{
	"id": "c86a6bde-8aa1-4188-9876-4e9d04d7c0d5",
	"created_at": "2026-04-06T00:15:23.846632Z",
	"updated_at": "2026-04-10T03:21:58.053436Z",
	"deleted_at": null,
	"sha1_hash": "7e75d41d9a54fa0f3d8efd7f17b93fea0c74243b",
	"title": "Multi-Platform SMAUG RaaS Aims To See Off Competitors - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3731582,
	"plain_text": "Multi-Platform SMAUG RaaS Aims To See Off Competitors -\r\nSentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-09-03 · Archived: 2026-04-05 17:55:05 UTC\r\nA few years ago public RaaS (Ransomware as a Service) offerings were plentiful. SATAN, Nemesis, Petya,\r\nRaaSberry, Shark, Data Keeper…the list goes on. However, the trend, especially in the last year, has been for\r\nthese services to become increasingly exclusive. NEMTY Revenue \u0026 Zeppelin are two prime examples of this.\r\nStill, every now and then we stumble across a fully public service. It gets even more interesting when that service\r\noffers a “seamless” experience across OS platforms. Ransomware families with full feature parity across\r\nWindows, Linux and macOS do not pop up all that often, which brings us to today’s topic: the SMAUG RaaS\r\n(Ransomware as a Service) offering.\r\nSMAUG’s Differentiators\r\nThe SMAUG RaaS emerged towards the end of April 2020, and seems to have gained some traction in the\r\nfollowing months. SMAUG appears to be a robust and full-service RaaS, with a few tweaks that set it apart from\r\nthe others.\r\nCriminals who wish to become SMAUG “distributors” will likely be used to the offerings associated with this\r\ntype of service. The SMAUG operators currently charge a 20% service fee. However, there is also a registration\r\nfee which is quite steep when compared to other “fully-public” services. The current registration fee is .2 BTC,\r\naround $1800 USD at today’s prices.\r\nThere are some possible exceptions to getting around the registration fee. 
On some forums where SMAUG is\r\nadvertising, the developers state that free memberships (owing only the service fees) will be given to the first five\r\ncustomers with a certain number of posts, and the ability to prove their past work (attacks).\r\nhttps://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/\r\nPage 1 of 8\n\nPerhaps the most interesting differentiators are multi-platform support (all 64-bit) and the inclusion of a\r\n“Company Mode”, which allows for a single key to apply to an entire body of infected ‘hosts’ (aka a targeted\r\ncompany). If the victim chooses to comply with the attackers, then a single key can be used to decrypt\r\n(theoretically) all the encrypted hosts in that environment.\r\nSMAUG also has offline capabilities, meaning that the payload does not require any network connectivity\r\nin order to execute and encrypt.\r\nSMAUG is designed to evade traditional AV products. Along with crypting/obfuscation, the payloads have been\r\ndeveloped to have as small a footprint as possible.\r\nIt should be noted that SMAUG does not appear to include a native crypting/packing feature. Consequently, the\r\ndevelopers advise attackers to further obfuscate their payloads. They note the following within the Campaign\r\nconfiguration options of the SMAUG management interface: “Even though the payload is stealthy it is\r\nrecommended to use crypting service to ensure the payload is undetectable by antivirus solutions.”\r\nThe operators advertise a fully automated payment system, as well as highly customizable campaigns. This allows\r\nattackers to streamline and organize multiple campaigns within the management interface.\r\nMost RaaS operators offer a high level of “support” for their affiliates, and this one is no different. 
SMAUG offers\r\nfull support for both their customers and victims.\r\nCustomizable Malware, But Mind Your Targets\r\nIn SMAUG’s service advertisements, they state “Infecting CIS is forbidden and will result in a ban”. In this\r\ncontext, CIS is the ‘Commonwealth of Independent States’ aka the group of independent countries that were once\r\npart of the Soviet Union.\r\nCampaigns created by SMAUG are, as stated, fully customizable, allowing attackers to set their desired price\r\n(BTC), deadline/timing constraints, as well as the actual ransom note’s message.\r\nSMAUG-generated malware is designed to execute extremely fast. They tout this as follows:\r\n“The payload utilizes multi-threaded native code which ensures the encryption is done before your victims can\r\nreact to it.”\r\nPayloads are generated directly in SMAUG’s web-based management interface. While many RaaS offerings\r\nprovide their own offline builder, this can often complicate the process, and lead to issues for the aspiring\r\nattackers. SMAUG works around this with their “simple web UI”. Victims are able to submit a single file for\r\ndecryption for free. Beyond that, they must comply with the ransom demands as set in the campaign.\r\nIndividual files are encrypted via AES-256. An RSA-2048 public key is used to encrypt the AES encryption key.\r\nGo Payloads\r\nThe SMAUG payloads for Windows are obfuscated Go binaries. With that in mind, these payloads begin to bear a\r\nresemblance to other similar Ransomware services (ex: Project Root).\r\nUpon launch the malware will drop a copy of itself into a local driver directory, such as:\r\nC:\\Windows\\SysWOW64\\drivers\r\nC:\\Windows\\System32\\drivers\r\nThe malware will then attempt to establish persistence via the LoadAppInit_DLLs key in the registry. 
For example,\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs\r\nThe SMAUG payloads contain additional functionality to gather system information and stored browser\r\ncredentials. Encryption is achieved via simple AES-256, again similar to Project Root and other Go-based\r\nransomware services. Upon encryption, affected files will have a lengthy extension added (e.g., 11bdd939-1d45-421c-9be0-0addcdc8181c)\r\nA ransom note is deposited in all directories containing encrypted files. In our analyzed example, the dropped\r\nransom note was simply named “HACKED.TXT” with the following contents:\r\n“Your files have been encrypted using military grade encryption. They can never be accessed again without\r\nbuying a decryption key. You can buy the decryption key at http://[redacted].onion. To access the site you need Tor\r\nBrowser.\r\nto view site you can download torbrowser here – https://www.torproject.org/download/\r\nneed help?support [redacted]@secmail.pro”\r\nVictims are instructed, via the ransom note, to visit SMAUG’s onion-based portal for payment instructions and\r\nprocessing.\r\nOddly enough, SMAUG appears to have one of the most “helpful” payment (aka extortion) portals we have seen.\r\nTheir walkthroughs (for both victims and affiliates) are very thorough.\r\nConclusion\r\nProtecting your environment against threats like SMAUG is more critical than ever. In order to prevent loss of\r\ndata and the consequences of a large-scale data breach, organizations must rely on a modern, well-maintained,\r\nproperly tuned, and trusted security solution. Prevention is key with these attacks. 
Even in the event that the\r\nencryption/data-loss can be mitigated through decryptors, backups or rollbacks, victims still face the problem of\r\ntheir data being posted publicly. We encourage security teams to analyze and understand the threats and to take\r\nswift and appropriate action to prevent incidents from occurring in the first place.\r\nIndicators of Compromise\r\nSHA1\r\n929b10f78565660535a07917d144d00b0c117571\r\nSHA256\r\nF2363a355fe226cb2f7f1afa72daecc5edfe1cb0edc1295856fb3f874d941b6d\r\nMITRE ATT\u0026CK\r\nData Encrypted for Impact T1486\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547\r\nExfiltration Over C2 Channel T1041\r\nObfuscated Files or Information T1027\r\nCredentials from Password Stores T1555\r\nCredentials from Password Stores: Credentials from Web Browsers T1555.003\r\nInhibit System Recovery T1490\r\nSource: https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/"
	],
	"report_names": [
		"multi-platform-smaug-raas-aims-to-see-off-competitors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e75d41d9a54fa0f3d8efd7f17b93fea0c74243b.pdf",
		"text": "https://archive.orkl.eu/7e75d41d9a54fa0f3d8efd7f17b93fea0c74243b.txt",
		"img": "https://archive.orkl.eu/7e75d41d9a54fa0f3d8efd7f17b93fea0c74243b.jpg"
	}
}