Industry Insights with Christopher Budd

Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

Lowest-Rung Attackers Challenging Ransomware-as-a-Service

Christopher Budd on the Rise of Junk Gun Ransomware Variants
Lowest-Rung Attackers Challenging Ransomware-as-a-Service

Since June 2023, Sophos X-Ops has discovered 19 junk gun ransomware variants on the dark web. Developers of these cheap, independently produced and crudely constructed variants are attempting to disrupt the traditional affiliate-based RaaS model that has dominated the ransomware racket for nearly a decade.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

Instead of selling or buying ransomware to or as an affiliate, attackers are creating and selling unsophisticated ransomware variants for a one-time cost - which can be seen as an opportunity to target small and medium-sized businesses, or SMBs.

For the past year or two, ransomware has reached homeostasis. It’s still one of the most pervasive and serious threats for businesses, but Sophos' recent Active Adversary Report shows that the number of attacks has stabilized, and the RaaS racket has remained the go-to operating model for most major ransomware groups. Over the past two months, however, some of the biggest players in the ransomware ecosystem have disappeared or shut down.

Nothing within the cybercrime world stays static forever, and cheap versions of off-the-shelf ransomware may be the next evolution in the ransomware ecosystem - especially for lower-skilled cyber attackers simply looking to make a profit rather than a name for themselves.

The median price for junk gun ransomware variants on the dark web is US$375, significantly cheaper than RaaS kits, which can cost more than US$1,000. While the capabilities of junk gun ransomware vary widely, their biggest selling points are that the ransomware requires little or no supporting infrastructure to operate, and the users aren't obligated to share their profits with the creators - a common grievance among criminals.

Junk gun ransomware discussions on the dark web are taking place primarily on English-speaking forums aimed at lower-tier criminals, rather than well-established Russian-speaking forums frequented by prominent attacker groups. These new variants offer an attractive way for newer cybercriminals to get started in the ransomware world, and alongside the advertisements for these cheap ransomware variant, are numerous posts requesting advice and tutorials on how to get started.

These types of ransomware variants aren’t going to command million-dollar ransoms like Clop and LockBit, but they can be effective against SMBs, and for many attackers beginning their "careers," that's enough. While the phenomenon of junk gun ransomware is still relatively new, we've already seen posts from their creators about their ambitions to scale their operations, and we've seen multiple posts from others talking about creating their own ransomware variants.

More concerningly, this new ransomware threat poses a unique challenge for defenders because attackers are using these variants against SMBs and, as the ransom demands are small, most attacks are likely to go unreported. That leaves an intelligence gap for defenders, which the security community will have to fill.

To learn more, see the Sophos report on "Junk gun" Ransomware.

About the Author

Christopher Budd

Christopher Budd

Director, Sophos X-Ops

Budd is the director of threat research for Sophos X-Ops - Sophos' advanced threat response joint task force founded two years ago. Leading the X-Ops comms and analysis group of X-Ops, he works to bring together insights from the company's six different security domains to produce industry-leading threat intelligence.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.