EUR. However, you can download it from the file-sharing service Mega for free.


Modular Malware

The Complete and Utter Blackmail Bitcoin Ransomware 

This malware includes a custom-built ransomware source code and a cryptocurrency stealer. If used as ransomware, the Trojan encrypts files on HDD and asks for a ransom. In addition, it can be configured to work as a typical Bitcoin (BTC) stealer, which modifies BTC addresses copied to clipboard. In case a victim doesn’t check the address after copy-pasting it, coins will be sent to the hacker’s wallet.

The malware is priced $10 on WHM and 8.50 EUR on the Versus market by the same vendor. He did not provide the stealer’s and the ransomware’s IDs that’s why their efficacy is unknown. However, due to low cost, I guess it’s a clone of an outdated malware.

LimeRAT Source Code 

LimeRAT is a remote administration tool, which can be used to: 

  • Encrypt files on HDD and USB to get a ransom; 
  • Secretly mine Monero
  • Steal data on crypto wallets; 
  • Launch DDoS attack; 
  • Log the keys struck on a keyboard; 
  • Lock the screen.

LimeRAT is sold on White House Market (WHM) for 89 EUR, but the same malware is priced 3.39 EUR on Versus and 3.99 EUR– on the Cypher market. LimeRAT is a simple yet powerful trojan suitable for entry-level programmers.


DiamondFox is a multifunctional malware, which consists of: 

  • Password stealer; 
  • Cookie grabber; 
  • Botkiller; 
  • Video recorder; 
  • Ransomware; 
  • Crypto and files stealer; 
  • Bot.

The malware works with all Windows versions starting from XP and in both architecture – x86 and x64. It goes with a management panel for setting tasks and configurations. DiamondFox costs $1,000 and is sold only on WHM.

Ransomware Kits

Ransomware Pack 

I found a ransomware package comprised of 9 trojans: 

  1. SkiddyScreenLocker; 
  2. NxRansomware; 
  3. HiddenTear; 
  4. MyLittleRansomware; 
  5. Jigsaw Ransomware; 
  6. EDA2 Ransomware; 
  7. CryptoLocker; 
  8. Andr0id L0cker; 
  9. Atom/Shark Ransomware.

NxRansomware, HiddenTear and MyLittleRansomware are Open Source projects published on GitHub. SkiddyScreenLocker, Jigsaw Ransomware, EDA2 Ransomware, CryptoLocker and Shark Ransomware are outdated malware. However, Andr0id L0cker is the only mobile ransomware virus listed on DNMs, thus making the kit distinctive. The package costs 15 EUR on WHM and $15 – on DarkMarket.

Several dealers vend 5- and 6-pieces ransomware packs priced $6-36. The malware’s IDs aren’t stated that’s why I have nothing to say about them.


Outdated Ransomware Virus


In 2017, Windows released patches fixing EternalBlue exploit, which WannaCry used to install the backdoor tool DoublePulsar. Hence, the ransomware virus is no longer able to install and execute its copy, and I don’t see a reason why anyone should buy this malware from any dark web markets. Nevertheless, WHM vendors sell it for $50 and $150, on DarkMarket and Cypher, it costs $150.


Also Read:
Top 12 Massive Data Breaches In This Decade
How to Choose the Right Dark Web Vendors

Disclaimer: Read the complete disclaimer here.



Please enter your comment!
Please enter your name here