If crime doesn’t pay, some cybercriminals wouldn’t know it. A top team member in a cybercrime outfit like Conti can make an estimated US$1.1 million a year, according to a report released Monday by Trend Micro.
Since cybercrime groups don’t file reports with the SEC, the salary earned by a top money maker in a large criminal enterprise like Conti represents a best guess by Trend Micro based on leaked information about the group and its estimated revenue of $150 million to $180 million.
“Facts extracted from the leaked conversations paint a picture of the Conti organization as closely resembling a large, legitimate business,” Trend Micro’s researchers noted.
“These criminals seem to have managed to build a complex organization with many layers of management and internal rules and regulations that mimicked that of a legitimate corporation,” they added.
The report “Inside the Halls of a Cybercrime Business,” by David Sancho and Mayra Rosario Fuentes, focuses on the revenues and organization of three distinct criminal groups — one small (under $500,000 in annual revenue), one medium (up to $50 million) and one large (more than $50 million).
Size Influences Specialization
Like any enterprise, size influences how specialized a criminal organization needs to be, observed Trend Micro Vice President of Market Strategy Eric Skinner.
“A small group will specialize in one area — either subcontracting other aspects of their operation or being niche providers for larger groups,” he told TechNewsWorld.
“As a group gets larger,” he continued, “they can bring more of the niche skills in-house to reduce costs or to have more control of their supply chain.”
“Criminal organizations tend to mirror legal business because both are trying to maximize profits,” he added. “An organization not driven by profit, say an idealist or terrorist org, will often have different structures to reflect their different goals.”
As criminal organizations grow, they face many of the same “business” challenges as legitimate organizations, including recruiting, training, software development, business development, and marketing, noted Sean McNee, vice president of research and data at internet intelligence specialists DomainTools in Seattle.
“As such,” he told TechNewsWorld, “they have adopted many best practices and business models to address the same issues facing legitimate organizations in managing these challenges.”
New Kind of Startup
McNee said the cybercrime ecosystem is a competitive free market that is maturing rapidly.
“Relationships in that economy allow for organizations to explore technical specialization, efficient affiliate and sales models, and the ability to scale effectively,” he continued. “Cybercrime operations could then be viewed in terms of tech startups — capitalize on speed, rapid iterations to product-market fit and forging business partnerships.”
Criminal organizations aren’t that different from for-profit corporations, maintained John Bambenek, principal threat hunter at Netenrich, an IT and digital security operations company in San Jose, Calif.
“They need to organize people and processes to accomplish the mission of making money,” he told TechNewsWorld. “They simply are willing to use criminal tools to achieve that.”
Not only do traditional business models have a proven record of success, but they scale well, too, added Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Dealing with groups of criminals, there needs to be a clear delineation of authority, and checks and balances must be in place to ensure that these criminals aren’t stealing from their own cybercrime organization,” he told TechNewsWorld. “Organization and well-defined authority are key in ensuring a smooth-running operation.”
The report noted that determining the size of an organization can be an important piece of information for law enforcement.
It explained that knowing the size of a targeted criminal organization can lead to prioritizing which groups to pursue over others to achieve maximum impact.
“Also, bear in mind that the larger the organization is, the less vulnerable it might be to arrests but the more prone to manipulation,” the researchers wrote.
“Data-gathering techniques are vital,” they continued. “If there is something that the leaked Conti chats have taught us, it’s that information disclosure can be far more powerful in crippling a group’s operations than server takedowns.”
“Once private information is leaked, the trust relationship between group members and their external partners can be irreversibly eroded,” they added. “At that point, reestablishing trust is much more difficult than changing IP addresses or switching to a new internet provider.”
Sacrificing the Skels
Kron pointed out, however, that cybercrime operations that are well organized will be much tougher for law enforcement to penetrate and gather information on.
“They can keep the higher-level leadership safer by having many levels of culpability beneath them,” he said. “Just like with street drugs, it’s generally the low-level, street corner sellers that get arrested while the kingpins and large-scale traffickers are insulated.”
Trickbot and Conti recruited at technical universities and legitimate job search sites, and it’s likely those recruits weren’t aware of the work they were supporting, added Andras Toth-Czifra, a senior analyst at Flashpoint, a global threat intelligence company.
“The arrest of one individual may not necessarily compromise an organization since lower-level workers may not be aware of the work that they are supporting,” he told TechNewsWorld. “Analysts have observed similar tactics being employed to recruit unwitting money mules.”
With increased organization and specialization, cybercrime groups are moving faster and more effectively during each stage of an attack, Skinner noted.
“While the majority of attacks still start with phishing or exploitation of vulnerable internet-facing assets, we are seeing a rise in supply-chain attacks,” he added.
“And,” he continued, “we are seeing an evolution in extortion tactics, beyond destructive ransomware, with more focus on data exfiltration and threats of public disclosure of sensitive information.”
“What we’re seeing is a shadow economy developing,” McNee added.
He noted that recent trends focus on specialization and division of labor within groups as they garner the resources they require to grow and mature their criminal enterprises.
“Collaboration has always been a hallmark of many of these groups,” he said. “With the consolidation in certain larger organizations, their ability to develop certain capacities in-house has grown.”
“With the proliferation of the ransomware-as-a-service model, client support and marketing of their ‘customer success’ and support have also grown,” he added.
One of the fascinating things about cybercriminals is the speed at which they adopt cutting-edge technology, observed Andrew Barratt, managing principal for solutions and investigations at Coalfire, a provider of cybersecurity advisory services based in Westminster, Colo.
“A couple of years ago, we were aware of criminals making use of AI and machine learning to do language processing — all pre-chatGPT — to mimic the language used in emails used by their targets.”
“They are cloud-friendly, globally diverse, and in a lot of cases, willing to take risks with new technology because the payoffs can be so high,” he added.