You don’t have to be a hacker to hack.
Much like legitimate businesses must pay for the various inputs that make up their offerings, cybercriminals rely on products and services — some legitimate and some purchased on the dark web — to conduct their operations.
A report published Friday by Deloitte, titled “Black Market Ecosystem: Estimating the Cost of ‘Pwnership,'” paints a picture of an underground economy of tools for cybercriminals and assesses how actors in this space adapt and innovate much like legitimate businesses would invest in their own services.
“The underground economy is a diverse but interrelated ecosystem where nearly all criminal enterprises incorporate a mixed assortment of tools and services,” the report says. “This same concept is reflected in legitimate markets where businesses and economies focus their effort on the production of a limited scope of products or services to achieve productive efficiencies, increase quality, and reduce costs.”
Someone running a cybercriminal operation — whether they’re focused on to stealing private information, or extorting victims for ransom payments — typically does not need much technical expertise, according to the report.
“For every category of criminals, a product almost certainly exists which caters to their needs. This holds true whether the criminal is a novice looking for entry level products, to practitioners capable of modifying and customizing their tools, to the seasoned experts who often offer skills developing custom products. However, the cost of these products does not necessarily correlate to the skill level of the threat actors who purchase them,” the report says.
Costs are based on the complexity and level of customization required for each tool, Deloitte says.
The price to purchase the components to run a phishing and data harvesting operation can run from $28 to $1601, based on Deloitte’s analysis of real services available for purchase. Those services include purpose-built tools like phishing kits, as well as the infrastructure used to host the operation, and the vectors used to deliver spam or social engineering messages.
More complex operations cost more. Deloitte estimates that a ransomware campaign, for example, could cost between $391 and $1,044. That includes tools like the ransomware payload, a downloader, file encrypting tools, hosting services and a distribution method.
The criminals’ costs pale in comparison to the damage that can be done to victims. Individual organizations can lose millions of dollars to a successful cybercriminal operation, Deloitte found. Researchers estimated earlier this year that the annual economic damage done by cybercrime totals roughly $600 billion.
Because cybercriminals rely on many of the same tools and methods, Deloitte researchers say that the market responds predictably when popular services become unavailable. The takedown of a popular botnet by law enforcement can result in a shift to similar kind, for example. But underground buyers and sellers have proven innovative and resilient, Deloitte says, and simply targeting individual tools is not likely to curb attacks.
The researchers argue that to significantly mitigate the damage done by cybercrime, defenders should take an approach that focuses not just on taking down specific tools, but also on detecting certain types of hacker behavior.
“Monitoring and tuning security controls based on tactics, techniques and procedures derived from threat intelligence — rather than atomic indicators — can have a direct impact on the underground market by forcing threat actors to reinvent their operations from scratch, which can take significant amounts of time, effort and money; and ultimately challenge the adversary’s cost-benefit scenario,” the report says.