A whole new generation of ransomware makers are attempting to shake up the market

Code Skull
(Image credit: Shutterstock)

The days of the "traditional" Ransomware-as-a-Service (RaaS) model could be numbered as hackers instead pivot towards cheaper, crude, off-the-shelf ransomware variants, new research has said.

In a new report analyzing the state of the ransomware community, Sophos says it discovered 19 “junk gun” ransomware variants emerging since June 2023.

These variants are cheap, independently produced, and crudely constructed. Furthermore, they are not being sold as a service. Instead, hackers can buy it for a one-time fee, and keep all the potential profits for themselves. To make matters even more interesting, these variants are significantly cheaper than their RaaS counterparts. While sophisticated tools can cost more than $1,000, the average cost of “junk gun” ransomware is just $375.

Homeostasis for ransomware

Sophos also claims that there are many threat actors out there who are not interested in making a name for themselves, but would rather steal people’s money in peace and quiet. What’s more, many are growing more and more frustrated by the revenue sharing models of RaaS solutions, further emphasized by the recent Change Healthcare fiasco.

For those who are unaware, a BlackCat affiliate, who was responsible for the ransomware infection at Change Healthcare, demanded $20 million in crypto and had the company pay the demand. However, they were left empty-handed as the ransomware’s operators took everything and disappeared into the cold, dark web. 

Unlike the well-established ransomware variants, which circulate on Russian-speaking forums, these cheaper versions are mostly found on English-speaking dark web forums, Sophos concluded. They offer an attractive way for newer criminals to get started in the ransomware world, they said.

“For the past year or two, ransomware has reached a kind of homeostasis. It’s still one of the most pervasive and serious threats for businesses, but our most recent Active Adversary report found that the number of attacks has stabilized, and the RaaS racket has remained the go-to operating model for most major ransomware groups,” said Christopher Budd, director, threat research, Sophos. 

“Over the past two months, however, some of the biggest players in the ransomware ecosystem have disappeared or shut down, and, in the past, we’ve also seen ransomware affiliates vent their anger over the profit-sharing scheme of RaaS. Nothing within the cybercrime world stays static forever, and these cheap versions of off-the-shelf ransomware may be the next evolution in the ransomware ecosystem—especially for lower-skilled cyber attackers simply looking to make a profit rather than a name for themselves.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS