The Dark Web And The $40 Ransomware Hack

The Halloware ransomware is a new malware offered for sale on the dark web; its author, who goes by the moniker Luc1F3R, is selling it for just $40.



Many of you have heard the CEDIA Tech Council Cybersecurity Podcast where I referred to and briefly discussed the Dark Web. For those of you who have not, you can catch it here.

The “dark web” is a part of the world wide web that requires special software to access. Once inside, websites and other services can be accessed through a browser in much the same way as the normal web.

However, some sites are effectively “hidden”, in that they have not been indexed by a search engine and can only be accessed if you know the address of the site. Special markets called “darknet markets” also operate within the dark web; they mainly sell illegal products like drugs and firearms, paid for in the cryptocurrency Bitcoin.

The Dark Web is a subset of the Deep Web. The Deep Web is anything on the Internet not indexed by search engines, while the Dark Web is the small portion of the Deep Web that has been intentionally hidden and is inaccessible through standard web browsers.

Because the majority of the information is hidden or locked inside databases, the size of the deep web is effectively impossible to measure, and any estimate is rough. Early estimates suggested that the deep web is 400 to 550 times larger than the world wide web we experience as the Internet, so we truly only see the tip of the iceberg.


According to the experts at Bleeping Computer, Luc1F3R started selling the Halloware this week through a dedicated portal on the Dark Web. Luc1F3R claims to be a 17-year-old college student from Northeast India. Whatever happened to selling plasma or collecting aluminum cans for beer money?

“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube,” reported Bleeping Computer.

“The sites are offering a lifetime license for the Halloware ransomware for only $40.”

The low price has made the researchers suspicious, so they decided to investigate the case suspecting a scam.

Operational mistakes in the websites Luc1F3R used to sell the ransomware allowed the experts from Bleeping Computer to track down a web page where Luc1F3R was hosting an index of Halloware files. The page included weaponized documents used to deliver the malware.

One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.

Another file named seems to be Halloware’s source code.

“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users,” continues the analysis from Bleeping Computer.

The researchers highlighted that Halloware is a working ransomware that encrypts files using a hardcoded AES-256 key and prepends the “(Lucifer)” string to encrypted file names. For example, once encrypted, a file named image.png will appear as (Lucifer)image.png.

Once the Halloware ransomware has completed the encryption process, it pops up a window showing a creepy clown with a ransom message containing instructions to pay the ransom and decrypt the data. The victim’s desktop wallpaper also displays a similar message, but experts noticed that Halloware does not drop text files with ransom notes on the infected PCs.

Wannabe criminals who buy the ransomware can generate their own installer by changing two images and adding their customized payment site URL.

The experts also noticed that the ransomware uses a hardcoded AES key and does not send any information to a remote server. Together these characteristics make the malware of little use to the criminal underground, since the same key unlocks every victim’s files once it is extracted.
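As an added, constructed illustration (not code from the Bleeping Computer analysis or from this post), the following Python routine detects the “(Lucifer)” rename pattern described above in file-rename audit events and maps encrypted names back to their originals for a restore list. The audit-line format, the sample events and the alert threshold are assumptions made up for this example.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Halloware prepends this string to the file name of every file it encrypts (per the write-up).
LUCIFER_PREFIX = "(Lucifer)"

# Constructed sample file-rename audit lines in a made-up format: "<ISO time> rename <old> -> <new>".
SAMPLE_EVENTS = [
    "2017-11-30T10:00:01 rename C:\\Users\\bob\\Pictures\\image.png -> C:\\Users\\bob\\Pictures\\(Lucifer)image.png",
    "2017-11-30T10:00:02 rename C:\\Users\\bob\\Docs\\budget.xlsx -> C:\\Users\\bob\\Docs\\(Lucifer)budget.xlsx",
    "2017-11-30T10:00:02 rename C:\\Users\\bob\\Docs\\notes.txt -> C:\\Users\\bob\\Docs\\notes-old.txt",
    "2017-11-30T10:00:03 rename C:\\Users\\bob\\Docs\\report.docx -> C:\\Users\\bob\\Docs\\(Lucifer)report.docx",
    "2017-11-30T10:30:00 rename C:\\Users\\bob\\Music\\song.mp3 -> C:\\Users\\bob\\Music\\(Lucifer)song.mp3",
]

EVENT_RE = re.compile(r"^(\S+) rename (.+?) -> (.+)$")

def parse_event(line):
    """Return (timestamp, old_path, new_path), or None for a line that does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def is_halloware_rename(old_path, new_path):
    """True when the file stayed in its directory and only gained the (Lucifer) prefix."""
    same_dir = ntpath.dirname(old_path) == ntpath.dirname(new_path)
    return same_dir and ntpath.basename(new_path) == LUCIFER_PREFIX + ntpath.basename(old_path)

def original_name(path):
    """Map an encrypted name back to the original so a restore-from-backup list can be built."""
    base = ntpath.basename(path)
    if not base.startswith(LUCIFER_PREFIX):
        return path
    return ntpath.join(ntpath.dirname(path), base[len(LUCIFER_PREFIX):])

def detect_halloware(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (first_timestamp, original_paths) for each sliding window that reaches `threshold` hits."""
    hits = [e for e in map(parse_event, lines) if e and is_halloware_rename(e[1], e[2])]
    alerts, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 == threshold:  # fire once, at the moment the threshold is crossed
            alerts.append((hits[start][0], [h[1] for h in hits[start:end + 1]]))
    return alerts
```

Running `detect_halloware(SAMPLE_EVENTS)` on the constructed events raises one alert for the three renames at 10:00 and ignores both the unrelated rename and the lone hit half an hour later.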

According to Bleeping Computer, Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.

Some of the video tutorials link to Luc1F3R’s GitHub account, which hosts four malware strains:

  • A Batch-based ransomware.
  • A Windows keylogger.
  • A Linux keylogger.
  • A bulk spoofed email sender.

Further details, including Indicators of Compromise (IoCs), are available on the Bleeping Computer website.


Well, if an unskilled college student can create and distribute this for beer money, then anybody can make or use ransomware like this and sell it on the Dark Web. The barrier to entry is now so low that anyone can build or buy attack software, and given that the authorities cannot effectively restrict or enforce protections against this, we should all be concerned.

We need to take our network and data protection into our own hands, and take it very seriously, now. While no network or computer system is unhackable, we can make our networks and systems harder targets by implementing enterprise-level best practices. Contact FIREFX today to discuss the next steps in protecting your networks and data.

CUJO vs. The FIREFX Network Guardian: What You Need To Know

Over the last few weeks, several of our dealers have been asking us to lay out a direct comparison of the CUJO security appliance vs. our Network Guardian. In the Army, we have an acronym I love to use: "Give me the BLUF" (Bottom Line Up Front). When time is of the essence, this is really the best way to communicate important ideas and information. We know you do not have much time to waste, so here is the BLUF on the CUJO vs. the FIREFX Network Guardian in a head-to-head comparison.

In this comparison we will reference CUJO's stated specs and two independent CUJO product reviews, which we link to below for your benefit.

First off, we will show a side by side comparison of specifications and features.

[Image: Direct comparison of CUJO and FIREFX Network Guardian hardware]

So as you can see, the Network Guardian has twice the number of processor cores, running at twice the speed of the CUJO's, and four times the RAM, which is why it performed at over double the tested throughput with full protection enabled. The Network Guardian also has double the Ethernet ports, allowing traffic to be separated through VLANs for greater security. In the Army we have another saying we use in the field: "Two is one and one is none", or as we would say in Texas, "Bigger is better". We design all of our products with this in mind, over-engineering for today so our product will continue to perform under the demands of tomorrow.

In addition to these hardware drawbacks, CUJO requires a separate firewall/router to be installed in front of it, as described in the Small Net Builder review:

"In home networks with only a single network device, usually a Wi-Fi router connected to the Internet, this can be challenging. The CUJO firewall does not connect directly to the Internet; it needs a router in front of it."

[Image: CUJO vs. FIREFX Network Guardian feature comparison]
That's nice, but what does all this mean to me? Here is a breakdown of the feature differences.

  1. Protects more than 50 devices: While 50 devices seems like a lot today, we need to be building a network for the future. As clients continue to add BYOD (Bring Your Own Device) products to our networks, and more devices become TCP/IP compliant/dependent, a 50-device limit will become an issue. Because of our superior hardware standards, the Network Guardian can easily support numbers of devices in the high hundreds to low thousands.
  2. VPN Server: Bottom line, you need a VPN server to remotely access all of your client sites, and your clients need it to access all of their sites/applications securely. The days of port forwarding devices through the firewall must end. The Network Guardian comes with a pre-configured VPN server complete with two-factor authentication and user accounts. Just change your user password, export a certificate, and begin secured connections!
  3. Parental controls: Through VLAN separation, the Network Guardian allows for secure parental control (i.e. blocking content and scheduling access times). During setup, our remote technicians can log in and help you configure this as desired.
  4. IPSEC tunneling: The FIREFX Network Guardian is a real, enterprise grade firewall/router capable of advanced configurations such as IPSEC static tunneling between sites (i.e. office and home).
  5. Remote access dealer support: As part of your support, FIREFX network engineers act as your digital concierge, assisting in tier one support and basic configurations during and after setup.
  6. GeoBlocking: The FIREFX Network Guardian blocks all unsolicited connection attempts from outside the US by default. Dropping these packets based on their origin, without inspecting them, greatly reduces load on the firewall and limits the effectiveness of DoS attacks on your networks.
  7. Customizable ProAV Command & Control rule sets: In our industry, we have a lot of automated traffic that the typical home network does not see. Much of this traffic can be misconstrued as malicious traffic and is often blocked by a typical IDPS (Intrusion Detection Prevention System). The FIREFX Network Guardian comes with a custom set of ProAV rules and can be modified for new custom rules as needed by the integrator or with the assistance of our digital concierge support.
  8. Anti-Virus & Anti-Malware: While cloud-based anti-virus and anti-malware is a good addition to network security, it is not the be-all and end-all. As the Tech Radar review states, "Despite some overblown claims on the CUJO website, the device can't replace your antivirus, and you'll probably need to keep the same security software you're using now." We could not agree more. As for devices that do not run anti-virus or anti-malware software, such as printers, TVs, light bulbs, etc., we have built a special "protected" IoT VLAN just for them, which is designed to prevent malicious code from ever infecting them.
  9. VLAN separation with IDPS protection: The FIREFX Network Guardian uses enterprise level security based on VLAN separation with IDPS protection both at the firewall and behind it. We know from experience that most hacks originate behind the firewall on a compromised PC, tablet, or smartphone. By separating and protecting that traffic from all of your security, control, environmental, media, and lighting systems, you can confidently contain any security breaches that may happen to those end user devices.
  10. Separate WiFi VLAN protection schemes: By offering multiple WiFi SSIDs associated with protected VLANs, you can split your IoT devices from your home users, restricted guest users, and protected kids' wireless traffic. The Network Guardian comes with IoT, guest, home user, and kids protected VLANs pre-configured.
  11. 24/7 status remote monitoring: FIREFX can monitor the status of all active firewalls remotely and does so as part of our standard support package. This can assist you in troubleshooting any issues in the field.
  12. Recurring revenue plan for dealers: FIREFX helps dealers set up a recurring revenue plan around network security which is a real pain point and value add to both the customer and the dealer.
  13. Generous margins on MSRP: The Network Guardian is a professional grade enterprise class product designed specifically for the ProAV market. We offer generous margins on wholesale for a quality product with excellent support.
  14. MSRP pricing not made public: You won't find FIREFX products listed on Amazon, Newegg, CDW or other dealer sites. This prevents end users from shopping your cost.
  15. Designed and supported by military trained cyber-security experts and ProAV techs: The Network Guardian is the only network security appliance designed by people from the ProAV marketplace with military cyber-security training. The result is a professional security appliance tailored to the environments you work in.
  16. Pre-configured for rapid and easy setup: We know that time = money in business. That is why we pre-configure the Network Guardian to work right out of the box. Multiple VLANs, an active IDPS system, secure DNS, GeoBlocking, firewall rules, DHCP servers, and a VPN server are among our many pre-configured settings.

To be fair, the CUJO is a very good idea. But in reality, network security is not as simple as plugging in a device and walking away. The CUJO appliance is probably good for a technical DIY install on a small network. For the ProAV market, the CUJO is not a good fit.

Here are the links to the two independent reviews of CUJO.

Small Net Builder

Tech Radar

Interested in becoming a dealer and finding out more? Follow this link now!

FIREFX Dealer Quick Application