Cheap, Independently Produced ‘Junk Gun’ Ransomware Infiltrates the Dark Web, Sophos Finds
April 17, 2024 - 6:30AM
Sophos, a global leader in innovative security solutions that
defeat cyberattacks, today released a new report titled “‘Junk
Gun’ Ransomware: Peashooters Can Still Pack a Punch,” which offers
new insights into an emergent threat in the ransomware landscape.
Since June 2023, Sophos X-Ops has discovered 19 ‘junk gun’
ransomware variants (cheap, independently produced and crudely
constructed ransomware) on the dark web. The developers of these
junk gun variants are attempting to disrupt the traditional
affiliate-based ransomware-as-a-service (RaaS) model that has
dominated the ransomware racket for nearly a decade. Instead of
selling ransomware to affiliates, or buying into a RaaS operation
as one, attackers are creating and selling unsophisticated
ransomware variants for a one-time cost, which other attackers
sometimes see as an opportunity to target small and medium-sized
businesses (SMBs), and even individuals.
“For the past year or two, ransomware has reached a kind of
homeostasis. It’s still one of the most pervasive and serious
threats for businesses, but our most recent Active Adversary report
found that the number of attacks has stabilized, and the RaaS
racket has remained the go-to operating model for most major
ransomware groups. Over the past two months, however, some of the
biggest players in the ransomware ecosystem have disappeared or
shut down, and, in the past, we’ve also seen ransomware affiliates
vent their anger over the profit-sharing scheme of RaaS. Nothing
within the cybercrime world stays static forever, and these cheap
versions of off-the-shelf ransomware may be the next evolution in
the ransomware ecosystem—especially for lower-skilled cyber
attackers simply looking to make a profit rather than a name for
themselves,” said Christopher Budd, director, threat research,
Sophos.
As noted in the Sophos report, the median price for these
junk gun ransomware variants on the dark web was $375,
significantly cheaper than some kits for RaaS affiliates, which can
cost more than $1,000. The report indicates that cyber attackers
have deployed four of these variants in attacks. While the
capabilities of junk gun ransomware vary widely, the biggest
selling points of these variants are that they require little or no
supporting infrastructure to operate, and that their users aren’t
obligated to share their profits with the creators.
Junk gun ransomware discussions are taking place primarily on
English-speaking dark web forums aimed at lower-tier criminals,
rather than on the well-established Russian-speaking forums
frequented by prominent attacker groups. These new variants offer
an attractive way for newer cybercriminals to get started in the
ransomware world, and, alongside the advertisements for these cheap
ransomware variants, there are numerous posts requesting advice and
tutorials on how to get started.
“These types of ransomware variants aren’t going to command the
million-dollar ransoms like Clop and LockBit, but they can indeed be
effective against SMBs, and for many attackers beginning their
‘careers,’ that’s enough. While the phenomenon of junk gun
ransomware is still relatively new, we’ve already seen posts from
their creators about their ambitions to scale their operations, and
we’ve seen multiple posts from others talking about creating their
own ransomware variants.
“More concerningly, this new ransomware threat poses a unique
challenge for defenders. Because attackers are using these variants
against SMBs and the ransom demands are small, most attacks are
likely to go undetected and unreported. That leaves an intelligence
gap for defenders, one the security community will have to fill,”
said Budd.
To learn more about junk gun ransomware and the latest change in
the ransomware ecosystem, read “‘Junk Gun’ Ransomware: Peashooters
Can Still Pack a Punch” on Sophos.com.
Learn More About How the Ransomware Landscape Has Changed in the Past Six Months
- The rise of remote encryption among ransomware groups
- The LockBit takedown
- Ransomware attackers leveraging the media to increase pressure
on their victims
- Recent LockBit attacks taking advantage of the new
ScreenConnect vulnerabilities
- Ransomware attackers targeting managed service providers (MSPs)
in the 2024 Sophos Threat Report: Cybercrime on Main Street
Learn More About
- The latest techniques, tactics and procedures (TTPs) of cyber
attackers in the Active Adversary Report for 1H 2024
- The role of unpatched vulnerabilities in ransomware
attacks
- Sophos X-Ops and its groundbreaking threat research by
subscribing to the Sophos X-Ops blogs
About Sophos
Sophos is a global leader and
innovator of advanced security solutions that defeat cyberattacks,
including Managed Detection and Response (MDR) and incident
response services and a broad portfolio of endpoint, network,
email, and cloud security technologies. As one of the largest
pure-play cybersecurity providers, Sophos defends more than 600,000
organizations and more than 100 million users worldwide from active
adversaries, ransomware, phishing, malware, and more. Sophos’
services and products connect through the Sophos Central
management console and are powered by Sophos X-Ops, the
company’s cross-domain threat intelligence unit. Sophos X-Ops
intelligence optimizes the entire Sophos Adaptive Cybersecurity
Ecosystem, which includes a centralized data lake that leverages a
rich set of open APIs available to customers, partners, developers,
and other cybersecurity and information technology vendors. Sophos
provides cybersecurity-as-a-service to organizations needing fully
managed security solutions. Customers can also manage their
cybersecurity directly with Sophos’ security operations platform or
use a hybrid approach by supplementing their in-house teams with
Sophos’ services, including threat hunting and remediation. Sophos
sells through reseller partners and managed service providers
(MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More
information is available at www.sophos.com.
Contact
Sam Powers
Sophos@walkersands.com