Like the businesses it targets, the world of cybercrime has become a highly organized and professional ecosystem. It borrows the agility and processes of companies, and is trying to build an ecosystem in which to pool attacks and improve its efficiency.
Historically, cybercrime was born out of amateurism and the egotistical desire to pull off feats. Older readers will remember the first hackers, mostly students, alone behind their screens, tweaking code to bypass almost non-existent countermeasures. Since then, greed has taken over and cybercriminals have become more professional. They have set up complex organizations, developed reusable tools and adopted processes that have enabled them to industrialize their activities. They are now taking the next step, which is creating a true cybercrime ecosystem.
According to a study by Kaspersky’s cybersecurity experts, the world of cybercrime is structured as a vast ecosystem of providers who sell services to each other. “Some groups of cybercriminals go even further and do not hesitate to create real marketplaces,” they explain, “like the one that the Sodinokibi group recently used to sell stolen data, or even to create alliances and partnerships, as the group behind the Maze ransomware recently claimed on its website.” If this continues, it is not impossible that we will soon see mergers and acquisitions (!).
According to Kaspersky, attacking companies, which invest more and more effort and resources in countermeasures, obliges cybercriminals to pool their resources to break through the defenses put in place. Corporate defenses cannot be broken through by the same means as those used against individuals, and the random installation of malware by unsuspecting employees is not enough, the report said.
“An essential point to keep in mind is that an attack on a company does not happen by chance: it is a complex operation resulting from the action of a complete value chain, from intrusion into the corporate system up to the ransom note or data theft, including the installation of malware. And each of these steps can be carried out by different groups,” analyzes Ivan Kwiatkowski, cybersecurity researcher at Kaspersky.
The owner of a network of infected machines has several options for taking advantage of it, the report said. The owner can take the following actions:
- infrastructure as a service (IaaS): infected machines are used as relays for other attacks, or to store illegal content;
- crimeware as a service: sale of services related to cybercrime, such as the organization of DDoS attacks or distribution of spam from infected machines;
- malware as a service: installation of customer-supplied malware on infected computers (usually billed according to the number of installations);
- splitting of infected machines into lots, “pack of 1000 victims in France” for example, and sale of direct access.