Today the cybercriminal community costs the global economy an estimated $2.9million every minute. And, because every cost is usually someone else’s revenue, that translates into a global cybercrime economy currently exceeding $1.5trillion annually. It’s an economy we are all part of because we are the unwilling “customers” who pay ransoms to get our systems unencrypted or have our data stolen and monetized on the dark web. While it might be comforting to imagine that cybercriminals are disorganized, acting alone or in small groups, this is definitively not the case. In any market with that much potential, there are major players, collaborators, competitors, innovators and influencers; cybercrime is no different. 

As we aim to protect ourselves from the revenue-generating activities of cybercriminals and the geopolitical machinations of nation-state actors it is important to understand how the industry behaves and where it is heading. In the VMware Carbon Black Threat Analysis Unit, we track trends, spot emerging tactics and analyse how the sector is pivoting towards new targets so we can prevent clients from becoming victims. 

Innovation and evolution

The relationship between cybercriminals and victims is often presented as a “high stakes game”, or a “battle” between good and evil. While there are definitely elements of both those metaphors, today it is more realistic to see cybercrime as fast-moving industry that evolves, innovates and responds to the actions of competitors and customers in order to unlock new revenue opportunities, sweat assets and monetise activities more effectively.

The evolution of ransomware is a good example. Historically, ransomware was largely distributed indiscriminately in the hope that someone would click on a malicious link and launch the payload that would encrypt systems and initiate a ransom demand.

However, defenders have responded to this approach by improving anti-phishing tools, educating employees on how to spot suspicious messages and strengthening backup solutions so that data and system recovery is achievable without necessarily having to pay a ransom. This posed a problem for attackers, who faced dwindling profit opportunities. 

To solve this, adversaries have evolved and refined their approach to a much more bespoke, hands-on operation. Now, the first step is gain initial access to the target network, most commonly by way of known Remote Desktop and VPN concentrator exploits, and conduct reconnaissance to discover the assets it contains, sometimes even residing within the network for months. Backdoor access is established so the attacker can revisit the target, considering that their primary means of access may be terminated at any point. Then, data is quietly exfiltrated. Only then is the ransomware payload deployed. Now the attacker has several opportunities to monetise and sweat the assets they procured:

1. Conventional: direct ransom payment from the victim in return for decrypting the system.
2. Extortion: if the victim resists, threaten to publish stolen data, thereby alerting regulatory authorities and customers to the data breach and/or releasing trade secrets, with the associated fines, penalties and reputation damage. Ransom is paid, but the kicker is that the attacker still has your data and there is nothing to stop them repeating their demands.
3. Sell the stolen data on a dark web marketplace: data relating to intellectual property such as medical formulations will fetch a high price
4. Access Mining: sell access to the compromized network to third parties on the dark web so they can conduct their own attack. This is often done prior to the Ransomware group gaining access itself, especially common when the attacker is leveraging Ransomware as a Service.

This evolution in approach is why it is so critical that full incident response is undertaken following an attack to root out persistent malware. Just as back-ups have come to the rescue of victims, malicious actors are also aiming to get their malware sync’d to the backups in order to take repeated bites of the cherry. This is just one example of how the cybercrime industry innovates to solve the problems defenders put in its way.

Recruitment and affiliation programmes

Leading the drive for innovation are the big “brands” in the industry. These are well-known groups that conduct major campaigns and bring in millions in revenue. Names such as MAZE, Ragnar Locker REvil and Russian state-backed Sandworm Team are attractive to hacker talent and groups run recruitment programmes to identify new skilled affiliates. They are operating like multimillion-dollar enterprises and even, in some cases, like cartels. 

These groups don’t want to be infiltrated themselves, so recruitment interview screening processes often include Russian language questions asked in context, that only native speakers could answer. This is followed by technical questions to assure the group that the potential recruit will add value. 

Passing the screening process is more than worth it for the new recruits. Armed with data and inside intelligence the groups have amassed from previous attacks they conduct lucrative campaigns, with reports suggesting that affiliate earnings from compromising US targets can reach sums of $7-8million. There is no question that these are businesses and that they are scaling up. 

The trickledown effect – enabling less skilled actors

In every industry we see true innovators and fast-followers, with expertise trickling down through the community – cybercrime is no different. Attack techniques that have been developed and made public are quickly assimilated and commoditized to make them accessible to a wider range of actors and thereby growing the cybercrime economy. 

The rise of Ransomware as a Service and Access Mining as a service lets groups monetise these services without carrying out campaigns themselves. Today an unskilled actor could buy access credentials to a medium sized corporation for $1000, rent ransomware as a service for $5000, then exfiltrate data and launch a double extortion attack to get a $50,000+ payoff. This is a small investment for a big potential reward.

This means that, as our attack surface continues to expand through the deployment of IoT devices and mass home-working, the population of cyberthreat actors capable of targeting that network is also growing. 

In this industry the role of the “victim” or “customer” – as some groups refer to their targets - is pivotal to its success. As we develop new defences the market opportunity shrinks, until an innovation finds a way to overcome them or monetise in a different way.

Right now, because the skilled actors in the economy are focusing on staying undetected when they gain access to your network – so they can sell it on for profit – you won’t know that you’re about to become a “customer” until the ransomware attack is launched, long after your data has gone.

Getting out of this unwilling target base is not easy. It requires vigilance against high volume, sophisticated attacks while simultaneously assuring that you have no low-hanging fruit exposed to the internet. These are coming through a multitude of vectors: recently we’ve witnessed a surge in groups using EMOTET to open up old conversations in Office365, so victims think they’re communicating with a known contact, until the malicious payload is delivered. Being alert to these trending techniques is essential to refine defence tactics. And to reiterate, active incident response with forensic analysis to root out the malware back ups is critical following any incident to prevent adversaries getting back in. 

No one wants to be part of this industry but, while it continues to proliferate, its our business to make market conditions as difficult for cybercriminals as possible.