Cheap, Independently Produced ‘Junk Gun’ Ransomware Infiltrates the Dark Web, Sophos Finds
Sophos, a global leader of innovative security
solutions that defeat cyberattacks, released a new report titled, “’Junk Gun’
Ransomware: Peashooters Can Still Pack a Punch,” which offers new
insights into an emergent threat in the ransomware landscape. Since June 2023,
Sophos X-Ops has discovered 19 ‘junk gun’ ransomware variants—cheap,
independently produced and crudely constructed ransomware variants—on the dark
web. The developers of these junk gun variants are attempting to disrupt the
traditional affiliate-based ransomware-as-a-service
(RaaS) model that has dominated the ransomware racket for nearly a
decade. Instead of selling ransomware to affiliates or buying it as an
affiliate, attackers are creating and selling unsophisticated ransomware
variants for a one-time cost—which other attackers sometimes see as an
opportunity to target small and medium-sized businesses (SMBs), and even
individuals.
“For the past year or two, ransomware has reached a
kind of homeostasis. It’s still one of the most pervasive and serious
threats for businesses, but our most recent Active
Adversary report found that the number of attacks has
stabilized, and the RaaS racket has remained the go-to operating model for most
major ransomware groups. Over the past two months, however, some of the biggest
players in the ransomware ecosystem have disappeared or shut down, and,
in the past, we’ve also seen ransomware affiliates vent their anger over the
profit-sharing scheme of RaaS. Nothing within the cybercrime world stays static
forever, and these cheap versions of off-the-shelf ransomware may be the next
evolution in the ransomware ecosystem—especially for lower-skilled cyber
attackers simply looking to make a profit rather than a name for themselves,”
said Christopher Budd, director, threat research, Sophos.
As noted in the Sophos report, the median price for
these junk-gun ransomware variants on the dark web was $375, significantly
cheaper than some kits for RaaS affiliates, which can cost more than $1,000.
The report indicates that cyber attackers have deployed four of these variants
in attacks. While the capabilities of junk-gun ransomware vary widely, their
biggest selling points are that the ransomware requires little or no supporting
infrastructure to operate, and the users aren’t obligated to share their
profits with the creators.
Junk gun ransomware discussions are taking place
primarily on English-speaking dark web forums aimed at lower-tier criminals,
rather than well-established Russian-speaking forums frequented by prominent
attacker groups. These new variants offer an attractive way for newer
cybercriminals to get started in the ransomware world, and, alongside the
advertisements for these cheap ransomware variants, are numerous posts
requesting advice and tutorials on how to get started.
“These types of ransomware variants aren’t going to
command the million-dollar ransoms like Clop and Lockbit, but
they can indeed be effective against SMBs, and for many attackers beginning
their ‘careers,’ that’s enough. While the phenomenon of junk gun ransomware is
still relatively new, we’ve already seen posts from their creators about their
ambitions to scale their operations, and we’ve seen multiple posts from others
talking about creating their own ransomware variants.
“What is more concerning is that this new ransomware
threat poses a unique challenge for defenders. Because attackers are using
these variants against SMBs and the ransom demands are small, most attacks are
likely to go undetected and unreported. That leaves an intelligence gap for
defenders, one the security community will have to fill,” said Budd.