“Junk gun” ransomware: the cheap new threat to small businesses

What’s going on?

A wave of cheap, crude, amateurish ransomware has been spotted on the dark web – and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations.

What’s “junk gun” ransomware?

It’s a name coined by Sophos researchers for unsophisticated ransomware that is often sold cheaply as a one-time purchase. “Junk gun” ransomware is appealing to a criminal who wants to operate independently but lacks technical skills.

Can you give some examples?

Sure. The Kryptina ransomware was made available for sale in December 2023 for just $20 ($800 if you were interested in the source code to perhaps customise it, or create new variants). Kryptina promised a complete out-of-the-box toolkit for launching attacks.

Other “junk gun” ransomware examples include Diablo, Evil Extractor, Yasmha, HardShield, Jigsaw, LoliCrypt, and CatLogs.

Sophos’s researchers note that the Kryptina developer struggled to make any sales and later released their ransomware for free.

Ha! They couldn’t even sell it for $20!

Kinda embarrassing, isn’t it? Some other examples of DIY ransomware-for-sale are also being offered for a low price – $50 or $60.

The average price recorded in Sophos’s research, however, was around $375 – notably less than the thousands of dollars that some affiliates of “conventional” ransomware-as-a-service (RaaS) operations are prepared to pay.

It doesn’t sound good if it’s cheap to get hold of ransomware

Correct. A low entry barrier means potentially more ransomware attackers.

In addition, cybercriminals who are eschewing the route of becoming affiliates to wider ransomware operations are potentially harder for law enforcement agencies to track – due to a lack of available intelligence.

But does this “junk gun” ransomware still pack a punch if it’s low-tech?

Don’t be fooled. The capabilities of this type of ransomware can vary, and the biggest draws are its simplicity (little or no supporting infrastructure required) and the fact that users get to keep all the profits for themselves.

“Junk gun” ransomware attacks may lack the scale and notoriety of major ransomware groups but can still be highly lucrative for those targeting individuals and small businesses.

“What is more concerning is that this new ransomware threat poses a unique challenge for defenders,” said Christopher Budd of Sophos. “Because attackers are using these variants against SMBs and the ransom demands are small, most attacks are likely to go undetected and unreported. That leaves an intelligence gap for defenders, one the security community will have to fill.”

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.