'Cheap ransomware that even beginners can use' is circulating in large quantities on the dark web
News reports of cyber attacks using ransomware tend to portray them as being carried out by highly specialized actors, such as 'nation-sponsored criminal groups.' However, a survey by security company
'Junk gun' ransomware: Peashooters can still pack a punch – Sophos News
https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch/
There are two types of ransomware attack: one where the ransomware developer also carries out the attack, and one where the attacker purchases the ransomware from a developer and then carries out the attack. Ransomware is sold in various forms, but in recent years the mainstream sales model has been 'Ransomware as a Service (RaaS),' in which a portion of the ransom obtained from a ransomware attack is paid as a fee, and this model is becoming more widespread.
However, when Sophos investigated dark web forums where 'low-skilled criminal groups' gather, it found that many of these groups purchase 'cheap, one-time purchase ransomware.' Some of this cheap ransomware contains flaws or backdoors that can cause damage to the attackers themselves. For this reason, Sophos calls the cheap ransomware purchased by low-skilled criminal groups 'junk gun ransomware,' likening it to a cheap, low-quality gun (junk gun).
Sophos discovered a total of 19 types of junk gun ransomware on four forums between June 2023 and February 2024. These included free ones developed as open source and inexpensive ones costing tens of dollars (several thousand yen). The junk gun ransomware discovered by Sophos is listed below.
Name | Posted | Status | Price | Language |
---|---|---|---|---|
CatLogs | December 2023 | Sale | not clear | .NET |
Name unknown | November 2023 | under development | - | C# |
Custom RaaS | July 2023 | Sale | $200 | not clear |
Diablo | January 2024 | Sale | $50/month | not clear |
Evil Extractor | December 2023 | Sale | $99-$199/month | not clear |
HardShield | September 2023 | Open Source | free | C++ |
Jigsaw | June 2023 | Sale | $500 | .NET |
Kryptina | December 2023 | Sale | Single build: $20; Source code: $800 | C |
Lolicrypt | August 2023 | Sale | $1000 | not clear |
Loni | July 2023 | Sale | $999/month; $9999/one-time purchase | C |
Nevermore | October 2023 | Sale | $250 | C# |
RansomTuga | June 2023 | Open Source | free | C++ |
Yasmha | February 2024 | Sale | $500 | C# |
Ergon | September 2023 | Sale | 1 compilation: 0.5 BTC; Source code: 2.5 BTC | not clear |
Name unknown | September 2023 | under development | - | Go |
Name unknown | July 2023 | Sale | $1000 | C++ |
Name unknown | January 2024 | Sale | $60 | not clear |
Name unknown | February 2024 | Sale | $50 | Python |
Name unknown | June 2023 | Sale | $500 | not clear |
According to Sophos, while many well-known ransomware variants use sophisticated logos and interfaces, junk gun ransomware uses 'shoddy and amateurish logos and interfaces.' For example, here is the logo used by Lolicrypt:
Sophos also notes that well-known ransomware is shifting to development in Rust and Go. Sophos points out that 'junk gun ransomware is developed in relatively easy-to-learn languages such as C# and .NET,' and speculates that junk gun ransomware is developed by relatively inexperienced programmers.