Hacker Advertises ‘Crappy’ Ransomware on Instagram

An unknown hacker who is likely to be from a “lower-tier” ransomware group used the social media app to entice potential customers.
Image: Motherboard
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

A hacker—or perhaps a wannabe hacker—is advertising ransomware on Instagram, showing that the type of malware is so popular everyone is trying to get in on it, and trying to get customers everywhere on the internet.

On Monday, the malware research group vx-underground published a redacted screenshot of the advertisement on Twitter.

The founder of the group shared the original screenshot with Motherboard. The hacker’s Instagram account has more than 20,000 followers. As of this writing, the ad is gone from the account’s Stories, which instead include a shot of—presumably—the hacker driving a BMW and holding what appears to be a joint in his hand, which does not look like it’s lit. 


After Motherboard reached out to the hacker via Instagram, the hacker deleted the account. The hacker did respond via Telegram, saying the malware isn’t theirs. When we asked whose it was, they deleted the whole chat history.  

The ad includes a link to Checkzilla, a malware repository. The website shows the alleged malware file is not detected by several antivirus programs. While the ad suggests the malware is good because of that, there is no way to know that’s the actual ransomware and not a benign file uploaded to the site.

In fact, according to Allan Liska, a researcher at cybersecurity firm Recorded Future who tracks ransomware, it’s very likely the malware is “crappy” and the Checkzilla results shouldn’t be taken too seriously.

Screen Shot 2022-06-13 at 10.39.49 AM.png

Usually, ransomware groups advertise their malware on hacking forums, some public and some private. But some groups, such as Philadelphia Ransomware, have advertised on social media like YouTube, and others have used Twitter, and Facebook, according to Liska. 

“These are almost lower tier ransomware groups that cannot gain any traction in the usual places,” Liska told Motherboard in an online chat. “Which means anyone who does take them up on their offer is likely stuck with crappy ransomware.”

Do you have information about ransomware gangs or ransomware incidents? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email


Brett Callow, a researcher at Emsisoft who tracks ransomware, agreed.

“It’s not at all surprising to see very low-level scammers attempting to sell ‘ransomware' on Instagram. What would be more surprising is if the ‘ransomware' actually did what it’s supposed to do,” he told Motherboard in an email.

It’s unclear if the original post was taken down by Instagram or simply disappeared after 24 hours as Instagram Stories do.

Instagram told Motherboard that the hacker’s post is not an ad as defined by the company, but a Story post, and that ads cannot promote illegal products. But the company did not respond to questions as to how it moderates posts like the hacker’s.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.