Homemade Ransomware

Ransomware-as-a-service is a lucrative business in the hands of professionally organised groups. Now criminals can also turn to quickly cobbled-together junk ransomware.

Since June 2023, the Sophos X-Ops team of specialists has identified 19 “junk gun” ransomware variants. Cheap, self-produced and rather clumsily constructed, the programs appear on the darknet. Behind them are low-skilled developers who want to shake up the established ransomware-as-a-service (RaaS) market with simple and inexpensive ransomware models. The name recalls an era in the USA in the 1960s and 1970s, when the market was flooded with cheap and sometimes malfunctioning weapons, later known as “junk guns”. A similar development is now repeating itself in the cybercrime scene.

Has the RaaS model had its day?

Instead of selling or purchasing ransomware as an affiliate product – as has been standard in the cybercrime market for years – the cybercrime upstarts are building primitive ransomware models themselves and selling them for a one-off fee. For some criminals, this is ideal for attacking small and medium-sized companies or individuals.

“We observe that ransomware has reached a certain level of saturation. It is still one of the most common and serious threats to organizations, but the number of attacks has leveled off at a certain level and the RaaS business has established itself as a common operating model for most of the main ransomware groups. Two months ago, some of the biggest ransomware players disappeared from the scene and in the past, some of the ransomware partners vented their anger about the profit orientation of RaaS. Nothing in the cybercrime world stays the same and we may be witnessing how these cheap versions of ransomware are the next evolutionary step, especially for criminals with little knowledge who are looking for a quick profit rather than a glorious attack,” said Christopher Budd, Director Threat Research at Sophos.

Ransomware at a one-time bargain price

In the report, Sophos lists one of these home-made variants offered on the darknet at a price of 375 US dollars, clearly cheaper than some RaaS kits for partners, which cost more than 1,000 US dollars. According to the analysis, cybercriminals have already used four of these variants in attacks. While the capabilities of junk gun ransomware differ greatly from those of the RaaS variants, it has two selling points: the malware requires little or no supporting infrastructure to run, and users are not obliged to share their profits with the developers.

Ads and do-it-yourself tutorials

Junk gun ransomware discussions mainly take place in English-language forums on the darknet and are aimed at criminals with little technical knowledge, in contrast to the often Russian-language forums visited by well-known and well-trained attack groups. These new variants give criminal novices an attractive way into the ransomware world. In addition to ads for the ransomware bargains, there are posts with tips and tricks and how-to tutorials.

Junk gun ransomware attacks may go under the radar

“These types of ransomware won’t demand million-dollar ransoms like Clop or Lockbit, but true to the motto ‘mass not class’, they can be quite effective on SMBs and debut for wider distribution. While the phenomenon of junk gun ransomware is relatively new, we have already gained insight into the ambition of its creators to spread this ransomware model further. And we’ve seen many posts from more criminals who want to create their own ransomware variant,” says Budd. “Even more worrying, however, is that this new ransomware threat poses a serious defense challenge: Since attackers are using these models against SMBs and ransom demands are low, most attacks go undetected and unpublicized. This leaves an information gap for defenders that the security community must then fill.”