
Smaug Ransomware

Posted: August 12, 2020

The Smaug Ransomware is a file-locking Trojan family that operates as a Ransomware-as-a-Service. Because threat actors can create campaigns through an easy-to-use website interface, the family members may use very different exploits for circulation or target different victim demographics. However, users can spare their files with backups and have anti-malware services to remove the Smaug Ransomware variants.

Just a Simple, Little Dragon

With a name taken from the dragon antagonist of Tolkien's famous work, the Smaug Ransomware has a strong brand to live up to while offering its services. Unfortunately, it differs little from the other Ransomware-as-a-Service operations it so closely resembles, except for supporting an unusually broad set of environments. Because it is written with minimalist simplicity, the Smaug Ransomware runs on Windows, Linux and macOS operating systems.

After a promotional effort on a Russian Dark Web forum, the Smaug Ransomware sells its services through a Tor-anonymized website. Unlike some Ransomware-as-a-Service operations, the Smaug Ransomware requires an upfront payment as well as a percentage of any ransoms. Its campaign creation interface is entirely website-driven and easy to use, with customization options such as targeting businesses or individuals and setting a date on which the unlocking (decryption) key is destroyed. Most significantly, malware researchers and others in the industry verify that the Smaug Ransomware is compatible with the previously-listed OSes, unlike its competitors, which tend to be Windows-only.

The Smaug Ransomware, which is written in Go (Golang), has very few features. It encrypts files of dozens of formats (including pictures, documents, spreadsheets, backups and archives) on the infected PC with AES in CBC mode. The threat actor holds a per-campaign RSA key for unlocking or decrypting these files, which is the ransom's supposed purpose. For delivering its ransom note, the Smaug Ransomware uses a Notepad text file whose contents are partially copied from other Trojans' campaigns.

Because of that same simplicity (the Smaug Ransomware is only about three hundred lines of code), the Trojan has few 'bells and whistles.' It doesn't change files' names, swap the desktop wallpaper, terminate other programs, or even delete Restore Points.
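Because the Trojan leaves file names untouched, a defender cannot spot its activity by looking for a new extension; the encrypted-in-place files still look like documents by name. The added example below (not code from the page or from the Trojan) flags such files by checking that a file's magic number no longer matches its extension and that its first block is near-random, as AES-CBC output is. The MAGIC table, the 7.5 bits/byte threshold and the constructed sample directory are assumptions for illustration.

```python
import math
import os
import tempfile

# Leading bytes ("magic numbers") for formats the page lists as targets.
# Assumption: extend this table for the file types in your environment.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; AES-CBC output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """True when the name claims a known format but the body no longer does."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False  # no baseline for this extension
    with open(path, "rb") as f:
        head = f.read(4096)
    # Both signals required: entropy alone would flag clean PNG/DOCX, which
    # are already compressed; a header mismatch alone would flag truncation.
    return not head.startswith(magic) and shannon_entropy(head) >= threshold

def scan(directory: str) -> list:
    """Sorted paths under directory that appear to be encrypted in place."""
    hits = []
    for root, _, files in os.walk(directory):
        hits += [os.path.join(root, n) for n in files
                 if looks_encrypted(os.path.join(root, n))]
    return sorted(hits)

def make_sample_dir() -> str:
    """Constructed fixture: clean PDF, clean PNG, and a PDF whose body was
    replaced by random bytes (a stand-in for ciphertext, name unchanged)."""
    d = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"clean text " * 300,
        "photo.png": MAGIC[".png"] + os.urandom(4000),
        "invoice.pdf": os.urandom(4096),
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d
```

Running `scan()` over a backup or file share on a schedule gives an early signal of in-place encryption that extension-based rules would miss.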

Taming a Dragon's Fire with Backup Preparation

Unusually, users with Restore Points can recover their work from them without worrying about the Smaug Ransomware deleting them. Since most of the file-locking Trojans that malware experts see will delete the Shadow Volume Copies, users should also invest in other backups, such as a cloud service. The Smaug Ransomware is uniquely well-positioned for targeting users on multiple OSes and has no Internet connectivity dependencies in its payload.

The Ransomware-as-a-Service model behind the Smaug Ransomware makes its possible distribution methods extremely numerous. Some of the currently-popular choices that malware experts see in use for this class of Trojans include Exploit Kits that use browser software vulnerabilities against Web surfers, disguised e-mail attachments and illicit torrents. Commonwealth of Independent States nations are not offered as potential targets, possibly as a compliance measure between the Smaug Ransomware's business and popular Dark Web forums.

Early detection rates for samples of the Smaug Ransomware are less than optimal. Users can help improve the odds by installing security software updates as they become available and providing file samples to reputable researchers. Having anti-malware services in place remains a victim's best hope of averting attacks or disinfecting their computers.

An evil dragon for hire is a bad situation for anyone set in its rampaging sights. The fact that the Smaug Ransomware is code, rather than scales and teeth, modernizes the story while keeping the peril intact.
