{"id":24338,"date":"2024-04-17T03:20:57","date_gmt":"2024-04-17T11:20:57","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/04\/17\/news-18068\/"},"modified":"2024-04-17T03:20:57","modified_gmt":"2024-04-17T11:20:57","slug":"news-18068","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/04\/17\/news-18068\/","title":{"rendered":"&#8216;Junk gun&#8217; ransomware: Peashooters can still pack a punch"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Wed, 17 Apr 2024 10:00:08 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>In the 1960s and \u201970s, the US firearms market saw an influx of cheaply-made, imported handguns. <a href=\"https:\/\/www.rand.org\/research\/gun-policy\/analysis\/bans-on-low-quality-handguns.html\">Legislators targeted<\/a> the proliferation of these inexpensive and frequently unreliable weapons, ostensibly because they were believed to pose a risk to their owners and facilitate criminality. This was not an issue unique to the US or to that time period, of course; in the UK, where handguns are now strictly regulated, <a href=\"https:\/\/theconversation.com\/how-illegal-firearms-find-their-way-onto-british-streets-despite-tough-laws-61239\">criminals often resort to reactivated, or even home-made or antique, firearms<\/a>.<\/p>\n<p>Despite \u2018junk guns\u2019 often being inaccurate and prone to malfunction, purchasing or creating them does have advantages for a would-be criminal. Such weapons are unlikely to be on law enforcement\u2019s radar, and can be difficult to trace. They tend to be cheap, lowering the cost of entry to illicit ownership and usage. 
And they can often be made or obtained without needing access to extensive criminal networks.<\/p>\n<p>During a recent investigation into several underground cybercrime forums \u2013 particularly those frequented by lower-skilled threat actors \u2013 Sophos X-Ops discovered something interesting: a ransomware equivalent to junk guns.<\/p>\n<p>We found multiple examples of independently produced, inexpensive, and crudely-constructed ransomware, mostly sold as a one-time purchase rather than typical affiliate-based <a href=\"https:\/\/www.sophos.com\/en-us\/cybersecurity-explained\/ransomware-as-a-service\">Ransomware-as-a-Service (RaaS)<\/a> models (and none of the \u2018junk-gun ransomware\u2019 we found appears on the <a href=\"https:\/\/ransomwatch.telemetry.ltd\/#\/INDEX\">ransomwatch group index<\/a> as of this writing). This appears to be a relatively new phenomenon (although, of course, threat actors have been creating and selling cheap, low-quality RATs and other malware for decades). We also saw other threat actors, a rung or two down the skills ladder, express interest in developing new ransomware \u2013 swapping tips on languages, evasion techniques, targets, and licensing models.<\/p>\n<p>At first glance, the prospect of individuals making and selling junk-gun ransomware doesn\u2019t seem to pose a significant threat; it\u2019s a far cry from the notorious, well-organized ransomware groups that usually come to mind. 
Here, there are no leak sites; no <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/iabs\/\">initial access brokers (IABs)<\/a>; no affiliates; no <a href=\"https:\/\/www.forescout.com\/resources\/analysis-of-conti-leaks\/\">corporate-like hierarchies<\/a>; no multi-million dollar ransom demands; no <a href=\"https:\/\/www.themandarin.com.au\/222990-ransomware-thugs-paying-influencers-to-flaunt-their-brand-tattoos-acsc\/\">publicity stunts<\/a>; no high-profile targets; no <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\">sophisticated malware intended to defeat advanced EDR products<\/a>; no <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\">seeking headlines and media attention<\/a>; and little in-depth analysis by researchers.<\/p>\n<p>But as we dug deeper, we uncovered some concerning intelligence. Some individuals claimed to have used junk-gun ransomware in real-world attacks, completing the entire attack chain by themselves, without IABs. Others advocated using it to attack small businesses and individuals \u2013 targets that the likes of Cl0p and ALPHV\/BlackCat would probably not consider worthwhile, but which could nevertheless generate significant profit for an individual threat actor. Some users claimed to prefer standalone ransomware because they don\u2019t have to profit-share \u2013 as in many RaaS models \u2013 or rely on infrastructure developed and operated by others.<\/p>\n<p>Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently. 
They can target small companies and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut.<\/p>\n<p>Of course, junk-gun ransomware may occasionally blow up in threat actors\u2019 faces \u2013 it may be defective, trigger alerts, or be <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/14\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-2\/\">backdoored as part of a scam<\/a> \u2013 or their own lack of experience may result in failure or detection. In their minds, however, these are likely acceptable risks \u2013 not least because using junk-gun ransomware may eventually lead to more lucrative employment opportunities with prominent ransomware gangs.<\/p>\n<p>In this article we\u2019ll reveal our findings, share details of the junk-gun ransomware we found, and discuss the implications for organizations, the wider public, and the security community.<\/p>\n<h1>Off-the-shelf junk-gun ransomware<\/h1>\n<p>We observed 19 junk-gun ransomware varieties either offered for sale or cited as being under development, across four forums, between June 2023 and February 2024. Our findings are summarized in the table below.<\/p>\n<p><em>Table 1: An overview of the off-the-shelf junk-gun ransomware varieties we observed on four criminal forums, between June 2023 and February 2024<\/em><\/p>\n<h2>Cheap and cheerless<\/h2>\n<p>Of the 19 varieties we found, one had no price listed, two were open-source, and two were under active development and therefore had no price listed. 
Prices for the remaining 14 ranged from $20 (for a single build of Kryptina; we later noted that the Kryptina developer released their ransomware for free after struggling to make sales) to 0.5 BTC, or approximately $13,000 at the time of the posting.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2_5c21b1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954009\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2_5c21b1.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"229\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2_5c21b1.png 980w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2_5c21b1.png?resize=300,107 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2_5c21b1.png?resize=768,274 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: One of the adverts for Kryptina<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-954010 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png\" alt=\"A screenshot of a Linux terminal window\" width=\"640\" height=\"303\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png 1366w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png?resize=300,142 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png?resize=768,364 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image3.png?resize=1024,485 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: A screenshot showing a build of Kryptina, provided by the seller as part of their promotional materials<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4_134b47.png\"><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-full wp-image-954011\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4_134b47.png\" alt=\"A screenshot from a criminal forum\" width=\"467\" height=\"342\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4_134b47.png 467w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4_134b47.png?resize=300,220 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/a><\/p>\n<p><em>Figure 3: An advert for an unnamed junk-gun ransomware written in C++, offered for sale on a criminal forum<\/em><\/p>\n<p>That 0.5 BTC price (for a single build of Ergon) appears to be something of an outlier, however. The median average price across all varieties was $375, and the mode was $500. The mean average was $1,302 including Ergon, but $402.15 without. That\u2019s notably cheap, given that some RaaS affiliates reportedly pay <a href=\"https:\/\/www.crowdstrike.com\/cybersecurity-101\/ransomware\/ransomware-as-a-service-raas\/\">up to thousands of dollars<\/a> for access to kits (although note that some kits cost much less).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954012\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"137\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png 1362w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png?resize=300,64 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png?resize=768,165 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5_b1687e.png?resize=1024,220 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: A post promoting the Ergon ransomware. 
Note the claim that Ergon \u201chas been used in multiple attacks with <strong>extremly [sic] high <\/strong>success rate [emphasis in original].\u201d We\u2019ll cover in-the-wild junk-gun ransomware attacks shortly<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6_044bd7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954013\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6_044bd7.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"240\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6_044bd7.png 666w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6_044bd7.png?resize=300,113 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: As well as its high price, Ergon was also an outlier in that its developer(s) asked for 10% of any revenue from attacks; we didn\u2019t see this sort of stipulation anywhere else during our research<\/em><\/p>\n<p>Most junk-gun ransomware was available for a single, one-off price. Only three adopted any sort of subscription model (Diablo, with licences at $50 per month; Evil Extractor, at $99 &#8211; $199 per month depending on the selected \u2018plan\u2019; and Loni, at $999 per month or $9,999 for a lifetime licence). 
Both Kryptina and Ergon also offered source code at a premium cost, relative to the price of a single build ($800 for Kryptina, and 2.5BTC, or about $39,000, for Ergon).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954014\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"272\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png 1250w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png?resize=300,128 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png?resize=768,327 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image7.png?resize=1024,436 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A post advertising the Diablo ransomware, with a subscription price of $50 per month<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954015\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"356\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png 1500w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png?resize=300,167 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png?resize=768,428 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image8.png?resize=1024,570 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: The available \u2018packages\u2019 for Evil Extractor<\/em><\/p>\n<p>Interestingly, at least two examples of junk-gun ransomware \u2013 Diablo and Jigsaw \u2013 use names associated with historic ransomware 
families. Diablo was <a href=\"https:\/\/www.webroot.com\/blog\/2017\/08\/17\/locky-ransomware-resurges-diablo-lukitus\/\">a variant of Locky in 2017<\/a>, and Jigsaw (previously BitcoinBlackmailer) was <a href=\"https:\/\/www.pcworld.com\/article\/420510\/jigsaw-crypto-ransomware-deletes-more-files-the-longer-you-delay-paying.html\">released in 2016<\/a>. This may be a coincidence, and neither seller stated that their ransomware was linked to these earlier families. That didn\u2019t stop some users wondering if there was a connection, particularly in the case of Jigsaw \u2013 although the seller denied this.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954016\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image9.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"161\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image9.png 932w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image9.png?resize=300,75 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image9.png?resize=768,193 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: The Jigsaw seller\/developer denies being connected to \u201cthe old jigsaw\u201d ransomware<\/em><\/p>\n<p>It\u2019s possible that these threat actors are deliberately using the names of earlier, well-known ransomware to benefit from \u2018brand recognition\u2019 and give their junk gun variants an air of \u2018legitimacy\u2019 \u2013 despite the fact that they may be counterfeits.<\/p>\n<p>In any case, it appears that at least some junk-gun ransomware developers are making money from their products. 
While the Kryptina developer admitted that they had struggled to turn a profit, the Nevermore developer said that they had made \u201cmore than I expected\u201d from ransomware.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954017\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"222\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png 1261w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png?resize=300,104 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png?resize=768,266 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image10.png?resize=1024,355 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: The Nevermore developer answers some questions from a forum user, including how much money they\u2019ve made from ransomware<\/em><\/p>\n<p>It\u2019s worth noting at this juncture that some junk-gun ransomware may well be a scam. We\u2019ve previously reported on <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/14\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-2\/\">criminals defrauding and hacking each other<\/a> in a variety of ways on marketplaces \u2013 including \u2018rip and run\u2019 scams and backdoored malware \u2013 and it\u2019s entirely possible that some of the variants we discuss here are schemes in this vein. 
We only found one allegation of this nature, however.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954018\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg\" alt=\"A screenshot of a ransomware builder\" width=\"640\" height=\"481\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg 1080w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg?resize=300,225 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg?resize=768,577 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image11.jpeg?resize=1024,769 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: A screenshot of an unnamed junk-gun ransomware, posted to a forum as part of a listing. Despite the window title of \u201cRansomware-As-A-Service\u201d, we didn\u2019t observe any indication of any common RaaS-type revenue models or features with this product, and it was offered at a standalone price of $200<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954019\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image12.png\" alt=\"A screenshot from a criminal forum\" width=\"435\" height=\"69\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image12.png 435w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image12.png?resize=300,48 300w\" sizes=\"auto, (max-width: 435px) 100vw, 435px\" \/><\/a><\/p>\n<p><em>Figure 11: A user alleges that this ransomware is a scam and that they were defrauded to the tune of $149 USDT (Tether)<\/em><\/p>\n<p>However, even <a href=\"https:\/\/twitter.com\/azalsecurity\/status\/1764450379318645094\">affiliates of prominent ransomware families<\/a>, 
operating under common RaaS models, <a href=\"https:\/\/twitter.com\/ddd1ms\/status\/1764639254016102410\">run the risk of being scammed by RaaS operators<\/a>. Standalone junk-gun ransomware may therefore be the lesser of two evils in the minds of some less-experienced threat actors, as it can provide them with more independence and control.<\/p>\n<h2>Languages<\/h2>\n<p>12 of the 19 adverts included details about the development language and\/or framework, either in the initial post or in subsequent discussions. Interestingly, .NET\/C# was the most popular (five variants), with C++ accounting for three, two in C, and Python and Go one each.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954020\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"178\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png 1370w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png?resize=300,83 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png?resize=768,214 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image13.png?resize=1024,285 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: A user solicits development advice for an ongoing ransomware project written in Go. 
Note the aspiration to make the ransomware \u201csimilar to the APT Players such as BlackCat, PLAY, Black Basta\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954021\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image14.png\" alt=\"A screenshot of a ransomware builder\" width=\"640\" height=\"445\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image14.png 640w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image14.png?resize=300,209 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: Most junk-gun ransomware we observed, however, appeared to have been written in C#\/.NET<\/em><\/p>\n<p>This would seem to be at odds with \u2018traditional\u2019 malware and ransomware (often written in C or C++), and more modern strains (several ransomware families, <a href=\"https:\/\/www.itpro.com\/security\/ransomware\/368476\/why-are-ransomware-gangs-pivoting-to-rust\">including BlackCat and Hive<\/a>, shifted to Rust and <a href=\"https:\/\/cyble.com\/blog\/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon\/\">Go<\/a>). It\u2019s not entirely surprising, however; C# and .NET tend to have a shallower learning curve than many programming languages and frameworks, and may therefore be more attractive to less experienced developers.<\/p>\n<p>Perhaps in keeping with this, virtually all the junk-gun ransomware we saw \u2013 with the exception of Evil Extractor \u2013 lacked <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\">the slick graphics and branding<\/a> associated with more prominent ransomware. 
In the majority of cases, logos and interfaces were crude and amateurish (and some varieties were deliberately unbranded and unnamed, and so had no logos at all).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954022\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png\" alt=\"A screenshot of a ransomware logo: a pink-haired female manga\/anime character surrounded by a padlock and chain\" width=\"640\" height=\"640\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png 640w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=150,150 150w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=300,300 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=64,64 64w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=96,96 96w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image15.png?resize=128,128 128w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: The Lolicrypt logo<\/em><\/p>\n<h2>Features<\/h2>\n<p>The advertised capabilities of junk-gun ransomware varied widely. We observed a range of cited encryption methods, although AES-256 and\/or RSA-2048 were, unsurprisingly given their ubiquity, the most popular, appearing in seven of the ten listings in which threat actors provided this detail. 
However, we also saw some relatively rare algorithms, including <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7539\">ChaCha20<\/a>, <a href=\"https:\/\/cryptography.fandom.com\/wiki\/XTEA\">XTEA<\/a>, and <a href=\"https:\/\/www.cryptopp.com\/wiki\/Salsa20\">Salsa20<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954023\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image16.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"401\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image16.png 893w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image16.png?resize=300,188 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image16.png?resize=768,482 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 15: A promotional post for Loni, referring to the use of the XTEA cipher. Loni was notable for the amount of technical information provided about its features<\/em><\/p>\n<p>Four varieties (Evil Extractor; CatLogs; Nevermore; and RansomTuga) bundled other capabilities, such as infostealing and\/or keylogging, along with ransomware functionality. 
With regards to ransomware-related features, only three varieties referred to deletion of volume shadow copies (<a href=\"https:\/\/support.sophos.com\/support\/s\/article\/KB-000036273?language=en_US\">a well-known ransomware tactic<\/a>), which was somewhat surprising \u2013 although six mentioned multi-threaded encryption (<a href=\"https:\/\/news.sophos.com\/en-us\/2021\/08\/09\/blackmatter-ransomware-emerges-from-the-shadow-of-darkside\/\">another very common tactic<\/a>, which increases the speed of encryption).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954024\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image17.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"282\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image17.png 932w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image17.png?resize=300,132 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image17.png?resize=768,339 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 16: A post advertising the CatLogs junk-gun ransomware, which bundles multiple other features<\/em><\/p>\n<p>Only one variety, Kryptina, was described as specifically targeting Linux operating systems, although both the Lolicrypt and Loni developers stated that they had introduced cross-platform capabilities or Linux-specific variants.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954025\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image18.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"194\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image18.png 857w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image18.png?resize=300,91 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image18.png?resize=768,233 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 17: The Lolicrypt developer claims that their ransomware has cross-platform capabilities<\/em><\/p>\n<p>Going against the grain, only Loni claimed to have <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/20\/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle\/\">remote encryption capabilities<\/a>. This perhaps illustrates how low-quality and crude most junk-gun ransomware is, being limited to local encryption, whereas many major ransomware families are capable of remote encryption.<\/p>\n<p>Just two adverts (an unnamed variety, and Evil Extractor) mentioned any kind of anti-VM or anti-debugger features.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954026\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image19.png\" alt=\"A screenshot from a criminal forum\" width=\"395\" height=\"353\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image19.png 395w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image19.png?resize=300,268 300w\" sizes=\"auto, (max-width: 395px) 100vw, 395px\" \/><\/a><\/p>\n<p><em>Figure 18: A feature list for an unnamed junk-gun ransomware includes references to \u201cAnti Virtual Machine\u201d and \u201cAnti Debugger\u201d capabilities<\/em><\/p>\n<p>We did note that some junk-gun ransomware developers appear to have ambitions to eventually evolve their projects into more complex offerings. 
The Loni developer, for example, argued that their ransomware is superior to RaaS schemes because there\u2019s no need to profit-share, pay affiliate joining fees, or run the risk of RaaS operators interfering with negotiations and payments.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954027\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"147\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png 1386w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png?resize=300,69 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png?resize=768,176 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image20.png?resize=1024,235 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 19: The Loni developer makes an argument for their product versus RaaS schemes. 
Note the reference to RaaS operators scamming affiliates, which we alluded to earlier<\/em><\/p>\n<p>However, the developer later mentioned that when they have collected enough funds, they will \u201cscale up infrastructure and launch a data leak site\u201d \u2013 thereby creating a sort of hybrid of a conventional RaaS infrastructure and junk-gun ransomware.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954028\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"54\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png 1353w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png?resize=300,25 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png?resize=768,65 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image21.png?resize=1024,86 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 20: The Loni developer reveals ambitions to later launch a data leak site, as well as promising buyers \u201csupport and\u2026new features\u201d<\/em><\/p>\n<p>We also saw an advert which appeared to mimic some of the \u2018affiliate rules\u2019 stipulated by prominent ransomware families. In one post, for an unnamed junk-gun ransomware, the developer listed \u201cforbidden targets\u201d, including hospitals and governments. 
However, this advert appeared to be for standalone ransomware, so it\u2019s unclear how these rules would be enforced.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954029\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image22.png\" alt=\"A screenshot from a criminal forum\" width=\"370\" height=\"155\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image22.png 370w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image22.png?resize=300,126 300w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\" \/><\/a><\/p>\n<p><em>Figure 21: A junk-gun ransomware advert specifies \u201cforbidden targets\u201d<\/em><\/p>\n<h2>In the wild?<\/h2>\n<p>It\u2019s difficult to assess the extent to which most junk-gun ransomware has been used in real-world attacks. One of its major selling points is that little or no supporting infrastructure is required, and this includes leak sites \u2013 so there is no central source of information for researchers and investigators to monitor. Moreover, if buyers are targeting small businesses and individuals, such incidents are unlikely to be publicized to the same extent as those involving higher-profile organizations.<\/p>\n<p>Threat actors are also unlikely to discuss attacks on \u2018public\u2019 forums, particularly if they were directly involved in those attacks. 
And it\u2019s difficult to obtain technical information, such as hashes and other IOCs, without either purchasing the ransomware or investigating known incidents \u2013 so it\u2019s hard to determine if we\u2019ve seen any of these varieties before, under different names or identities.<\/p>\n<p>However, we do know that threat actors have used Evil Extractor \u2013 to our knowledge, the only example that has received any in-depth coverage \u2013 in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/evilextractor-malware-activity-spikes-in-europe-and-the-us\/\">real-world attacks<\/a>. We also observed claims \u2013 two from sellers, one from a buyer \u2013 that three variants (Ergon, Loni, and Lolicrypt) have been used in the wild, but we were unable to obtain any further information.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954030\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image23.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"343\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image23.png 713w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image23.png?resize=300,161 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 22: A Lolicrypt buyer claims that they have \u201cbeen using it for a bit, works as advertised\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image24.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954031\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image24.png\" alt=\"A screenshot from a criminal forum\" width=\"565\" height=\"88\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image24.png 565w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image24.png?resize=300,47 300w\" 
sizes=\"auto, (max-width: 565px) 100vw, 565px\" \/><\/a><\/p>\n<p><em>Figure 23: The Loni developer states that Loni \u201chas been tested in real-world attacks\u201d<\/em><\/p>\n<h2>Detections<\/h2>\n<p>When threat actors advertise malware on criminal forums, they often include detection rates from online scanners, either in the form of a number or a screenshot. While these results are almost always related to static, rather than dynamic, detections, the criminal community often regards them as something of a quality benchmark. Threat actors may use a zero-detection rate (popularly known as \u2018FUD\u2019: \u2018fully undetected\u2019 or \u2018fully undetectable\u2019), for example, as a selling point, even if that figure doesn\u2019t necessarily mean much in the context of real-world attacks.<\/p>\n<p>Six of the 19 adverts referred to some form of detection \u2013 three mentioning Windows Defender specifically (either in the context of detections or bypasses), and three referring to detections by multiple security products in online scanners.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954032\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"129\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png 1350w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png?resize=300,61 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png?resize=768,155 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image25.png?resize=1024,207 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 24: The Yasmha developer responds to criticism of their initial advert by including details about the language and detection rate<\/em><\/p>\n<p>However, as we noted 
earlier, even a relatively high detection rate isn\u2019t necessarily a dealbreaker when it comes to junk-gun ransomware. Small businesses and individuals may not always have security products, or may not have configured them correctly, or may not adopt best practice when an alert is triggered \u2013 and many threat actors know this.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954033\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image26.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"55\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image26.png 1020w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image26.png?resize=300,26 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image26.png?resize=768,66 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 25: A user claims to be targeting \u201c5-6 companies with no IT security at all\u201d<\/em><\/p>\n<h1>Known ransomware and RaaS schemes<\/h1>\n<p>In addition to relatively unknown junk-gun ransomware, we also found better-known ransomware on the forums, albeit all relatively new or lower-tier families. 
We grouped these examples into three categories: builders or source code for sale or distribution; recruitment opportunities; and requests for assistance with development.<\/p>\n<table width=\"754\">\n<tbody>\n<tr>\n<td width=\"102\">Name<\/td>\n<td width=\"104\">Date posted<\/td>\n<td width=\"274\">Type<\/td>\n<td width=\"274\">Price<\/td>\n<\/tr>\n<tr>\n<td>Insane<\/td>\n<td>January 2024<\/td>\n<td>Development request \/ affiliate recruitment<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td>DJVU<\/td>\n<td>January 2024<\/td>\n<td>Builder for sale<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td>Zeppelin<\/td>\n<td>January 2024<\/td>\n<td>Source code<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td>Endurance<\/td>\n<td>November 2023<\/td>\n<td>Affiliate recruitment \/ builder for sale<\/td>\n<td>$850<\/td>\n<\/tr>\n<tr>\n<td>Chaos<\/td>\n<td>June 2023<\/td>\n<td>Builder for sale<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td>Qilin<\/td>\n<td>September 2023<\/td>\n<td>Affiliate recruitment<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td>qBit<\/td>\n<td>September 2023<\/td>\n<td>Builder for sale \/ development request<\/td>\n<td>Unknown, released for free December 2023<\/td>\n<\/tr>\n<tr>\n<td>Black Snake<\/td>\n<td>June 2023<\/td>\n<td>Affiliate recruitment<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<tr>\n<td>Hakuna Matata<\/td>\n<td>July 2023<\/td>\n<td>Builder for sale\/distribution<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td>LMAO<\/td>\n<td>June 2023<\/td>\n<td>Builder for sale\/distribution<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td>Unknown<\/td>\n<td>July 2023<\/td>\n<td>Affiliate recruitment<\/td>\n<td>N\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 2: Known ransomware on the four criminal forums we investigated<\/em><\/p>\n<p>Note that we include \u2018yasmha\u2019 in the junk-gun ransomware section, rather than this one, because the poster explicitly stated that it is a variant of <a 
href=\"https:\/\/blogs.blackberry.com\/en\/2022\/05\/yashma-ransomware-tracing-the-chaos-family-tree\">Yashma ransomware<\/a> (the spelling mistake appears to be deliberate, or at least consistent across multiple posts). Conversely, the threat actors offering builders and source code for <a href=\"https:\/\/blogs.blackberry.com\/en\/2022\/09\/djvu-the-ransomware-that-seems-strangely-familiar\">DJVU<\/a> (a variant of STOP), <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-223a\">Zeppelin<\/a>, <a href=\"https:\/\/www.secplicity.org\/2022\/11\/17\/endurance-ransomware-claims-breach-of-us-federal-government\/\">Endurance<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/572831\/chaos-ransomware-explained-a-rapidly-evolving-threat.html\">Chaos<\/a> (the predecessor to Yashma), <a href=\"https:\/\/cyble.com\/blog\/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess\/\">qBit<\/a>, <a href=\"https:\/\/asec.ahnlab.com\/en\/56010\/\">Hakuna Matata<\/a>, and <a href=\"https:\/\/www.cyclonis.com\/remove-lmao-ransomware\/\">LMAO<\/a> (a variant of Chaos) did not state that their products are novel, customized variants.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954034\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image28.png\" alt=\"A screenshot from a criminal forum\" width=\"533\" height=\"436\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image28.png 533w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image28.png?resize=300,245 300w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><\/a><\/p>\n<p><em>Figure 26: An advert for DJVU ransomware on a criminal forum<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954035\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png\" alt=\"A screenshot of a ransomware builder\" width=\"640\" height=\"395\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png 1114w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png?resize=300,185 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png?resize=768,474 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image29.png?resize=1024,632 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 27: A screenshot of the Hakuna Matata ransomware builder, which was offered for sale\/distribution on a forum<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image30.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954036\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image30.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"227\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image30.png 822w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image30.png?resize=300,107 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image30.png?resize=768,273 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 28: A promotional post for Insane ransomware, including a request for development assistance<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954037\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png\" alt=\"A screenshot of a ransomware leak site, with crude graphics resembling a 1990s Geocities page\" width=\"640\" height=\"499\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png 1140w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png?resize=300,234 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png?resize=768,599 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image31.png?resize=1024,799 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 29: Insane\u2019s leak site, with a notably garish old-school aesthetic<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954038\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"404\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png 1048w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png?resize=300,189 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png?resize=768,484 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image32.png?resize=1024,646 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 30: A recruitment advert by the <a href=\"https:\/\/www.group-ib.com\/blog\/qilin-ransomware\/\">Qilin ransomware gang<\/a>. 
Note the use of the term \u201cpentesters\u201d, which threat actors often use as a euphemism for affiliates and\/or IABs on criminal forums<\/em><\/p>\n<p>Finally, we also observed a recruitment campaign by an as-yet-unknown ransomware family, TrapTight.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954039\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"116\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png 1350w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png?resize=300,54 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png?resize=768,139 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image33.png?resize=1024,185 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 31: A recruitment campaign by a new \u2018start-up\u2019 ransomware family, TrapTight<\/em><\/p>\n<p>And another by an unnamed ransomware gang:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image34.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-954040 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image34-e1710156704964.png\" alt=\"A screenshot from a criminal forum\" width=\"970\" height=\"645\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image34-e1710156704964.png 970w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image34-e1710156704964.png?resize=300,199 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image34-e1710156704964.png?resize=768,511 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/a><\/p>\n<p><em>Figure 32: An unnamed ransomware family seeks \u201cpentesters\u201d to target \u201cmedium\/big 
corporation\u201d [sic]<\/em><\/p>\n<p>Threat actors on lower-tier criminal forums therefore seem to have a few options when it comes to getting involved in ransomware. The cheapest, most common, and most straightforward route appears to be the \u2018self-starter\u2019 approach: purchasing junk-gun ransomware for a one-off price, and deploying it as they see fit. Alternatively, threat actors could purchase a builder for a better-known ransomware variant \u2013 something that has been tried and tested already in real-world attacks.<\/p>\n<p>On the other hand, if a threat actor is looking to develop ransomware themselves, or to join an affiliate scheme, but is not skilled or experienced enough to apply to the big leagues, they can seek employment with known secondary ransomware families, possibly as a precursor to joining better-known schemes. Or, if that\u2019s too much of a stretch, they could apply to join a brand-new family like TrapTight.<\/p>\n<h1>Intentions, tutorials, and targets<\/h1>\n<p>While it\u2019s often difficult to ascertain if threat actors have used junk-gun ransomware in the wild, it is clear that some have ambitions to do so. 
For instance, one individual claimed to have bought the Nevermore builder, and was looking to \u201cransom any computer\/server with important files either owned by companies or individuals.\u201d The threat actor went on to say that they were considering looking on Shodan \u2013 a search engine which indexes service banners, allowing users to find specified kinds of devices and services \u2013 to identify vulnerable RDP and SSH servers, an approach <a href=\"https:\/\/www.malwarebytes.com\/blog\/business\/2022\/11\/initial-access-brokers-iabs-3-ways-they-break-into-corporate-networks-and-how-to-detect-them\">similar to that an IAB might take<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954041\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"145\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png 1248w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png?resize=300,68 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png?resize=768,174 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image35.png?resize=1024,231 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 33: A user seeks to spread the Nevermore ransomware<\/em><\/p>\n<p>This interest in target selection is something we saw elsewhere, too; one user sought advice on how to identify \u201ca suitable target\u2026I\u2019ve considered highschools [sic] \/ universities\u201d and asked for tips on \u201cpossible targets, in terms of possible gain, lack of backups, chance of foothold.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954042\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"114\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png 1248w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png?resize=300,53 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png?resize=768,137 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image36.png?resize=1024,182 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 34: A forum user asks for tips on identifying targets<\/em><\/p>\n<p>Another user said that they had already compromised a network, but had \u201cnever deployed a ransomware [sic] before\u201d and asked other forum users for advice or a \u201ctutorial.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image37.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954043\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image37.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"117\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image37.png 779w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image37.png?resize=300,55 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image37.png?resize=768,141 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 35: After compromising a network, a user confesses that they don\u2019t know how to deploy ransomware<\/em><\/p>\n<p>A user on another forum had a similar issue:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954044\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" 
height=\"75\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png 1043w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png?resize=300,35 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png?resize=768,91 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image38.png?resize=1024,121 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 36: A user claims to have access to a company, but asks for assistance on distributing ransomware<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954045\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"137\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png 1231w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png?resize=300,64 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png?resize=768,165 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image39.png?resize=1024,220 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 37: A user (who claims to be relatively knowledgeable) asks for help on how to \u201cinfect people with my ransomware\u201d<\/em><\/p>\n<p>On the subject of guidance, we observed multiple users requesting and sharing copies of so-called \u201cransomware manuals\u201d, including guides written by <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-2\/\">Bassterlord, a prominent ransomware operator and IAB<\/a>, and the \u201c<a href=\"https:\/\/therecord.media\/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals\">Conti manuals<\/a>\u201d, leaked in 2021. 
Evidently, such users are seeking to learn from, and emulate, prominent ransomware actors.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954046\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"235\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png 1137w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png?resize=300,110 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png?resize=768,282 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image40.png?resize=1024,376 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 38: A user shares a copy of one of Bassterlord\u2019s manuals<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image41.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954047\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image41.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"71\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image41.png 1025w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image41.png?resize=300,33 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image41.png?resize=768,85 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 39: A user confesses to being \u201cconfused\u201d about how to configure ransomware and asks for a manual<\/em><\/p>\n<p>In other cases, users created and shared their own guides:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954048\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"373\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png 1269w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png?resize=300,175 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png?resize=768,448 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image42.png?resize=1024,597 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 40: A user shares their own guide on developing and spreading ransomware<\/em><\/p>\n<p>Some users explicitly advocated targeting small businesses and individuals, and sought tips on how to contact them after ransomware deployment; how much money to ask for and in what cryptocurrency; and how to launder the proceeds.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954049\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"55\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png 1373w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png?resize=300,26 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png?resize=768,66 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image43.png?resize=1024,88 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 41: A user seeks advice on how to target small businesses<\/em><\/p>\n<p>Another user, in response to a peer contending that \u201cnormal computer users\u201d would not pay ransoms, argued: \u201cI believe it is reverse [sic]\u2026big techs wont [sic] pay\u2026but some normies do.\u201d<\/p>\n<p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954050\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"256\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png 1218w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png?resize=300,120 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png?resize=768,307 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image44.png?resize=1024,409 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 42: As part of a spirited debate on a criminal forum, a user argues that \u201cbig techs wont [sic] pay\u2026but some normies do\u201d<\/em><\/p>\n<p>One ransomware developer took a more aggressive approach. In their advert, they noted that \u201cthere is no decryption key\u2026once payment is made block the person.\u201d They go on to say that this ransomware is \u201cdesigned\u2026to target specific people such as Scammers, Low Life\u2019s [sic], etc\u2026\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954051\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"119\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png 1040w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png?resize=300,56 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png?resize=768,143 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image45.png?resize=1024,191 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 43: A 
junk-gun ransomware developer notes that their product includes no possibility of decryption \u2013 in other words, victims can pay, but will not be able to recover their files<\/em><\/p>\n<p>In another particularly interesting post, the developer behind Nevermore suggested an alternative approach to orthodox infection strategies: physical access. They advocated putting ransomware on a USB stick; obtaining access to a device (\u201cit could be that annoying neighbor or someone that you work for\u201d); turning off any security products; and then executing the ransomware. \u201cAs long as you avoid witnesses and cameras\u201d, the threat actor went on to say, \u201cthere is no [sic] much evidence to be used against you.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954052\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"301\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png 1256w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png?resize=300,141 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png?resize=768,361 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image46.png?resize=1024,481 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 44: The Nevermore developer suggests combining physical access with ransomware for \u201ceasy money\u201d<\/em><\/p>\n<p>A user commented that this approach \u201cwould be valid only on small corps, [too risky] to try it on any medium sized company\u201d, and suggested combining this tactic with social engineering to gain access to premises.<\/p>\n<p>The Nevermore developer agreed, adding that \u201cyou would be surprised with [sic] the number of people that leave their laptop\/pc alone and 
unlocked and go to the bathroom.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954053\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"155\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png 1243w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png?resize=300,73 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png?resize=768,186 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image47.png?resize=1024,248 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 45: Forum users discuss possible approaches for \u2018physical access ransomware\u2019<\/em><\/p>\n<h1>Aspirations<\/h1>\n<p>While the forums we investigated for this research are frequented by lower-tier threat actors, we observed an interesting nuance. 
Below the buyers and sellers of junk-gun ransomware, there is an even lower tier \u2013 those who are still not yet at the stage of developing their own ransomware, but aspire to do so.<\/p>\n<p>We noted several instances of users soliciting tips on which languages to use, or people who had begun coding ransomware projects but, as in one of the examples below, were \u201cconfused about what to do next.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image48.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954054\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image48.png\" alt=\"A screenshot from a criminal forum\" width=\"637\" height=\"118\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image48.png 637w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image48.png?resize=300,56 300w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><\/a><\/p>\n<p><em>Figure 46: A user seeks advice on \u201cthe most suitable language\u201d for developing ransomware<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954055\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"56\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png 1043w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png?resize=300,26 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png?resize=768,68 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image49.png?resize=1024,90 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 47: A user wonders if writing ransomware in Java is worthwhile<\/em><\/p>\n<p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image50.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954056\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image50.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"726\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image50.png 677w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image50.png?resize=264,300 264w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 48: Users debate the relative merits of writing ransomware in C#. Interestingly, we also observed some users advising others to use Python, although the reception to that suggestion was mixed<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954057\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"65\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png 1335w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png?resize=300,30 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png?resize=768,78 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image51.png?resize=1024,104 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 49: A user asks for help with developing their \u201cRaaS panel\u201d<\/em><\/p>\n<p>In a few instances we also saw users who had an idea for different projects, but weren\u2019t sure if they were feasible.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954058\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png\" 
alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"86\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png 1095w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png?resize=300,40 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png?resize=768,103 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image52.png?resize=1024,137 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 50: A user solicits opinions on worm-based ransomware<\/em><\/p>\n<p>In other cases, users who had presumably overcome these hurdles to create working code were still at a loss as to the next stage. These users asked for advice on how to licence their malware, how much to sell it for \u2013 and even <em>how<\/em> to sell it in the first place.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954059\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"240\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png 1178w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png?resize=300,113 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png?resize=768,288 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image53.png?resize=1024,384 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 51: A user asks for help in understanding how malware licencing works. 
One response, interestingly, draws parallels with prominent tech firms<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954060\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"142\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png 1248w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png?resize=300,66 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png?resize=768,170 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image54.png?resize=1024,226 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 52: A user wonders \u201chow to set a price for\u2026malware\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954061\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"211\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png?resize=300,99 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png?resize=768,253 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image55.png?resize=1024,338 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 53: This user was confused about how to start selling their malware, let alone set a price or figure out a licencing model<\/em><\/p>\n<h1>Tracking tiers<\/h1>\n<p>While it\u2019s no surprise that there are \u2018script kiddies\u2019 on criminal forums, this sub-tier of would-be ransomware actors is still 
noteworthy. On higher-profile, Russian-language cybercrime forums \u2013 those frequented by prominent and prolific IABs, malware developers, and ransomware affiliates \u2013 the questions shown above would be at best ignored, and at worst ridiculed. (And might, of course, fall foul of <a href=\"https:\/\/flashpoint.io\/blog\/avoslocker-ransomware-advertise-and-recruit\/\">the ban on commercial ransomware posts on some major forums<\/a> following the <a href=\"https:\/\/www.techtarget.com\/whatis\/feature\/Colonial-Pipeline-hack-explained-Everything-you-need-to-know\">2021 Colonial Pipeline attack<\/a> \u2013 although many users have <a href=\"https:\/\/www.reliaquest.com\/blog\/looking-for-pentesters-how-forum-life-has-conformed-to-the-ransomware-ban\/\">circumvented the ban<\/a>, and the extent to which it is observed and enforced appears to vary).<\/p>\n<p>But on the forums we\u2019ve discussed here, users are less apprehensive about revealing their ignorance, because those sites cater almost exclusively to less-skilled threat actors. There\u2019s a tacit understanding that these are not gatherings of the elite, or even of professionals, but are instead intended for individuals who aspire to develop their abilities, to the point where they can acquire a piece of the pie for themselves.<\/p>\n<p>While much criminal marketplace research focuses, not unreasonably, on higher-tier Russian-language sites (a topic for another article, but Russian \u2013 specifically <a href=\"https:\/\/www.reliaquest.com\/blog\/russian-prison-culture-and-slang-on-cybercriminal-forums-can-you-cram-on-the-hairdryer\/\">fenya<\/a> \u2013 is arguably the <a href=\"https:\/\/www.thoughtco.com\/linguistic-prestige-1691533\">prestige language<\/a> in the cybercrime underground), there\u2019s also a benefit to monitoring lower-tier, English-language forums. Sites like this may well produce the next generation of threat actors. 
The relatively low-quality ideas and projects featured on them now could evolve into more sophisticated threats over time, as threat actors\u2019 capabilities and confidence grow.<\/p>\n<p>There\u2019s also an argument that lower-tier English-language forums may serve as the first step of a career development path for some threat actors. The graphic below illustrates the tiers we observed in our investigation, and how a threat actor might advance through them. Users begin by asking basic questions, and trying to code rudimentary ransomware and malware themselves. They may then graduate to buying junk-gun ransomware, or developing, sharing, and selling it \u2013 perhaps, as we saw with Loni, with ambitions to eventually turn their projects into more complex schemes.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954062\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png\" alt=\"A graphic showing various tiers of ransomware status, arranged in a multicolored pyramid\" width=\"640\" height=\"361\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png 2746w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png?resize=768,434 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png?resize=1024,578 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png?resize=1536,867 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image56.png?resize=2048,1156 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 54: An illustration of the various tiers of capability, ambition, and potential career development for ransomware actors<\/em><\/p>\n<p>Above that tier are recruitment and development opportunities with emerging and 
secondary ransomware families \u2013 which have organized RaaS schemes; tried-and-tested malware; pre-existing infrastructure; and a proven track record of real-world attacks. And then, at the apex, are the prominent, household-name ransomware groups \u2013 the tier to which threat actors can aspire once they\u2019ve paid their dues, gained experience, and made a name for themselves.<\/p>\n<p>It&#8217;s therefore important to view junk-gun ransomware not just as an interesting phenomenon in and of itself, but as a component of the wider ransomware ecosystem, and as a potential route to bigger and better opportunities for its creators, buyers, and users. As such, it\u2019s worthwhile tracking junk-gun ransomware and the individuals involved with it. Not only do they pose a threat to small businesses and individuals now, but as time goes on, at least some of them will likely become increasingly capable of inflicting damage on a larger scale.<\/p>\n<h1>Conclusion<\/h1>\n<p>Because junk-gun ransomware seems to be a nascent development, we\u2019ll be keeping an eye on it. It may signal a move towards a further fracturing of the ransomware market, and perhaps even impending market saturation. Or it may be that ransomware continues to shift into several distinct tiers: high-profile groups target high-profile organizations, while the \u2018scraps\u2019 \u2013 small businesses and individuals \u2013 are left for lower-tier threat actors. Those lower-tier actors, who are currently making and selling junk-gun ransomware, may in time \u2018move up the ranks\u2019 and be recruited as developers or affiliates by larger, more professional outfits.<\/p>\n<p>To some extent, junk-gun ransomware is likely also simply a reflection of capitalism in action. Like any other market, supply will expand to meet demand, and would-be profiteers will flock to whatever services and products are generating the most money \u2013 and carve out niches for themselves as they do so. 
While we focused on ransomware for this research, it\u2019s likely the same story for infostealers, RATs, and cryptominers: lower-quality products and actors at the bottom of the pile, hoping to eventually filter through to the top.<\/p>\n<p>What is clear, however, is that junk-gun ransomware poses unique challenges to small businesses, the wider public, and the security community. We observed threat actors explicitly referring to attacks against smaller companies and individuals \u2013 even as they tried to determine which types of company to target, and how much ransom to demand \u2013 because such targets are typically less well-defended, less informed, and less prepared.<\/p>\n<p>Meanwhile, junk-gun ransomware presents the security industry with several problems. It\u2019s difficult to obtain samples of junk-gun ransomware; to determine the extent to which it has been used in the wild; and to track new variants. Threat actors will also sometimes adopt the \u2018brand names\u2019 of known ransomware families, possibly to exploit their reputations \u2013 something which can cause confusion amongst researchers. Crucially, there\u2019s also less threat intelligence about junk-gun ransomware, because the forums on which it proliferates are not always heavily monitored by researchers \u2013 resulting in an intelligence gap. Of course, both businesses and security researchers must devote time and resources to tracking numerous threats, some higher priority than others, and which vary according to risk profiles, sectors, geography, and other factors \u2013 so there\u2019s a balance to be struck.<\/p>\n<p>However, tracking junk-gun ransomware, and those who are, at least currently, on the periphery of the ransomware ecosystem, can provide valuable insights into both individual threats, and potential future trends in the wider threat landscape. 
Monitoring specific ransomware variants can help to protect small businesses and individuals now, while tracking sellers, buyers, and capabilities can provide insight into the development of threats and threat actors over time.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals \u2013 but also provide insights into threat actor career development and the wider threat landscape<\/p>\n","protected":false}}