Cybercrime "as a service"


Current trends show that the number of cyber-attacks taking place throughout the world is increasing exponentially and alarmingly. The industrialisation of some criminal groups moves them closer to a business model every day, as they implement techniques that give them greater scope and destructive power. It is probably better described as a lucrative industry, with a "business" model that is overwhelmingly successful.

According to a study by Cybersecurity Ventures, cyber-attacks worldwide will cost approximately 6 trillion dollars in 2021. According to a report by Allianz Global, this figure, if considered as an industry sector, would rank 27th among the world's largest economies.

One such example is so-called "cybercrime as a service" (CaaS), i.e., the practice of facilitating illegal activities through services. In the IT sector, there are companies that provide different services to their customers, such as PaaS (Platform as a Service) or SaaS (Software as a Service), in order to offer a product that meets the customer's needs. In the same way, cybercriminals have decided to make all their know-how and their own developments of different types of malware or exploits available to a certain public that wants to "join the industry".

In this phenomenon, any user, without the need for advanced technical knowledge, could access pre-configured 'packages' that would allow them to spread malware across different companies or exploit a specific vulnerability. These packages are usually sold on private platforms, located on the dark web or on platforms such as Telegram (a platform increasingly used by cybercriminals) for prices that can be considered affordable. From around $50 you can get one of these basic packages. 

For underground cybercriminals, CaaS offers a new dimension of cybercrime, as it is more organised, automated and accessible to criminals with limited technical knowledge.

Within this service it is possible to find all kinds of models: so-called "crime-ware as a service", which consists of identifying vulnerabilities and developing the attack on them; "investigation as a service", which can provide certain credentials or personal information about a specific person; and "hacking as a service", where a complete attack is outsourced. These are just a few examples of the services that a cybercriminal group can offer, but there are many more and they are becoming more diversified as the groups' technical capabilities develop. Moreover, they do not only distribute pre-configured, ready-to-use packages: there is a whole marketing campaign behind them, which even offers buyers 24/7 customer service, where it is possible to get support, information and help.

One of the services offered that is currently of most concern in the sector is the so-called RaaS, that is, "ransomware as a service", where users can acquire a ransomware model that they can distribute to any company in the future. This means that ransomware attacks no longer come exclusively from cybercriminals, but that any user can access these techniques and be the one to spread them. This could be a possible explanation for the sharp increase in this type of attack, which has been growing for some years now and has become a real headache for professionals in the cybersecurity field and for the companies that, unfortunately, are affected.

These organisations are not small groups acting maliciously, but a very complex and extensive network, spread geographically all over the world, that is able to maintain anonymity by hiding in the underground corridors that the internet provides. They therefore sit outside the conventional search engines that most users use: invisible to ordinary users, but visible enough for anyone interested to find them with relative ease once they have obtained sufficient technical knowledge.

The main motivation for this phenomenon of "industrialisation" can be found in economic profit. If something has changed in the movement, it is the growing interest in profit. Initially, in previous decades, the people behind these illicit activities had other motivations, such as hacktivism, gaining recognition or even investigating (and, why not say it, also having fun). However, when the ransomware phenomenon began to yield very high profits, the motivations began to change.

Current knowledge of these organisations is limited and derives from the few organisations that have been uncovered by law enforcement agencies, as was the case with the gang behind the "Cl0p" ransomware, arrested in June this year. Therefore, there is still a long way to go to fully understand the phenomenon. 

Ainoa Guillén González, Coordinator of the Cybersecurity Area of Sec2Crime