In our field our customers often express disbelief in how brazen cyber criminals can be. As a “sign of the times” entrepreneurial bad actors have started commoditizing their offering in what is called crimeware-as-a-service. This article explores this disturbing trend and its implications.
What is Crimeware-as-a-Service?
With the introduction of cloud computing the phrase “as-a-Service” has become ubiquitous. Offerings like Software-as-a-Service (SaaS), Platform-as-a-Service (Paas), etc. allow organizations to take advantage of certain specialized functionality without being responsible for maintaining and securing the underlying infrastructure. This enables organizations to scale and focus on core business practices while outsourcing tasks outside their central business model.
Unfortunately, cyber crime has taken some pointers from industry and has begun creating “as-a-Service” offerings as well. While previously a hacker needed to be a jack-of-all-trades with in-depth computer knowledge, the Crimeware-as-a-Service (CaaS) economy allows specialization in a certain area of the space, while renting goods or services from other cyber criminals as needed.
What Cyber Criminals are Selling
The new service-based cyber criminal economy has both internal and external benefits to hackers. Internally, it allows cyber criminals to specialize in a certain role. Rather than one individual running an entire phishing operation, it may consist of several individuals doing different jobs and splitting the profits. A team may include someone creating the malware or phishing sites, another providing mail servers and mailing lists, a third handling customer service (especially for ransomware), and a fourth converting any valuable data or currency (gift cards, airline miles, cryptocurrency, etc.) into untraceable profit. Specialization means that no one has to know how to do everything and the entire operation works more efficiently.
The service-based economy also has “benefits” for non-hackers. A disgruntled employee or activist may want to attack an organization but not have the cyber know-how to do so. With the new economy, they can buy or rent the skills they lack in the form of exploits, Denial of Service (DoS), or ransomware as a service.
Exploits as a Service
In the past, most hackers hoarded their exploits. When a zero-day vulnerability (a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the problem) is used, it’s out in the open, allowing network defenders to develop patches or antivirus signatures for it. Since these vulnerabilities can be difficult and expensive to find, it made sense that most threat actors would hoard them to use in their own campaigns.
In recent years, the sale of vulnerabilities and exploits on the black market has become more common. An example of this is the Shadow Brokers, the group who breached stolen NSA exploits. These exploits were used in WannaCry and NotPetya ransomware as well as a variety of other malware since.
Finding a vulnerability in a system and developing an exploit for it is challenging, since hackers are competing with internal and external quality assurance programs (like bug bounties) to find these vulnerabilities. This created a higher bar of entry and limited the pool of criminals capable of pulling off large-scale attacks. With vulnerabilities and exploits available for sale, it is easier to create malware, increasing the threat to target systems.
DoS as a Service
Denial of Service (DoS) attacks are designed to diminish or destroy a target system’s ability to operate (i.e. by taking down a website). Distributed Denial of Service (DDoS) attacks, where multiple machines are used in the attack, are becoming increasingly common, driving up the difficulty and cost of protection.
DDoS attacks have started being offered “as a Service” as well. Hackers with control of botnets rent out the botnet’s services for DDoS attacks. DDoS attacks can cost the hacker as little as $7 per hour, and they typically charge their customers about $25 per hour.
This puts the ability to hire a DDoS attack within the capabilities of many people, making the threat of an attack of a disgruntled employee against the organization more real. The high cost of a DDoS attack to the target (potentially over $1.6 million for large organizations), means that the attacker can have a significant impact on their target with comparatively minimal cost.
Ransomware as a Service
A ransomware attack can be very damaging to an unprepared organization. If the company doesn’t have a strong backup policy, significant amounts of data may be encrypted, leaving the victim with the choice of accepting the loss of the data or paying the ransom (with no guarantee of getting the data back).
With Ransomware as a Service (RaaS), these capabilities are within the reach of the average bad actor. DIY ransomware building kits are available on the black market for as low as $38. With this kit, anyone can launch an enterprise-scale ransomware attack.
How Crimeware-as-a-Service Changes Security
The main impacts of the service-based crimeware economy are the scale and targets of attacks. As the ability to perform significant attacks becomes more accessible, the number of attacks grows and organizations that may not previously have been targets may be now.
How to Deal with Crimeware-as-a-Service
While it seems like doomsday news regarding cyber crimes is released constantly, there are solutions and strategies to deal with these threats regardless of industry or organization size.
Whether you’re just getting started with your cyber program, or are working on maturing your security posture, Sword & Shield can help you assess, identify and remediate your gaps. To find out how you can beef up your cybersecurity defenses to meet this new threat, reach out to Sword & Shield for a consultation.