Tal Sheffer , Chief Technology Officer , Skybox Security
How business model innovation has changed the game of cybercrime and turned it into a multi-million-dollar dark industry. Tal Sheffer,Chief Technology Officer, Skybox Security
Ransomware and banking Trojans dominate the cybercrime mainstream today, and their technical operations are heavily analyzed. But little attention has been given to the business model which plays a large role in dictating their behavior, targets, and tactics.
A revolutionary concept in cybercrime is what I call distributed cybercrime, a business model in which cybercriminals attack many victims in the same campaign. Like many other inventions now common in modern life, distributed cybercrime may seem trivial today. But this concept emerged little more than a decade ago and has already dominated the threat landscape.
Improved ROI and the support of a newly erected dark industry has made distributed cybercrime the hottest trend in cybercrime. Most of the professional cybercriminal groups today develop malware with a distributed business model, then use professional platforms, distribution services, and infection experts to attack the world. They do not know who their victims are nor do they care. They are not looking to get points on style. They are just businessmen who built the perfect, automated money-making machine.
Six Reasons Why Cybercriminals Love the New Business Mode
Beginning in 2006, innovations in malware, banking Trojans and ransomware created a new type of business model for cybercriminals – rather than concentrating all their efforts on penetrating high-quality targets, they can steal small amounts of money from numerous victims.
The business model of distributed cybercrime has made some attackers multi-millionaires in a short period of time due to its many business benefits:
- Attacks require less effort as they target low-hanging fruit (i.e., individuals or organizations with sub-par security).
- Attack skill level is low compared to techniques such as spear-phishing – regular ol' phishing is good enough for weak targets.
- Highly coveted zero-day vulnerabilities are no longer required for profitable attacks – mainstream CVE vulnerabilities with known exploits and existing patches will do, as many victims do not patch regularly.
- Any standard endpoint is a potential source of revenue, making lateral movement toward the crown jewels irrelevant.
- When you attack the world, the sky is the limit – the amount of potential revenues is endless.
- Less effort and more profit means better ROI.
Mass Distribution, Victim Profiling, and Outsourcing
The new business model presented new challenges for cybercriminals. If you want to become filthy rich through distributed cybercrime, you cannot just attack 100 victims – you need to attack hundreds of thousands of victims. This drove professional cybercriminals to build mass-distribution platforms to spread their malware and automated-infection systems to exploit victims' machines and run the malware.
But quantity of traffic is not enough. Victims must fit a desirable profile. Cybercriminals want to avoid targeting low-income victims with ransomware as they are probably less able to pay the ransom, and the ransomware's language should match the victims' language to ensure instructions on purchasing bitcoin and paying the ransom are understood. Mass distribution experts and traffic dealers offer their shady customers this very type of targeted services.
In addition to victim-specific traffic, infection services are also up for sale (or more commonly, for rent). Rather than coming up with new or unique exploits, pre-packaged exploit kits are readily available to launch the attack of your choosing. These kits supply the distribution and traffic services mentioned above, use the best exploit available to infect victims' machines and, if successful, run the customer's malware. The exploit kit method essentially outsources distribution and infection to reliable, high-quality service providers at an affordable price.
Where Have All the Targeted Attackers Gone?
You may ask yourself: what happened to targeted attacks? The answer: absolutely nothing (and thank you for asking). In fact, targeted attacks today are easier than ever, as demonstrated by cyber attackers who do care about the identity of their victims (like nation-states). Targeted attacks did not disappear – they have only been eclipsed by the attractiveness of the ROI of distributed attacks. Only when the profitability of targeted attacks can compete with the distributed cybercrime business model will we see their rise to prevalence again.
There are initial signs that cybercriminals are testing targeted attacks with malware more commonly used for distributed attacks, as evidenced by recent ransomware attacks on high-quality targets such as hospitals and hotels. The problem comes back to ROI: while cybercriminals demanded up to USD 5 million ransom from one victim, the highest ransom paid by a single victim (as far as we know) was a meager USD 28K.
The Next Big Thing
What's next for the innovative cybercriminal? My prediction: a hybrid business model with tailored ransom pricing. Imagine a mass-distribution platform doling out ransomware on a global scale that when executed will assess the victim's environment. If that environment is a consumer's machine, the calculated ransom will be relatively low; if it is an enterprise network, considerably higher; if it is critical infrastructure, astronomical.
Whatever the next big thing is in cybercrime, you can be sure it will be driven by ROI – nothing dictates the dark industry more than these three simple letters.