These cheap ransomware target small businesses or individuals.
If you’re tired of reading headlines about prolific gangs like LockBit, BlackCat, and Cl0p, and the rise of ransomware-as-a-service (RaaS), this is your answer. A new market is emerging on the dark web and could well turn the tables. A new breed of hackers are developing and selling cheap, crudely constructed ransomware in pieces, rather than renting them out as affiliate-based RasS.
Sophos researchers identified 19 variants of this low-end ransomware offered for sale for as little as $375 or in development on four dark web forums between June 2023 and February 2024. They compared them to the emergence of “Junk Guns”, these cheap, inaccurate and unreliable weapons, in the 1960s and 1970s, imported but potentially dangerous.
The new threat from traditional ransomware-as-a-service variants
Just because they are inexpensive and technically unsophisticated doesn’t mean you shouldn’t be wary of them. Quite the contrary, according to Sophos. These second-tier ransomware variants are sold at a single price, providing attackers with an opportunity to target SMBs or even individuals without having to share their profits with the ransomware creators. The median price of these variants on the dark web was recently $375, significantly cheaper than some kits aimed at RaaS affiliates, which can cost more than $1,000. Hackers have already deployed four of these attack variants. And despite low reach and questionable reliability, these discount ransomware require little to no supporting infrastructure to operate, putting a leg up for these budding hackers.
These hackers are found on English-speaking dark web forums aimed at lower-level criminals, rather than on well-established Russian-speaking forums frequented by organized ransomware kingpins. In the shadow of the big guys, these small cybercriminals can try their hand at playing in the big leagues of ransomware without raising the slightest concern.
To make themselves known, apart from advertisements, they publish numerous articles with tips and tutorials to get started. They do not have big ambitions, which makes them harmless in the eyes of the community, but can loot several small, easy targets such as SMEs or individuals.
A growing discount ransomware market
Of 19 variants identified by Sophos, a third do not have a name and 5 do not yet have a price. Pricing for the others varies, with a version of Kryptina distributed for free and a version of Ergon advertised for around $13,000. The most popular programming languages are C# and .NET, and the most widely used encryption methods are AES-256 and RSA-2048. Four variants include other features, like information theft and keylogging. It is difficult to determine which unwanted ransomware was used at the moment, but Evil Extractor, Ergon, Loni and Lolicrypt have been mentioned.
Sophos analysts are still studying the impact that these Junk Guns could have on the ransomware market: a saturation of the current market with “one more ransomware”, or a real parallel and autonomous market which would parasitize the current one.
In the meantime, they are already causing damage and giving small businesses, the general public, and security experts a hard time. When they tell you that it’s not the size that matters…
Sources: Security Boulevard, Sophos
0