SSI EXP PDT – Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service

Authored by: Joakim Kennedy and Rory Gould

Anomali ThreatStream customers can find Indicators of Compromise (IOCs), signatures, and more information about this threat here.


Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims.