New Junk Gun Ransomware Disrupts Ransomware-as-a-Service Racket

OXFORD, U.K. — 四月 17, 2024 —

Sophos, a global leader of innovative security solutions that defeat cyberattacks, today released a new report titled, “’Junk Gun’ Ransomware: Peashooters Can Still Pack a Punch,” which offers new insights into an emergent threat in the ransomware landscape. Since June 2023, Sophos X-Ops has discovered 19 ‘junk gun’ ransomware variants—cheap, independently produced and crudely constructed ransomware variants—on the dark web. The developers of these junk gun variants are attempting to disrupt the traditional affiliate-based ransomware-as-a-service (RaaS) model that has dominated the ransomware racket for nearly a decade. Instead of selling or buying ransomware to or as an affiliate, attackers are creating and selling unsophisticated ransomware variants for a one-time cost—which other attackers sometimes see as an opportunity to target small and medium-sized businesses (SMBs), and even individuals.

“For the past year or two, ransomware has reached a kind of homeostasis. It’s still one of the most pervasive and serious threats for businesses, but our most recent Active Adversary report found that the number of attacks has stabilized, and the RaaS racket has remained the go-to operating model for most major ransomware groups. Over the past two months, however, some of the biggest players in the ransomware ecosystem have disappeared or shut down, and, in the past, we’ve also seen ransomware affiliates vent their anger over the profit-sharing scheme of RaaS. Nothing within the cybercrime world stays static forever, and these cheap versions of off-the-shelf ransomware may be the next evolution in the ransomware ecosystem—especially for lower-skilled cyber attackers simply looking to make a profit rather than a name for themselves,” said Christopher Budd, director, threat research, Sophos.

As noted in the Sophos report, the median price for these junk-gun ransomware variants on the dark web was $375, significantly cheaper than some kits for RaaS affiliates, which can cost more than $1,000. The report indicates that cyber attackers have deployed four of these variants in attacks. While the capabilities of junk-gun ransomware vary widely, their biggest selling points are that the ransomware requires little or no supporting infrastructure to operate, and the users aren’t obligated to share their profits with the creators.

Junk gun ransomware discussions are taking place primarily on English-speaking dark web forums aimed at lower-tier criminals, rather than well-established Russian-speaking forums frequented by prominent attacker groups. These new variants offer an attractive way for newer cybercriminals to get started in the ransomware world, and, alongside the advertisements for these cheap ransomware variants, are numerous posts requesting advice and tutorials on how to get started.

“These types of ransomware variants aren’t going to command the million-dollar ransoms like Clop and Lockbit but they can indeed be effective against SMBs, and for many attackers beginning their ‘careers,’ that’s enough. While the phenomenon of junk gun ransomware is still relatively new, we’ve already seen posts from their creators about their ambitions to scale their operations, and we’ve seen multiple posts from others talking about creating their own ransomware variants.

“What is more concerning is that this new ransomware threat poses a unique challenge for defenders. Because attackers are using these variants against SMBs and the ransom demands are small, most attacks are likely to go undetected and unreported. That leaves an intelligence gap for defenders, one the security community will have to fill,” said Budd.

To learn more about junk gun ransomware and the latest change in the ransomware ecosystem, read “’Junk Gun’ Ransomware: Peashooters Can Still Pack a Punch” on Sophos.com.

关于 Sophos

Sophos 是全球领先的先进安全解决方案提供商和创新者,全面安全解决方案涵盖托管式侦测与响应 (MDR) 和事件响应服务,以及广泛的端点、网络、电子邮件和云安全技术。作为最大的纯网络安全厂商之一,Sophos 为全球超过 600,000 家企业和超过 1 亿用户提供防御主动攻击对手、勒索软件、网络钓鱼、恶意软件等威胁的保护。Sophos 的服务和产品通过 Sophos Central 管理控制台连接,并得到公司内部的跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos为需要完全托管的安全解决方案的组织提供网络安全即服务。客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com