Headlines about ransomware in recent years has focused on the most prolific gangs like LockBit, BlackCat, and Cl0p and the rise of ransomware-as-a-service (RaaS), where affiliates pay fee to use ransomware developed by another group and share the money paid by the victim.

However, another market is emerging on the dark web, where bad actors develop cheap and crudely built ransomware that they primarily sell as a one-time purchase, rather than lease it out as in RaaS scenarios, according to researchers with cybersecurity firm Sophos.

The analysts saw 19 such low-end ransomware variants offered for sale or under development on four dark web forums between June 2023 and February. While it’s a nascent market, there’s an undercurrent of interest that could help drive it forward, they, wrote in a report this week.

“This appears to be a relatively new phenomenon (although, of course, threat actors have been creating and selling cheap, low-quality RATs and other malware for decades),” the researchers wrote. “We also saw other threat actors, a rung or two down the skills ladder, express interest in developing new ransomware – swapping tips on languages, evasion techniques, targets, and licensing models.”

They compared the trend to the emergence in the 1960s and 1970s of “junk guns,” cheaply made, imported handguns that were inexpensive, inaccurate, and unreliable, but still were assets to criminals that could undeniably cause damage when in the wrong hands.

Unknown, but Still a Threat

Likewise, while ransomware variants with names like CatLogs, Diablo, Nevermore, and Jigsaw – and those were the ones that actually had names – may be running several steps below the radar, they still pose a threat, particularly to potential victims that might be ignored by the larger players.

“We uncovered some concerning intelligence,” the researchers wrote. “Some individuals claimed to have used junk-gun ransomware in real-world attacks, completing the entire attack chain by themselves, without IABs [initial access brokers]. Others advocated using it to attack small businesses and individuals – targets that the likes of Cl0p and ALPHV/BlackCat would probably not consider worthwhile, but which could nevertheless generate significant profit for an individual threat actor.”

The discovery of junk-gun ransomware is giving the researchers from the Sophos’ X-Ops threat intelligence group some deeper insight into how the ransomware environment continues to evolve and the mindset of some of those bad actors looking to get a foothold in a booming and profit-making business.

No Frills

For the most part, these are bareboned operations that come without a lot of what the highly-organized ransomware groups bring. They don’t have leak sites, don’t use IABs to offer ways into targets’ networks, no affiliates or corporate-style setups to manage, and no large, high-profile victims.

In addition, their ransom demands don’t get into the millions of dollars, their ransomware isn’t designed to get around endpoint detection and response (EDR) protections, and they’re not looking for attention, according to the researchers.

They added that – as with junk guns themselves – using junk-gun ransomware can backfire. The malware might not work, it could trigger alerts, or it could be backdoored by other scammers. These hackers also may become victims of their own inexperience. That said, they may see all of these as acceptable risks, in part because using the low-end ransomware may end up getting them better jobs with larger and more lucrative threat groups.

In addition, this low-end ransomware is enabling what RaaS also does – less-skilled threat actors who now have a relatively cheap way to run ransomware attacks. GuidePoint Security researchers earlier this month came out with a report about what they call “ad hoc, opportunistic, or ‘immature’ ransomware groups” – like Phobos and DataF Locker – that operate more quietly and target smaller victims.

Larger groups may get the wider notoriety, but “immature ransomware groups operating on the fringe continue to harm smaller and less well-defended organizations, often without a recognizable brand or name to aid in attributing and ascribing deceitful behavior,” they wrote.

A Market Still in Flux

The junk-gun ransomware market appears to be one that is still coming together. Of the 19 variants Sophos X-Ops found, a third didn’t have a name and five had yet to have a price attached – one simply had no price listed, two were open-source, and another two were still being developed.

Pricing for the other 14 varied greatly. A single build of Kryptina was priced at $20, but later the researchers saw that the developer was giving for free after struggling to make deals. However, a single build of Ergon was advertised for 0.5 Bitcoin – or about $13,000 – and the median average price was $375, with the mode reaching $500.

As far as programming languages, C# and .NET was the most popular, being in five variants, with C++, C, Python, and Go also being used, while the most used encryption methods were AES-256 and RSA-2048. Four variants included other capabilities along with ransomware, such as information stealing and keylogging.

Some Unknowns

The researchers wrote that it’s difficult to determine which of the junk-gun ransomware has been used in the wild, given that there’s little if any supporting infrastructure required, including leak sites.

That said, threat actors have used Evil Extractor and there have been claims from two sellers and a buyer that Ergon, Loni, and Lolicrypt have been used.

The Sophos X-Ops analysts are still sorting out what this emerging market means. It could signal greater fracturing in the ransomware market, market saturation, or a space that is developing distinct tiers.

“To some extent, junk-gun ransomware is likely also simply a reflection of capitalism in action,” they wrote. “Like any other market, supply will expand to meet demand, and would-be profiteers will flock to whatever services and products are generating the most money – and carve out niches for themselves as they do so. … What is clear, however, is that junk-gun ransomware poses unique challenges to small businesses, the wider public, and the security community.”