Sophos’s recent analysis of the ransomware landscape has uncovered a notable departure from the conventional Ransomware-as-a-Service (RaaS) model, signaling a potential shift towards cheaper and more accessible off-the-shelf ransomware variants. This shift is exemplified by the emergence of what Sophos refers to as “junk gun” ransomware variants, which have gained prominence since June 2023.
These “junk gun” variants represent a departure from the sophisticated and service-oriented approach of traditional RaaS offerings. Instead, they are characterized by their affordability, simplicity, and independence from ongoing service provision. Unlike RaaS, where hackers lease access to ransomware tools and share profits with the developers, these new variants can be acquired for a one-time fee, allowing hackers to retain full control over their operations and potential profits. Remarkably, the cost of these “junk gun” ransomware variants is significantly lower than that of their RaaS counterparts, with an average price of just $375. This affordability makes them an attractive option for cybercriminals seeking to enter the ransomware arena without substantial financial investment.
Furthermore, Sophos identifies a growing dissatisfaction among threat actors with the revenue-sharing arrangements inherent in RaaS models. This discontent has been exacerbated by high-profile incidents such as the Change Healthcare ransomware attack, where hackers absconded with a $20 million ransom payment, leaving the victim empty-handed. Such incidents underscore the risks associated with RaaS partnerships and may drive cybercriminals towards more independent and cost-effective alternatives.
Interestingly, these cheaper ransomware variants are predominantly found on English-language dark web forums, diverging from the Russian-speaking forums typically associated with established ransomware families. This accessibility and localization cater to a broader audience of cybercriminals, including those with limited technical expertise or resources.
Christopher Budd, director of threat research at Sophos, observes that the ransomware landscape is undergoing a period of transformation. The disappearance of major ransomware operators and growing dissatisfaction among affiliates suggest a potential evolution in ransomware tactics and business models. The rise of these “junk gun” variants may herald a new era in ransomware, catering to cybercriminals focused on profit rather than reputation-building. As cybercrime continues to evolve, adaptability and innovation among threat actors remain key factors shaping the landscape.