Cybercrime-as-a-Service: Commoditization Fuels Threat Surge
 

The everything-as-a-service era has been beneficial for small to midsize businesses. The ability to access innovative tools and advanced capabilities without having to invest in their development or the infrastructure to support them has helped to level the competitive playing field. 

But it’s also been a boon to cybercriminals.

Just as many high-tech companies offer their technology software, infrastructure and services on-demand to other businesses, so too do skilled hackers sell their capabilities as neatly packaged pay-per-use services that anyone can use. The cybercrime marketplace has evolved into a managed services industry, as former Defense Criminal Investigative Service agent and cybersecurity professor Thomas S. Hyslip explained, because it’s more profitable and less risky to sell the tools to commit the crime than to actually perpetrate it.[1]

This trend has commoditized cybercrime, by driving the barrier to entry for cybercriminals to an all-time low. Bad actors no longer need to be highly skilled or particularly motivated. They don’t have to write code or even purchase any technology. So-called crimeware-as-a-service can also be the preferred option for “advanced attackers that want to conduct hit-and-run operations,” noted an article in CyberNews.[2] The tools necessary to carry out all types of cybercrime are for sale as-a-service and payable by cryptocurrency, whether a bad actor wants to rent botnets for distributed denial-of-service (DDoS) attacks, pay to use some malware to underpin a ransomware effort or get some help with phishing. 

Ransomware-as-a-service (RaaS) has gotten the most attention — and traction — thus far, but phishing kits are also widely available, and experts are warning of an uptick in AI-enabled cybercrime services. Global cybersecurity authorities and law enforcement have taken note. “The market for ransomware became increasingly ‘professional’ and there has been an increase in cybercriminal services-for-hire,” reads a February 2022 joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre and the UK’s National Cyber Security Centre (NCSC).^[3] While official efforts to rein in the cybercrime-as-a-service industry are important, businesses must remain vigilant to ensure that their systems and users are adequately protected from these increasingly easily deployed attacks.

Most Developed: Ransomware-as-a-Service

RaaS is basically pay-per-use malware that can be used to encrypt or steal data in pursuit of a payoff from the victim organization. The ransomware producer offers RaaS software to “affiliates” who then deploy the exploit to encrypt or hold data hostage. Typically, the malware developer gets a percentage of what victims pay for their decryption key or data return. There are benefits on both sides: The malware creator can grow their revenues at lower risk, and the buyer can pursue profitable exploits with little or no technical skill or long-term investment.

It's estimated that as many as two-thirds of ransomware attacks are enabled by the RaaS model, and its use is increasing.[4] A rise in RaaS offerings in 2021 “lowered the barriers to entry for threat actors, putting highly-effective malware in the hands of more operators,” according to a recent report,[5] resulting in record high ransomware incidents that are expected to continue accelerating in 2022.

There have been some notable law enforcement efforts in this area. Late last year, Russian authorities raided one of the biggest ransomware-as-a-service operators called REvil, arresting 14 of its members and halting its operations at the request of U.S. officials.[6] However, as the Wall Street Journal noted, these crimeware operators typically re-emerge under new names after high-profile arrests.

The ransomware itself isn’t the only piece of the criminal enterprise to get packaged more professionally. Full-service RaaS operators will offer not only customer service to affiliates during ransomware campaigns, they may also handle ransomware payments and decryption key access.[7] Initial access brokers (IABs) find vulnerabilities within organizations and sell that access to ransomware threat actors.[8] The CISA advisory revealed that some cybercriminals also use independent services to negotiate payments, assist victims with making payments and arbitrate payment disputes. The NCSC even found some ransomware perpetrators “offered their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.”

Phishing Kits Fuel Email Entry

When it comes to gaining entry into an organization’s network, phishing remains the top infection vector for ransomware incidents, according to the latest CISA advisory. And the cost of a successful phishing attack goes beyond any money paid for hijacked data. A 2021 Ponemon Institute study estimated that lost business represents the largest share of data breach costs.[9]

Here, too, would-be bad guys benefit from the managed services approach. They can license a pre-made phishing attack — otherwise known as a phishing kit — available on the dark web and online marketplaces. These kits are ready-to-go .zip files packed with the code and resources required to deploy a phishing attack on a web server. Phishing-as-a-service is increasingly automated and is only expected to grow in sophistication.

Even Smarter Crimeware-as-a-Service

As the nefarious application of artificial intelligence for cybercrime grows, it’s only logical that AI-enabled crimeware is emerging as well. "We have crime-as-a-service, we have AI-as-a-service. We'll have AI-for-crime-as-a-service too,” Philipp Amann, head of strategy at EU law enforcement agency's Europol's European Cybercrime Centre, told Politico.[10]

We’ve seen how AI can power more personalized phishing attempts and enable more effective and stealthier malware. So, it’s no leap to see how AI can upgrade those existing as-a-service products. But the advanced algorithms that enable deep fake videos could also be commoditized and used to create fingerprints or facial images capable of fooling biometric systems. Ditto for the machine learning algorithms capable of cracking CAPTCHA.

The Bottom Line

The cybercrime-as-a-service marketplace is likely to grow as long as it pays — and it does, providing a lower-risk revenue source for crimeware purveyors and, for their customers, an easy way to perpetrate sophisticated phishing, ransomware and other exploits. While government and law enforcement agencies work to address the issues, organizations must ensure their systems are protected and their users remain vigilant.
 

[1] “Cybercrime-as-a-Service Operations,” Palgrave Handbook of International Cybercrime and Cyberdeviance

[2] “The Crimeware-as-a-Service model is sweeping over the cybercrime world. Here’s why,” CyberNews

[3] “CISA, FBI, NSA and International Partners Issue Advisory on Ransomware Trends from 2021,” Cybersecurity and Infrastructure Security Agency

[4] “Ransomware as a service is the new big problem for business,” ZDNet

[5] “ZeroFox Releases 2022 Forecast Report Anticipating Increases in Ransomware, Third-Party Compromises and Malware-as-a-Service,” BusinessWire

[6] “What Russia’s Arrest of REvil Hackers Means for Ransomware,” Wall Street Journal

[7] Ransomware-as-a-service, TechTarget

[8] The Rise of Initial Access Brokers, Digital Shadows

[9] “Cost of Data Breach Report 2021,” Ponemon Institute and IBM

[10] “One Group That’s Embraced AI: Criminals,” Politico