
Research Article
Ransomware as a Service: Demystifying Android Ransomware Generators
@INPROCEEDINGS{10.1007/978-3-031-64954-7_22,
  author={Can Tu and Liu Wang and Yang Xu and Yiping Zhao and Haitao Xu and Haoyu Wang},
  title={Ransomware as a Service: Demystifying Android Ransomware Generators},
  proceedings={Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2024},
  month={10},
  keywords={Ransomware, Ransomware generator, Ransomware as a Service, Android malware},
  doi={10.1007/978-3-031-64954-7_22}
}
- Can Tu
- Liu Wang
- Yang Xu
- Yiping Zhao
- Haitao Xu
- Haoyu Wang
Year: 2024
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-031-64954-7_22
Abstract
Ransomware has become a pervasive and lucrative threat on the Android platform, prompting the emergence of the Ransomware as a Service (RaaS) business model. Ransomware generators, as an outgrowth of this model, have been found to be readily available on the web. This has further fueled the proliferation of ransomware attacks by enabling individuals without programming skills to participate in the ransomware economy. Although the nuisance of ransomware generators has been mentioned in a few security reports, our community lacks an understanding of the characteristics of these Android ransomware generators. In this paper, we take the first step towards systematically studying Android ransomware generators. We analyze the RaaS business model from multiple perspectives, including the generators' behaviors, practices, generated apps, and ecosystem. We observe that deceptive tactics exist in some so-called ransomware generator apps, such as malware masquerading and developer spoofing. For the generated ransomware, we reveal their common locking mechanisms and a variety of unlocking mechanisms. We also provide an overview of the ecosystem by revealing the participating entities, propagation channels, and workflow. Our findings advance our understanding of Android ransomware generators and their associated risks, and inform the development of effective countermeasures and strategies to combat ransomware threats.