In our field, our customers often express disbelief in how brazen cybercriminals can be. As a “sign of the times”, entrepreneurial bad actors have started commoditizing their offering in what is called crimeware-as-a-service. This article explores this disturbing trend and its implications.
With the introduction of cloud computing, the phrase “as-a-service” has become ubiquitous. Offerings like Software-as-a-Service (SaaS) allow organizations to use specialized functionality without being responsible for maintaining and securing the underlying infrastructure. This enables organizations to scale and focus on core business practices while outsourcing tasks outside their central business model.
Unfortunately, cybercrime has taken some pointers from the industry and has begun creating “as-a-service” offerings as well.
Traditionally a hacker needed to be a jack-of-all-trades with in-depth computer knowledge. Crimeware-as-a-Service (CaaS) allows specialization in a certain area of the space while renting goods or services from other cybercriminals as needed.
The new service-based cybercriminal economy has both internal and external benefits to hackers. Internally, it allows cybercriminals to specialize in a certain role. Rather than one individual running an entire phishing operation, responsibility may be spread over several individuals doing different jobs and splitting the profits. A team may include someone creating the malware or phishing sites, another providing mail servers and mailing lists, a third handling customer service (especially for ransomware), and a fourth converting any valuable data or currency (gift cards, airline miles, cryptocurrency, etc.) into untraceable profit.
Specialization means that no one has to know how to do everything and the entire operation works more efficiently.
The service-based economy also has “benefits” for non-hackers. A disgruntled employee or activist may want to attack an organization but not have the cyber know-how to do so. With the new economy, they can buy or rent the skills they lack in the form of exploits, Denial of Service (DoS), or ransomware as a service.
In the past, most hackers hoarded their exploits. When a zero-day vulnerability (a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the problem) was used, it was out in the open. This allowed network defenders to develop patches or antivirus signatures for it. These vulnerabilities can be difficult and expensive to find. Most threat actors hoarded them to use in their own campaigns.
In recent years, the sale of vulnerabilities and exploits on the black market has become more common. An example of this is the Shadow Brokers, the group that breached stolen NSA exploits. These exploits were used in WannaCry and NotPetya ransomware as well as a variety of other malware since.
Finding a vulnerability in a system and developing an exploit for it is challenging. Hackers are competing with internal and external quality assurance programs (like bug bounties) to find these vulnerabilities. This creates a higher bar of entry and limited the pool of criminals capable of pulling off large-scale attacks.
With vulnerabilities and exploits available for sale, it is easier to create malware. This increases the threat to target systems.
Denial of Service (DoS) attacks are designed to diminish or destroy a target system’s ability to operate (i.e. by taking down a website). Distributed Denial of Service (DDoS) attacks, where multiple machines are used in the attack, are becoming increasingly common, driving up the difficulty and cost of protection.
DDoS attacks have started being offered “as a Service” as well. Hackers with control of botnets “rent out” the botnet’s services. DDoS attacks can cost the hacker as little as $7 per hour. Hackers typically charge their customers about $25 per hour.
Crimeware-as-a-Service makes many more people capable of a denial of service attack. The high cost of a DDoS attack to the target (potentially over $1.6 million for large organizations) means the attacker can impact their target significantly with minimal cost. This makes the threat of an attack of a disgruntled employee against the organization more real.
A ransomware attack can be very damaging to an unprepared organization. If the company doesn’t have a strong backup policy, significant amounts of data may be encrypted. This leaves the victim with the choice of accepting the loss of the data or paying the ransom. Unfortunately, even a paid ransom doesn’t guarantee the victim will get the data back.
With Ransomware as a Service (RaaS), these capabilities are within the reach of the average bad actor. DIY ransomware building kits are available on the black market for as low as $38. With this kit, anyone can launch an enterprise-scale ransomware attack.
The main impacts of the service-based crimeware economy are the scale and targets of attacks. As the ability to perform significant attacks becomes more accessible, the number of attacks grows and organizations that may not previously been targeted may be now.
While it seems like doomsday news regarding cyber crimes is released constantly, there are solutions and strategies to deal with these threats regardless of industry or organization size.