Junk Ransomware: Getting the Job Done For Hackers

Sophos detects ransomware

In an April 17 analysis from its Sophos X-Ops research team, cybersecurity firm Sophos observed an increase in low-cost, primitive ransomware—a boon for aspiring threat actors and a headache for defenders.

It's far more difficult to find something that there are only twenty copies of in the world, said Christopher Budd, director of threat research at Sophos X-Ops.

The group linked the choices to the cheap handguns that flooded the US firearms market in the 1960s and 1970s, known as junk guns.

Between June 2023 and February 2024, the Sophos team spotted 19 different types of "independently produced, inexpensive, and crudely constructed ransomware." Some missed clean graphics, while others used programming languages like C# and.NET, which "have a shallower learning curve," noted the paper.

It seems to be a fairly recent thing,"  noting that poor-quality malware has existed for decades.

Varying costs

Sophos discovered one with no price indicated, two open-source models, one for $20 (later reduced to free), and one for 0.5 BTC (about $13K).

According to a 2023 research by cybersecurity firm CrowdStrike, the cost of a Ransomware as a Service (RaaS) kit "ranges from $40 per month to several thousand dollars." RaaS models depend on affiliates purchasing ransomware and consenting to a subscription fee based on the victim's payment.

Junk-gun ransomware

Junk-gun ransomware destroys that commission: capitalism in action, in a sense.

In most instances, you don't have any kind of partner fees to pay, Budd stated.

Only three of the "junk" kinds paid a subscription fee

Ransomware groups such as LockBit have become large enough to be tracked and halted by government agencies. Junky ransomware has the potential to fly under the radar and bypass detection technology.

There is no single source of knowledge for investigators and researchers to track, the Sophos report stated.

Budd and his crew saw users asking basic inquiries in forums praising the cheap items. What is the best language for creating ransomware? Is writing in C# worthwhile? How should malware be priced and sold?

Budd describes a forum featuring inexpensive ransomware and beginner queries as a welcome place for young hackers waiting for their chance in the big leagues.

Step forward

Junk-gun ransomware presents specific problems for small enterprises, the general public, and the security industry. We saw threat actors expressly refer to assaults against smaller companies and individuals, even as they tried to figure out which types of companies to target and how much ransom to demand because such targets are often less well-defended, knowledgeable, and prepared.

At this point, junk-gun ransomware causes several challenges for the security industry. It is difficult to get samples of junk-gun ransomware, assess how widely it has been deployed in the wild, and monitor new variants. 

Threat actors may also adopt the 'brand names' of well-known ransomware families, presumably to capitalize on their reputations, which can lead to misunderstanding among experts.