The $1.5tn industry you didn’t know you were part of – the corporate evolution of cybercrime

Today the cybercriminal community costs the global economy an estimated $2.9 million every minute. And, because every cost is usually someone else’s revenue, that translates into a global cybercrime economy currently exceeding $1.5 trillion annually. It’s an economy we are all part of. We are the unwilling “customers” who pay ransoms to get our systems unencrypted or who have our data stolen and monetised on the dark web.

While it might be comforting to imagine that cybercriminals are disorganised, acting alone or in small groups, this is definitively not the case. In any market with that much potential, there are major players, collaborators, competitors, innovators and influencers; cybercrime is no different.

As we aim to protect ourselves from the revenue-generating activities of cybercriminals and the geopolitical machinations of nation-state actors, it is important to understand how the industry behaves and where it is heading. In the VMware Carbon Black Threat Analysis Unit, we track trends, spot emerging tactics and analyse how the sector is pivoting towards new targets so we can prevent clients from becoming victims.

Innovation and evolution 

The relationship between cybercriminals and victims is often presented as a “high stakes game”, or a “battle” between good and evil. While there are definitely elements of both those metaphors, today it is more realistic to see cybercrime as a fast-moving industry that evolves, innovates and responds to the actions of competitors and customers in order to unlock new revenue opportunities, sweat assets and monetise activities more effectively.

The evolution of ransomware is a good example. Historically, ransomware was largely distributed indiscriminately in the hope that someone would click on a malicious link and launch the payload that would encrypt systems and initiate a ransom demand.

However, defenders have responded to this approach by improving anti-phishing tools. They are also educating employees on how to spot suspicious messages. Backup solutions have also been strengthened so that data and system recovery is achievable without necessarily having to pay a ransom. This posed a problem for attackers, who faced dwindling profit opportunities.

To solve this, adversaries have evolved and refined their approach into a much more bespoke, hands-on operation. Now, the first step is to gain initial access to the target network, most commonly by exploiting known vulnerabilities in internet-exposed Remote Desktop services and VPN concentrators. The attackers then conduct reconnaissance to discover the assets the network contains, sometimes residing within it for months. Backdoor access is established so the attacker can revisit the target, since their primary means of access may be terminated at any point. Then, data is quietly exfiltrated. Only then is the ransomware payload deployed.
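As an added example (not code from the original article or from VMware Carbon Black), the Python script below shows how a defender can spot the initial-access step described above in logon telemetry. It reads a constructed, simplified rendering of Windows Security events 4624 (successful logon) and 4625 (failed logon) carrying logon type 10 (RemoteInteractive, i.e. RDP), and flags RDP logons that either originate outside an assumed set of internal address ranges or succeed after a run of failures from the same source. The one-line log format, the internal ranges, the failure threshold and the sample addresses (RFC 5737 documentation ranges standing in for external sources) are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed, simplified logon records (not real Windows logs), one per line:
#   event=<4624|4625> user=<name> type=<logon type> src=<source ip>
# Logon type 10 is RemoteInteractive (RDP). The external addresses are
# RFC 5737 documentation ranges used here as stand-ins for real internet sources.
SAMPLE_LOG = """\
event=4625 user=admin type=10 src=198.51.100.23
event=4625 user=admin type=10 src=198.51.100.23
event=4625 user=admin type=10 src=198.51.100.23
event=4625 user=admin type=10 src=198.51.100.23
event=4625 user=admin type=10 src=198.51.100.23
event=4624 user=admin type=10 src=198.51.100.23
event=4624 user=alice type=10 src=10.0.4.17
event=4624 user=svc_backup type=3 src=10.0.2.5
event=4624 user=bob type=10 src=203.0.113.9
"""

LINE_RE = re.compile(r"event=(\d+) user=(\S+) type=(\d+) src=(\S+)")

# Assumed corporate address space; RDP should only ever arrive from here
# (or from a VPN range you add to this list), never directly from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed tuning value: a success after this many failures from one source
# looks like a brute-force or password-spray that finally landed.
FAILED_THRESHOLD = 5


def parse(log_text):
    """Turn the constructed log text into a list of dicts, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"event": int(m.group(1)), "user": m.group(2),
                            "type": int(m.group(3)), "src": m.group(4)})
    return records


def is_external(ip):
    """True if the source is outside every assumed internal range (unparsable counts as external)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp(records, failed_threshold=FAILED_THRESHOLD):
    """Return (user, src, reasons) for each successful RDP logon worth a look."""
    failures = Counter()   # failed RDP attempts seen so far, keyed by source IP
    findings = []
    for r in records:
        if r["type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        if r["event"] == 4625:
            failures[r["src"]] += 1
            continue
        if r["event"] != 4624:
            continue
        reasons = []
        if is_external(r["src"]):
            reasons.append("rdp-from-external-ip")
        if failures[r["src"]] >= failed_threshold:
            reasons.append(f"success-after-{failures[r['src']]}-failures")
        if reasons:
            findings.append((r["user"], r["src"], reasons))
    return findings


def analyse_log(log_text=SAMPLE_LOG):
    return find_suspicious_rdp(parse(log_text))


if __name__ == "__main__":
    for user, src, reasons in analyse_log():
        print(f"{user} from {src}: {', '.join(reasons)}")
```

Run against the constructed sample, the script reports the admin logon from 198.51.100.23 (external, and preceded by five failures) and bob’s logon from 203.0.113.9 (external), while alice’s internal RDP session and the service account’s network logon are left alone. The same two checks, an allowlist of source ranges and a failure count per source, are what a SIEM rule for this initial-access step boils down to.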

Four opportunities to monetise stolen assets

Now the attacker has several opportunities to monetise and sweat the assets they procured:

  1. Conventional: Direct ransom payment from the victim in return for decrypting the system.
  2. Extortion: If the victim resists, threaten to publish the stolen data. Publication alerts regulatory authorities and customers to the breach and/or releases trade secrets, with the associated fines, penalties and reputational damage. The ransom is paid, but the kicker is that the attacker still has your data, and there is nothing to stop them from repeating their demands.
  3. Sell the stolen data on a dark web marketplace: Data relating to intellectual property, such as medical formulations, will fetch a high price.
  4. Access mining: Sell access to the compromised network to third parties on the dark web so they can conduct their own attack. The access is often sold before the ransomware group itself gets in, which is especially common when the attacker is using ransomware as a service.

This evolution in approach is why it is so critical that full incident response is undertaken following an attack to root out persistent malware. Just as back-ups have come to the rescue of victims, malicious actors are also aiming to get their malware synced to the backups in order to take repeated bites of the cherry. This is just one example of how the cybercrime industry innovates to solve the problems defenders put in its way.

Recruitment and affiliation programmes

Leading the drive for innovation are the big “brands” in the industry. These are well-known groups that conduct major campaigns and bring in millions in revenue. Names such as MAZE, Ragnar Locker, REvil and Russian state-backed Sandworm Team are attractive to hacker talent. Groups also run recruitment programmes to identify new skilled affiliates. They are operating like multimillion-dollar enterprises and even, in some cases, like cartels.

These groups don’t want to be infiltrated themselves. Recruitment interview screening processes often include Russian-language questions, asked in context, that only native speakers could answer. This is followed by technical questions to assure the group that the potential recruit will add value.

Passing the screening process is more than worth it for the new recruits. Armed with the data and inside intelligence the groups have amassed from previous attacks, they conduct lucrative campaigns. Reports suggest that affiliate earnings from compromising US targets can reach sums of $7-8 million. There is no question that these are businesses and that they are scaling up.

The trickledown effect enabling less-skilled actors

In every industry, we see true innovators and fast-followers, with expertise trickling down through the community. Cybercrime is no different. Attack techniques that have been developed and made public are quickly assimilated and commoditised. This makes them accessible to a wider range of actors and thereby grows the cybercrime economy.

The rise of ransomware as a service and access mining as a service lets groups monetise their tooling and footholds without carrying out campaigns themselves. Today an unskilled actor could buy access credentials to a medium-sized corporation for $1,000, rent ransomware as a service for $5,000, then exfiltrate data and launch a double extortion attack to get a $50,000+ payoff. This is a small investment for a big potential reward.

This means that, as our attack surface continues to expand through the deployment of IoT devices and mass home-working, the population of cyberthreat actors capable of targeting it is also growing.

In this industry, the role of the “victim” or “customer” – as some groups refer to their targets – is pivotal to its success. As we develop new defences, the market opportunity shrinks, until an innovation finds a way to overcome them or to monetise in a different way.

Right now, the skilled actors in the economy are focusing on staying undetected when they gain access to your network. This allows them to sell it on for profit. You won’t know that you’re about to become a “customer” until the ransomware attack is launched, long after your data has gone.

Be vigilant and stop easy attacks

Getting out of this unwilling target base is not easy. It requires vigilance against high-volume, sophisticated attacks, which arrive through a multitude of vectors, while at the same time ensuring that you have no low-hanging fruit exposed to the internet.

Recently we’ve witnessed a surge in groups using Emotet to reply into old email conversations in Office 365, so victims think they’re communicating with a known contact until the malicious payload is delivered. Being alert to these trending techniques is essential to refine defence tactics. And to reiterate, active incident response with forensic analysis to root the malware out of both live systems and backups is critical following any incident, to prevent adversaries from getting back in.
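The reply-chain trick above is detectable with a few header-level heuristics. As an added example (not code from the original article or from VMware Carbon Black), the Python below triages a constructed batch of messages and flags a reply that carries a known contact’s display name but a different sending address, that revives a thread dormant for a long time, or that brings a macro-capable attachment; two or more of those together are treated as a hit. The address book, the 90-day dormancy window, the attachment watchlist and the sample messages are all assumptions made for the example, and a real deployment would read them from the mail platform rather than from literals.

```python
import re
from email.utils import parseaddr

# Assumed address book: the address the organisation actually knows for each contact.
KNOWN_CONTACTS = {
    "Dana Keller": "dana.keller@partner.example",
    "Sam Ortiz": "sam.ortiz@vendor.example",
}

# Assumed watchlist of attachment types that can carry macros or hide a loader.
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".zip")

# Assumed: a reply to a thread quiet for longer than this is worth a second look.
DORMANT_DAYS = 90

REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)

# Constructed sample messages (not real captures). "days_since_last_reply" is
# assumed to have been computed from the thread history by the mail platform.
SAMPLE_MESSAGES = [
    {"from": "Dana Keller <dana.keller@partner.example>",
     "subject": "Re: Q3 invoice", "days_since_last_reply": 2,
     "attachments": ["invoice_q3.pdf"]},
    {"from": "Dana Keller <dkeller@mail-relay.example>",
     "subject": "RE: Q3 invoice", "days_since_last_reply": 190,
     "attachments": ["Q3_invoice.doc"]},
    {"from": "Sam Ortiz <sam.ortiz@vendor.example>",
     "subject": "Project kickoff", "days_since_last_reply": 0,
     "attachments": []},
]


def assess(msg):
    """Return the list of reasons a reply-chain message looks hijacked (empty if clean)."""
    reasons = []
    if not REPLY_RE.match(msg["subject"]):
        return reasons                      # only replies/forwards are in scope here
    name, addr = parseaddr(msg["from"])
    known = KNOWN_CONTACTS.get(name)
    # Display name of a real contact, but the envelope address is not theirs.
    if known and known.lower() != addr.lower():
        reasons.append("display-name-matches-contact-but-address-differs")
    if msg["days_since_last_reply"] > DORMANT_DAYS:
        reasons.append("reply-to-dormant-thread")
    if any(a.lower().endswith(MACRO_CAPABLE) for a in msg["attachments"]):
        reasons.append("macro-capable-attachment")
    return reasons


def triage(messages, min_reasons=2):
    """Return (from header, reasons) for every message with at least min_reasons hits."""
    hits = []
    for m in messages:
        reasons = assess(m)
        if len(reasons) >= min_reasons:
            hits.append((m["from"], reasons))
    return hits


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(f"{sender}: {', '.join(reasons)}")
```

On the constructed batch, only the second message is reported: it wears Dana Keller’s name on an address the organisation has never seen, revives a thread that has been quiet for about six months, and carries a .doc. The genuine reply from the same contact and the fresh, non-reply message pass untouched, which is the behaviour you want before wiring a rule like this to quarantine.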

No one wants to be part of this industry but, while it continues to proliferate, it’s our business to make market conditions as difficult for cybercriminals as possible.


VMware Carbon Black is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The VMware Carbon Black Cloud consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analysing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviours, enabling customers to detect, respond to and stop emerging attacks.

More than 6,000 global customers, including approximately one-third of the Fortune 100, trust VMware Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use VMware Carbon Black’s technology in more than 500 breach investigations per year.
