Distributed Cybercrime - Attack the World

Tal Sheffer, CTO, Skybox Security | Wednesday, 27 September 2017, 08:47 IST

Ransomware and banking Trojans dominate the cybercrime mainstream today, and their technical operations are heavily analyzed. But little attention has been given to the business model, which plays a large role in dictating their behavior, targets and tactics.

A revolutionary concept in cybercrime is what I call "distributed cybercrime," a business model in which cybercriminals attack many victims in the same campaign. Like many other inventions now common in modern life, distributed cybercrime may seem trivial today. But this concept emerged little more than a decade ago and has already come to dominate the threat landscape.

Improved ROI and the support of a newly erected “dark industry” have made distributed cybercrime the hottest trend in cybercrime. Most of the professional cybercriminal groups today develop malware with a distributed business model, then use professional platforms, distribution services and infection experts to attack the world. They don’t know who their victims are, nor do they care. They’re not looking to get points on style. They’re just businessmen who built the perfect, automated money-making machine.

6 Reasons Why Cybercriminals Love the New Business Model

Beginning in 2006, innovations in malware, banking Trojans and ransomware created a new type of business model for cybercriminals: rather than concentrating all their efforts on penetrating high-quality targets, they can steal small amounts of money from numerous victims.

The business model of distributed cybercrime has made some attackers multi-millionaires in a short amount of time due to its many business benefits:

1. Attacks require less effort as they target “low-hanging fruit” (i.e., individuals or organizations with sub-par security)

2. Attack skill level is low compared to techniques such as spear-phishing – regular ol’ phishing is good enough for weak targets

3. Highly coveted zero-day vulnerabilities are no longer required for profitable attacks – mainstream CVE vulnerabilities with known exploits and existing patches will do, as many victims don't patch regularly

4. Any standard endpoint is a potential source of revenue, making lateral movement toward the crown jewels irrelevant

5. When you attack the world, the sky is the limit – the amount of potential revenue is endless

6. Less effort and more profit means better ROI

Mass Distribution, Victim Profiling and Outsourcing

The new business model presented new challenges for cybercriminals. If you want to become filthy rich through distributed cybercrime, you can’t just attack 100 victims – you need to attack hundreds of thousands of victims. This drove professional cybercriminals to build mass-distribution platforms to spread their malware and automated-infection systems to exploit victims’ machines and run the malware.

But quantity of traffic is not enough. Victims must fit a desirable profile. Cybercriminals want to avoid targeting low-income victims with ransomware, as they’re probably less able to pay the ransom, and the ransomware’s language should match the victims’ language to ensure instructions on purchasing bitcoin and paying the ransom are understood. Mass distribution experts and traffic dealers offer their shady customers exactly this type of targeted service.

In addition to victim-specific traffic, infection services are also up for sale (or more commonly, for rent). Rather than coming up with new or unique exploits, pre-packaged exploit kits are readily available to launch the attack of your choosing. These kits supply the distribution and traffic services mentioned above, use the best exploit available to infect victims’ machines and, if successful, run the customer’s malware. The exploit kit method essentially outsources distribution and infection to reliable, high-quality service providers at an affordable price.

Where Have All the Targeted Attackers Gone?

You may ask yourself: what happened to targeted attacks? The answer: absolutely nothing (and thank you for asking). In fact, targeted attacks today are easier than ever, as demonstrated by cyber attackers who do care about the identity of their victims (like nation-states). Targeted attacks did not disappear; they’ve only been eclipsed by the attractive ROI of distributed attacks. Only when the profitability of targeted attacks can compete with the distributed cybercrime business model will we see them rise to prevalence again.

There are initial signs that cybercriminals are testing targeted attacks with malware more commonly used for distributed attacks, as evidenced by recent ransomware attacks on high-quality targets such as hospitals and hotels. The problem comes back to ROI: while cybercriminals demanded up to $5M ransom from one victim, the highest ransom paid by a single victim (as far as we know) was a meager $28K.

The Next Big Thing

What’s next for the innovative cybercriminal? My prediction: a hybrid business model with tailored ransom pricing. Imagine a mass-distribution platform doling out ransomware on a global scale that, when executed, will assess the victim’s environment. If that environment is a consumer’s machine, the calculated ransom will be relatively low; if it’s an enterprise network, considerably higher; if it’s critical infrastructure, astronomical.

Whatever the next big thing is in cybercrime, you can be sure it will be driven by ROI – nothing dictates the dark industry more than these three simple letters.