For some cybercriminals, ‘junk’ ransomware does the job

Sometimes ransomware actors just want the cheap stuff.

Cybersecurity company Sophos, in an April 17 report from its Sophos X-Ops research team, noticed an uptick in low-cost, rudimentary ransomware—a deal for aspiring threat actors and a challenge for defenders.

“It’s much harder to detect something that there are only 20 copies of in the world,” Christopher Budd, director of threat research at Sophos X-Ops, told IT Brew.

The group compared the offerings to the cheap handguns flooding the US firearms market in the 1960s and 1970s: junk guns.

Between June 2023 and February 2024, the Sophos team found 19 varieties of “independently produced, inexpensive, and crudely constructed ransomware.” Some lacked polished graphics, and some featured programming languages like C# and .NET, which “have a shallower learning curve,” according to the report.

“This appears to be a relatively new phenomenon,” the post read, while noting low-quality malware has been around for decades.

Costs may vary. Out of the 19, Sophos found one with no price listed, two open-source models, one for $20 (which later decreased its price to free) and one for 0.5 BTC (about $13k).

The price of a Ransomware as a Service (RaaS) kit, according to a 2023 report from cybersecurity company CrowdStrike, “ranges from $40 per month to several thousand dollars.” RaaS models rely on affiliates paying for the ransomware and agreeing to a service fee based on the victim’s payment.

Junk-gun ransomware trashes that commission: capitalism in action, in a way.

“In most cases, you don’t have any affiliate fees to pay,” Budd said.

Only three of the “junk” varieties Sophos found charged a subscription fee, according to the company.

Ransomware groups like LockBit grew big enough to be monitored and disrupted by government agencies. Junky ransomware has a chance of flying under the radar and around detection technologies.

“There is no central source of information for researchers and investigators to monitor,” the Sophos report read.

In the forums touting the cheap wares, Budd and his team noticed users asking basic questions: What is the most suitable language for writing ransomware? Is writing in C# worthwhile? How should malware be priced, and where should it be sold?

A forum hosting cheap ransomware and beginner questions, to Budd, reveals a welcoming environment for new hackers waiting for some at-bats in the big leagues.

“In addition to being a place to buy this junk-gun ransomware, we also are pretty clearly seeing the emergence of, basically, farm teams,” Budd told IT Brew.