BLUF

Cyber criminals’ business models are evolving, often drawing on practices borrowed from the very businesses they attack. This should give hope to the victims of cyber crime because a more structured and formalised cyber crime marketplace is easier to scrutinise, realign, regulate, and possibly decimate, especially if state actors get involved in countering strategies.

Background

The recent rise in public statements given by ransomware-as-a-service organisations (and the Darkside shutdown) give an interesting picture of how the cyber crime sector is maturing.

Since the money made through such crimes is becoming substantial and sustainable – cash-outs aside – cyber criminals are creating their own business models largely based on traditional practices – borrowed from the very businesses they are attacking.

A few observations:

1. Public affairs/ Reputational Risk: DarkSide, the ransomware gang that had earlier hit the Colonial Pipeline claimed that it was not looking to target “medical facilities, funeral services, educational establishments, non-profit organisations, and governments“. They then followed it up with a statement on the website where they leak data that said: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives. Our goal is to make money. and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future. This tactic, even though it may have been adopted after feeling the heat from law enforcement, is a move towards trying to develop a more public persona for the organization and to mitigate reputational risk, as it were, which in their case may lead to punitive action from state actors with meaningful counter-attack capabilities.
2. Target markets: Preying upon the masses by low sophistication botnets was a thing, but now the attacks are more targeted. Cyber criminals can be in your systems for some time, figuring out if your organization has cyber insurance, how best to hamstring your operations to get you to cough up. In other words, there is now a clear ROI calculation in the mix. In certain sectors, attacks coincide with their highest revenue generating periods or crucial public financial reporting windows. If the cyber criminal has more sophistication and your organization – an SME or a big company – appears to have money but also bad luck, it will reach for you in a sophisticated, targeted attack.
3. Vendor solutions: You want to launder your bitcoin? The cyber criminals have a vendor for that. You want to purchase access to an organization? There is a vendor for that, TA505 being a prime example of this kind. You buy card numbers but do not know what to do with them? There is a vendor who will “help” you with that. The cyber criminals no longer hire every skill in their own team. They turn to others, subcontracting specialised services to them. In other words, cyber crime is maturing like any other market creating specialised criminals with their own niches. These specialised outfits are are reliant on one another, selling products and associated “services”, conducting operations much like legitimate organizations do.
4. Ethics: Much as the cyber criminals wish to position themselves publicly as being socially responsible or apolitical, and not attacking certain kinds of targets on ethical grounds, it is debatable whether it is actually driven by ethics or by concern about possible repercussions. But it is increasingly happening.

Solutions are ever present with the growth and development of cyber crime business models and this offers the victims hope which may not previously have been present.

There is talk of hacking the cyber criminals back. Corporations that usually operate in a cut-throat environment are well-resourced for cyber security as defense. Offensive (or active defense, whatever you want to call it) cyber is a very different animal, perhaps not the best use of corporate resources. We already get tripped up extending past our corporate borders for security. Offensive corporate cyber security practices would be archipelago islands individually defending against invasion.

The casualties from friendly fire (and litigation) would exceed attacker damages.

Corporate sectors have other tools to deal with cyber crime’s developing maturity, ones they know well. Legal and ethics aside, we could use cutthroat business practices for good (for a change), squeeze them out via capitalism. Public affairs, M&A, audit… these may become the new heroic defenders – or attackers the criminals never see coming. Whole worlds of possibility are here, bringing a cold backlash to criminals the likes of which they’d never dreamed.

And if we really wanted to cause criminals damage, we could unleash the force of regulators…

-scl