The availability of affordable ransomware on the dark web is revolutionizing the methods employed by hackers.

Ransomware as a service image

Since June 2023, cybersecurity observers have detected a surge in affordable ransomware offerings, termed “junk gun” ransomware, on the dark web. These tools are the product of independent developers and represent a shift away from the decade-long dominance of the ransomware-as-a-service (RaaS) model in the cybercriminal ecosystem.

Sophos X-Ops has documented 19 distinct junk gun ransomware variants currently available on dark web marketplaces. These tools are marketed with a single-payment model, eliminating the profit-sharing arrangements typical of RaaS systems. This shift opens up opportunities for cybercriminals to target not just large corporations but also small and medium-sized businesses (SMBs) and individual users.

The cost of these ransomware variants is strikingly low, with a median price of just $375, which is substantially cheaper than traditional RaaS kits that can run into thousands of dollars. To date, four of these low-cost variants have been deployed in the field, demonstrating diverse functionalities but sharing the common benefits of affordability and simplicity in terms of infrastructure requirements.

Discussions concerning these new ransomware tools are predominantly occurring on English-speaking forums within the dark web. This marks a significant departure from the more secretive Russian-speaking forums that are typically frequented by elite cybercriminal groups. The shift indicates an expansion of the ransomware market to include less experienced criminals, with many forum posts focusing on providing guidance and instructional content for those new to ransomware operations.

Despite their lower cost, junk gun ransomware variants pose a serious threat, particularly to small businesses, which may lack robust cybersecurity measures. These tools might not secure the multimillion-dollar ransoms associated with high-profile ransomware-as-a-service (RaaS) attacks, but they are capable of inflicting significant damage and disruption.

Sophos X-Ops has also observed a strategic dialogue among developers of these tools on the dark web, discussing ways to expand their operations and enhance the effectiveness of their ransomware. Additionally, there is a noticeable rise in interest from other criminals who are considering entering the ransomware creation space, inspired by the accessibility and potential profitability of junk gun ransomware.

The proliferation of these ransomware attacks presents a considerable challenge for cybersecurity defenders. Many attacks on small businesses go unnoticed and are rarely reported, leading to a significant intelligence gap. Closing this gap is essential for developing effective defensive strategies and understanding the full scope of the threat posed by these new ransomware variants.