Wave of ransomware on the cheap: junk guns still okay for small targets

Researchers observe a flood of crude and amateurish ransomware. But it’s cheap, difficult to trace, and comes in many flavors. This spells trouble for small business owners and other individuals.

Researchers from Sophos X-Ops discovered multiple examples of independently produced, inexpensive, and crude ransomware sold on the dark web that they called “junk guns.” However, they still give an advantage to lower-skilled criminals.

Most cheap ransomware is sold as a one-time purchase rather than under the ransomware-as-a-service (RaaS) model typically offered by the most prominent gangs.

For just $20, an individual could buy ransomware called Kryptina for a single build (the complete source code would cost $800). Researchers noted that the Kryptina developer later released their ransomware for free after struggling to make sales.

Kryptina includes “a complete RAAS toolkit that you can deploy out-of-the-box,” developers advertised on the dark web. It offers “a clean web and console interface,” highly customizable payloads, rapid encryption/decryption, support for 32-bit and 64-bit systems, including Linux, and support for Monero and Bitcoin wallets, among many other features.

Researchers found at least 18 other ransomware variants, including Diablo, Evil Extractor, Yasmha, HardShield, Jigsaw, LoliCrypt, and CatLogs, priced from a few dozen dollars up to 0.5 BTC (approximately $33,000) for a variant called Ergon. Many junk-gun strains don’t even have a name.

“That 0.5 BTC price appears to be something of an outlier, however. The median average price across all varieties was $375, and the mode was $500. The mean average was $1,302, including Ergon, but $402.15 without. That’s notably cheap, given that some RaaS affiliates reportedly pay up to thousands of dollars for access to kits,” the Sophos X-Ops researchers said.

Individuals selling junk ransomware do not have the infrastructure, resources, or corporate-like hierarchies of a well-established ransomware group. There are no leak sites, initial access brokers, affiliates, multi-million-dollar ransom demands, or publicity stunts. Those black hats are not after high-profile targets. However, small businesses and individuals should not underestimate the danger they pose.

What can cheap ransomware do?

Junk gun wielders act independently, cheaply, and quite easily.

“Some individuals claimed to have used junk-gun ransomware in real-world attacks, completing the entire attack chain by themselves,” Sophos X-Ops warns. “Others advocated using it to attack small businesses and individuals – targets that the likes of Cl0p and ALPHV/BlackCat would probably not consider worthwhile, but which could nevertheless generate significant profit for an individual threat actor.”

Such ransomware appeals to individual criminals as they don’t have to share the profit or rely on infrastructure or services operated by others.

“This appears to be a relatively new phenomenon (although, of course, threat actors have been creating and selling cheap, low-quality RATs and other malware for decades). We also saw other threat actors, a rung or two down the skills ladder, express interest in developing new ransomware–swapping tips on languages, evasion techniques, targets, and licensing models,” the report reads.

The basic features of cheap ransomware include AES-256 or RSA-2048 encryption. Some more advanced strains offer info-stealing, keylogging, and additional malicious capabilities. Only three variants referred to deleting volume shadow copies (the point-in-time file snapshots Windows keeps, which a victim could otherwise use to restore encrypted files without paying). Six strains offered multi-threaded encryption for increased speed. Only Kryptina claimed to be able to target Linux OSes.
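Deletion of volume shadow copies is one of the few junk-gun features that leaves a clear, well-understood trace on the endpoint: a process-creation event for the built-in recovery tools with a destructive command line. The following is an added example written for this article, not code from Sophos X-Ops or from any of the variants it describes; it runs simple detection logic over constructed, simplified process-creation records (Sysmon Event ID 1 style) and raises the severity when the tampering command was spawned by an Office application or scripting host, where that is rarely legitimate. The log format, hostnames, and user names are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation records in a key=value layout.
# They are sample data for this example, not log lines from the Sophos report.
SAMPLE_LOGS = [
    'ts=2024-04-17T10:02:11Z host=ws-07 user=alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
    'ts=2024-04-17T10:05:43Z host=ws-07 user=alice parent=winword.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2024-04-17T10:05:44Z host=ws-07 user=alice parent=winword.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2024-04-17T11:30:00Z host=srv-01 user=backupsvc parent=services.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"',
]

# Command-line patterns that destroy or disable point-in-time recovery.
# Each entry is (label, compiled regex); matching is case-insensitive.
SHADOW_TAMPER_PATTERNS = [
    ("vssadmin shadow deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shadow storage resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadow copy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin backup catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recovery disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]

# Parent processes from which recovery tampering is rarely legitimate:
# user-facing applications and scripting hosts rather than backup services.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe",
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
}

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    reason: str
    severity: str
    cmd: str


def detect_shadow_tampering(lines):
    """Return an Alert for every record whose command line matches a tampering pattern."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        cmd = rec.get("cmd", "")
        for label, pattern in SHADOW_TAMPER_PATTERNS:
            if pattern.search(cmd):
                parent = rec.get("parent", "").lower()
                # Same command from a backup service is worth a look; from Word it is urgent.
                severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
                alerts.append(Alert(rec.get("ts", ""), rec.get("host", ""),
                                    rec.get("user", ""), label, severity, cmd))
                break  # one alert per record is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_tampering(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.ts} {a.host} {a.user}: {a.reason} -> {a.cmd}")
```

On the sample data this flags the two deletion commands spawned by winword.exe as high-severity alerts on ws-07 and leaves the read-only `vssadmin list shadows` from the backup service alone. In practice the same patterns are expressed as an EDR or SIEM rule over process-creation telemetry, and the parent-process check is what keeps legitimate backup-maintenance jobs from flooding the queue.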

“Going against the grain, only Loni claimed to have remote encryption capabilities. This perhaps illustrates how low-quality and crude most junk-gun ransomware is, being limited to local encryption, whereas many major ransomware families are capable of remote encryption,” researchers noted.

Most of the ransomware was written in .NET/C# (five variants), three strains were written in C++, two in C, and one in both Python and Go. Traditionally, malware and ransomware are often written in C or C++.

Some developers shared their ambitions to grow by adding more features and even a data leak site in the future.

“It’s difficult to assess the extent to which most junk-gun ransomware has been used in real-world attacks,” Sophos X-Ops said. “What is clear, however, is that junk-gun ransomware poses unique challenges to small businesses, the wider public, and the security community.”
