Cheap ransomware is being sold for one-time use on dark web forums, allowing inexperienced freelancers to get into cybercrime without any interaction with affiliates. 

Researchers at the intelligence unit at the cybersecurity firm Sophos found 19 ransomware varieties being offered for sale or advertised as under development on four forums from June 2023 to February 2024. 

They compared the cybercrime tools to “junk guns” — cheap, imported handguns that flooded the U.S. in the 1960s and 1970s. While the weapons were often unreliable, they offered certain advantages like low barriers to entry and little traceability. 

Those same advantages apply for would-be cybercriminals in the market for ransomware starter kits. The varieties researchers observed ranged from $20 to 0.5 bitcoin, or approximately $13,000 at the time it was posted. The median average price was $375. 

The one-off cybercrime  tools differ from ransomware-as-a-service models because there are no affiliates involved who expect a cut of the profits. 

“Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently,” researchers said. “They can target small companies and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut.”

While this freedom may sound appealing, as is the case with cheap unlicensed handguns there are risks:  namely, that the tools themselves are either defective or “backdoored as part of a scam.”

In would-be criminals’ minds, however, “these are likely acceptable risks – not least because using junk-gun ransomware may eventually lead to more lucrative employment opportunities with prominent ransomware gangs,” they wrote. 

The efficacy of these tools in the wild is unclear. There is little infrastructure for investigators to monitor and targets are likely to be small businesses or individuals, resulting in little publicity. Moreover, the attackers do not have leak sites for stolen data. 

At least one of the tools for sale, EvilExtractor, was observed being used last year in attacks in the U.S. and Europe, and there were claims on forums of three other variants having been successfully used. 

Christopher Budd, director of Sophos X-Ops, emphasized the challenges these tools pose for defenders. 

“Because attackers are using these variants against SMBs [small and medium-sized businesses] and the ransom demands are small, most attacks are likely to go undetected and unreported. That leaves an intelligence gap for defenders, one the security community will have to fill,” he said.

The chatter on dark web forums where the ransomware is sold shows the amateurish nature of operations. Unlike on higher-profile dark web sites, there seem to be no dumb questions on these forums “for individuals who aspire to develop their abilities, to the point where they can acquire a piece of the pie for themselves.”

Researchers observed users requesting and sharing copies of how-to guides, including a ransomware manual written by the prominent ransomware operator Bassterlord. 

One user posted on a forum to say they were trying something new: “Targeted phishing to gain a foothold, to then collect as much valuable data and run ransomware.”

“So does anyone know what would be some good possible targets, in terms of possible gain, lack of backups, chance of foothold,” they wrote. “Also any tips for an operation like this are much appreciated as this is my first time.”