Nathan Tanthavong | August 13th, 2020

Smaug Ransomware

SaaS, PaaS, IaaS, well what about RaaS? RaaS stands for Ransomware-as-a-Serivce. Threat Actors can employ a RaaS provider to gain access to their ransomware infrastructure. Smaug Ransomware, one of the latest strains of ransomware, is taking advantage of the RaaS model.

Threat Actors can use Smaug’s infrastructure via a Dark Web Onion site to download a payload with a customized ransom message, ransom price, and payment deadline. Once they deploy the payload to their target, the statistics can be viewed through Smaug’s dashboard. Feautures include how many hosts were infected, if the victim has visited the page, and whether or not the ransom was paid.

If a ransom is paid, it is deposited into a Bitcoin wallet owned by Smaug. Smaug keeps 20% of the ransom as a service fee and the Threat Actor can withdraw the rest. This, along with a 0.2 Bitcoin registration fee, is the price to use Smaug’s services.

“Smaug is a RaaS that makes it easy for threat actors to use ransomware to achieve objectives. The ransomware can run on all the three major operating systems that opens up the potential for broader targeting.” -Anomali Threat Research

The easy use of Smaug is what makes it a large threat to companies. Making ransomware attacks easier to perform will put it in the arsenal of many less skilled Threat Actors that would otherwise not have the technical aptitude to build and manage ransomware. A disgruntled employee with no technical background could simply hire Smaug and download the payload to begin encrypting their company’s environment.

Ransomware is already very attractive to Threat Actors because the potential payout is huge, and with services like Smaug, SpearTip believes the trend is only going to grow. An EDR tool such as SpearTip’s proprietary tool, ShadowSpear®, will ensure any applications that attempt to inject into a system’s memory, including ransomware payloads, will be prevented.


24/7 Breach Response: 833.997.7327