In decades past, cybercriminals were a diverse bunch.
From hacktivists and hobbyists to grudge-bearing employees and opportunists, organizations suffered at the hands of a broad range of threat actors with a full spectrum of interests, motivations, and rationalizations. However, as we explored in last year's report, today's threat actors are, by and large, unified in their desire for money.
Verizon’s latest Data Breach Investigations Report (DBIR) found a whopping 94.6% of breaches are financially motivated. To put that in perspective, if we step back in time just 10 years, ideological and “just for kicks” attacks were so common they actually outnumbered financially motivated attacks in some threat categories—notably, web application attacks. As the 2014 report noted:
“Just under two out of every three web app attacks were attributable to activist groups driven by ideology and lulz; just under one out of three came by the hand of financially motivated actors; with the small remainder linked to espionage.”
Oh, how times have changed. Today, attacks against web applications mirror the broader picture: just 1% are of the “fun” variety, while 95% are financially motivated. Taking another look at the 2014 dataset, we also see that espionage was at an all-time high. Over a quarter of all breaches reported that year were due to espionage, compared to less than 5% today.
The catalyst for this change is simple: organized crime groups have recognized en masse that cybercrime is an opportunity to make large profits with minimal risk—at least, compared to physical, real-world criminal activities.
In 2009, just 19% of external breaches could be traced to known organized crime groups. By 2018, organized crime groups were responsible for just under half (49%) of all breaches. And for the last two years, the figure was above 70%. Given the financial success these groups are netting, this trend will likely continue for the foreseeable future.
The Shortest Distance Between Two Points
What happens when organized crime groups become the dominant force in cybercrime? Well… a bunch of things. The romanticized notion of the smart, mysterious hacker—or perhaps more accurately, the basement-dwelling, hoodie-wearing hacker—goes straight out of the window.
Like other forms of organized crime, most of today’s cybercrime is just another form of business. Illegitimate business, but business nonetheless. And when crime becomes a business, one thing is for certain—there’s no room for unnecessary sophistication or elegance in the tactics employed.
An organized crime group’s objective is to make money with as little outlay of time or resources as possible. To that end, they seek tactics that support their desire to make money in the fastest and most profitable way possible—while taking the least amount of risk. We can observe the impact of these priorities by looking at how threat actors' tactics have changed over time.
Back in 2008, 59% of breaches involved “hacking” of some sort—direct exploitation of vulnerabilities, use of backdoors, etc. In the most recent dataset, that figure had fallen by nearly half to just 37%.
During the same time period, the use of social engineering—once referred to as “deceit” in the DBIR dataset—has almost doubled, rising from just 10% of breaches in 2008 to nearly 18% in 2023. And, in recent years, the use of automation to identify weak targets and gain an initial foothold inside corporate networks has risen dramatically.
All of this speaks to attackers favoring a “path of least resistance” approach to their activities, where the use of technical skill is reduced to the minimum necessary to extract a profit. With the increasing prevalence of the Ransomware-as-a-Service (RaaS) business model, much of the technical skill required to turn a profit is now outsourced to specialist groups. This allows many criminal groups to conduct highly sophisticated cyberattacks while possessing minimal technical capabilities in-house.
Show Me the Money
Which brings us to the crux of the matter:
How can cybercrime groups maximize profit in the shortest amount of time, with the fewest steps, while minimizing their risk of being caught or punished?
In simple terms, there are four options:
- Direct financial theft
This can be achieved by compromising a financial account. However, since most banks have implemented additional security measures, it’s usually done using Business Email Compromise (BEC) scams. These scams are as direct as it gets—cybercriminals use social engineering tactics to trick victims into sending money directly to them.
- Data theft for resale
This was the leading form of cybercrime monetization for a long time. Personal data like credit card details, social security numbers, and medical records are long-time favorites, along with login credentials for personal and corporate accounts. And while this approach is still undeniably popular—stolen credentials, in particular, are an evergreen resource still used in nearly half of all external breaches—recent years have shown a clear shift towards a third monetization option.
- Ransom
Both the most recent DBIR and CoDB datasets found that ransomware is responsible for close to a quarter of all breaches. Think about that. A decade ago, ransomware didn’t warrant a mention in either report. Today, one in four breaches starts with a poorly spelled demand for cryptocurrency.
Of course, ransomware isn’t the last word in ransom-based cyberattacks. Recently, there has been a huge rise in combined encryption and data exfiltration attacks. This tactic gives attackers the additional leverage of threatening to publish stolen data online. This is commonly referred to as a double extortion threat, and poses a particular concern for healthcare and education organizations. In the event that a victim refuses to pay, attackers can even sell stolen data to turn a profit.
And if all else fails, cybercriminals can fall back on an old favorite: Distributed Denial of Service (DDoS) attacks. Even decades after they became popular, DDoS attacks still account for nearly 40% of all cyber incidents worldwide. While ransom-based DDoS attacks are the exception rather than the rule, Cloudflare reports around 8% of all DDoS attacks are accompanied by a ransom demand.
- Supplying the criminal economy
The three options listed above cover the major monetization paths for groups looking to profit directly from cybercrime. However, there’s another path for the discerning criminal: providing products and services to cybercriminals.
Today, there’s a booming trade in supplying the cybercriminal economy. It starts with ransomware-as-a-service—which we covered the economics of in last year’s report—but in recent years, it’s expanded far beyond that.
Most of the top malware variants of 2023 have been around for years and are routinely updated and maintained by the same groups. The latest versions are readily available for sale online, and some even come as-a-service offerings, which can include regular updates and professional support to help criminal groups get maximum benefit from their purchases. Some malware families—particularly ransomware—are available for free, with developers taking a cut of profits.
While ransomware is undoubtedly the “king of the hill,” other types of malware and malicious infrastructure are also increasingly being offered as-a-service. Research by Kaspersky found that between 2015 and 2022, 58% of as-a-service malware was ransomware, 24% was infostealers, and 18% was botnets, loaders, and backdoors.
And all this is just the tip of the iceberg. The Sophos 2023 Threat Report identified not one but nine other as-a-service offerings that enterprising criminals are selling right now on the dark web:
- Access-as-a-Service (e.g., selling stolen credentials)
- Malware distribution
- Phishing
- OPSEC
- Malware encryption (to bypass detection)
- Scamming kits
- Vishing
- Spamming
- Scanning
Put simply, there have never been more options for would-be cybercriminals to procure the skills and capabilities they lack—or, more likely, to augment their own specialisms with those of their fellow criminals.
- Need access to a specific organization for an extortion attempt? Buy the credentials.
- Have a nifty new malware strain but no way to spread it around? Pay someone for distribution.
- Looking for an easy target but don’t know how to find one? Hire a specialist to hunt some out.
This combination of professionalization and specialization in the cybercrime economy is undoubtedly bad news for organizations. It allows cybercriminal groups to outsource their weaker functions to specialists, ultimately raising the sophistication of cyber threats across the board.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. As simple as saying, "Cybercriminals go where the money is," or as complicated as digital forensics and malware analysis.
In our new report, we've striven for a happy medium that gives insight into cybercrime trends without getting bogged down in unnecessary details. We've also included the most important steps to protect yourself against cybercrime.
Download the report to learn:
- How AI threatens to raise the threat of cybercrime even further than it already is.
- Cybercrime group priorities and how they are reflected in their tactics.
- The four basic ways cybercriminals make money.
- And more!
March 26, 2024