Recent research highlights a worrying trend on the dark web: the proliferation of cheap, one-time-use ransomware tools. Between June 2023 and February 2024, Sophos’ intelligence unit uncovered 19 different ransomware types for sale or in development across various dark web forums. These tools, which researchers liken to the low-quality “junk guns” of the past, are being marketed to amateur cybercriminals, offering them an easy and relatively anonymous entry into the world of cybercrime.
The ransomware variants observed range in price from as little as $20 to around 0.5 bitcoin (approximately $13,000), with a median price of $375. Unlike more sophisticated ransomware-as-a-service (RaaS) models, these tools require no revenue sharing with affiliates, making them particularly attractive to individuals seeking to initiate attacks independently. They target small businesses and individuals less likely to have strong cybersecurity measures in place.
Why it matters: The availability of inexpensive ransomware on the dark web poses significant threats to global cybersecurity, particularly for small and medium-sized businesses (SMBs) and individuals. These tools lower the barriers to entry for aspiring cybercriminals and could lead to an increase in attacks. Moreover, the simplicity and anonymity offered by these ransomware kits complicate efforts by cybersecurity professionals to track and mitigate these threats effectively.
- Community Engagement on Dark Web Forums: The forums selling these ransomware tools are bustling with activity from amateurs seeking advice and sharing tactics, highlighting the community-driven aspect of this new cybercrime wave. This includes discussions on targeting strategies and operational tips, indicating a collaborative environment that supports the development of cybercriminal skills.
- Evidence of Usage in the Wild: Despite the uncertainties about their reliability, at least one ransomware tool, EvilExtractor, has been confirmed as having been used in real-world attacks across the U.S. and Europe. Reports on dark web forums also claim successful deployments of other variants, demonstrating the practical threat posed by these tools.
- Intelligence and Monitoring Challenges: The low cost and independent nature of these ransomware attacks make them difficult to monitor. Christopher Budd from Sophos emphasized the intelligence gap that arises because these attacks often go undetected and unreported, making it harder for defenders to stay ahead of cyber threats.