Skip to content ↓ | Skip to navigation ↓

“Should we fear hackers? Intention is at the heart of this discussion.” – Kevin Mitnick

In cybercrime, truth is in the eye of the beholder. And if in any other research or business field it is somehow easy to define cause and consequence, in cybercrime it is not.

Perhaps it is due to its complexity and multi-layered character that cybercrime has become a business more profitable than the drug trade. According to the 2013 Europol Serious and Organized Threat Assessment, the total global impact of cybercrime has jumped to $3 trillion, making it more lucrative than the global trade in marijuana, cocaine and heroin combined.

In that sense, a financial loss to one is profit to another.

On the other hand of these criminals’ profits are businesses’ losses due to malware attacks, data breaches and IT security-related incidents that all help shape cybercrime’s platinum status. In many cases, the nightmare begins with a single maliciously crafted email.

Cybercrime is indeed the biggest threat to companies and organizations – be it commercial or bureaucratic. Its unprecedented success proves that classical cyber-protection approaches fail more often than not, and that threat actors and attack initiators are frequently found where least expected (i.e. within the organization).

Annual reports systematically imply that cybercrime expenses will continue to skyrocket to the point where it may be too late to ask questions and derive conclusions (but truth needs dialogue and dialogue needs questions):

  • Targeted attacks wouldn’t be nearly as successful if it wasn’t for privileged access often granted to users without a second thought. An industry analyst report by Forcepoint and Ponemon Institute recently proved that privileged users are the riskiest in an organization.
  • A recent report by Cybersecurity Ventures predicts that annual computer crime costs will jump to $6 trillion by 2021.
  • According to a 2014 report by McAfee (PDF), the annual cost to the global economy from cybercrime is more than $400 billion.
  • According to a 2015 report by British insurance company Lloyd’s, businesses lose some $400 billion a year due to cyber-attacks. Losses include direct damages and post-attack disruptions, which both affect the course of normal internal processes.
  • Another 2015 report by market analyst Juniper Research suggests that the accelerated pace of digitization of both personal and enterprise records will increase data breach expenses to $2.1 trillion by 2021 on a global level – a number which is four times bigger than the estimated cost of breaches in 2015.

Ransomware alone, such as the currently active Zepto virus, make millions out of cyber extortion. The FBI says that ransomware operators collected $209 million in the first quarter of 2016.

On one hand, these losses may even be bigger when related costs from the same attacks are added to the loss equation. On the other, some victims prefer not to report the crime and deal with it on their own (meaning the number could be even bigger).

Shortly said, cyber crime is profitable, and all these ghastly numbers serve to depict its increasing effect on the world economy.

But Who Generates All This Money?

To be able to fully comprehend the machinery behind the digitalized mask of the devil, we need to personalize the subject. After all, what’s more personal than a person?

Indeed, the bad guys of cyber crime are individuals with their own vulnerabilities and motivations. But they are often not nearly as experienced as the devil, and they can be motivated by reasons beyond quick cash.

The biggest dangers to businesses are often related to the most conspicuous types of cyber criminals, such as…

The (H)activist

The hacktivist chooses to target his enemies with data theft, reputational damage, and the defacement of websites and denial-of-service attacks. Hacktivism is a real challenge to international affairs and is a powerful instrument. The very fact that hacktivism is a form of protest it a double-edged knife.

Today’s hacktivists are found all over the world, supporting all sorts of causes. And even though hacktivism attacks are not directly related to money loss, there is often something bigger going on behind website defacement or denial-of-service attacks. Eventually, however, it all leads to money leakage.

The Privileged Employee, or the Insider

The name speaks for itself. The insider, often an employee with privileged access to sensitive data, may willingly or unwillingly be part of a cybercrime operation.

The insider may compromise the company they work for on purpose through sloppiness or through external influence. Alternatively, they may have been a victim of a scam or blackmail.

This ambiguity of his nature often makes insiders the hardest to foresee and counter. In other words, cyber-defense should start with the insider.

The Money Mule

No crime can function without mules, cybercrime included. Mules are the final link of a successful cybercrime operation. They are the ones making the dirty money ready-to-use and untraceable. This is often done via internet payments, money transfers, or online auctions.

Mules are typically motivated by greed or desperation. They often work from home, random Internet cafés, or free WiFi hotspots to hide their activities. They are the ones transforming the profits of Internet-based criminal activity into untraceable cash.

Money mules are recruited across the globe and are crucial to money laundering schemes. In Asia and Australia, they are mostly overseas students, while in Europe, they are usually retirees.

Let’s take the Cerber ransomware campaign.

Cerber operators not only demanded Bitcoin payments but also ran the currency through multiple Bitcoin wallets. This is what a Bitcoin money laundering scheme looks like, a form of money laundering to ensure the safety and gain of cybercriminals.

In the case of Cerber, security researchers observed thousands of victims’ Bitcoin wallets transferred into one. From there, the money was relocated to tens of thousands of other wallets. This is called a mixing service, and it’s pretty standard for Bitcoin. This also explains why and how ransomware has become cybercriminals’ favorite tool for online extortion.

The Real-Deal Black Hat

If a hacker’s hat color is defined by their intentions, the black hat is straightforward bad and, in most cases, straightforward professional. The black hat is the one responsible for that fake tech support call, that undecryptable ransomware and those harvested banking credentials. The black hat has dedicated all his life to cybercrime, and it’s safe to say that he knows human psychology all too well.

Beyond everything else, nowadays black hats are also businessmen who operate a business model called malware-as-a-service (MaaS), or the outsourcing of cybercrime. The worst part is that thanks to MaaS, now every wannabe is welcome to join cybercrime’s vast family.

Ransomware-as-a-service (RaaS), particularly, is the worst. Even though not everyone operating a RaaS scheme is professional enough to deliver a working and sophisticated encryption, its proliferation demonstrates the enormous income a black hat can generate. According to security firm Trustwave, a black hat could easily make $84,000 a month from an investment of $5,900 for the malware they need.

In 2014, Interpol diminished a crime ring operating the Blackshades malware. The criminals behind it were so sophisticated that they had staff and were handing out salaries! They even had a marketing director.

This is not the first case of a cybercrime gang going fully professional. A real-deal black hat would even hire IT experts for the very same reasons that legal companies do. A black hat’s supply chain also needs optimization and propagation.

Where Does the AV Industry Stand in All of This?

On the other side of cybercrime and underground markets is the antivirus industry. According to Gartner, global security software revenue totaled $21.4 billion in 2014, a 5.3 percent increase from 2013 ($20.3 billion).

This is contrary to multiple claims of the AV industry getting closer to its death. This segment is not dead; it is just transforming alongside the evolution of cyber-threats.

That being said, security information and event management (SIEM) was the fastest-growing segment of the global security software market in 2015, according to another Gartner report. In addition, sandboxing, cloud-based solutions, anti-ransomware, and second generation software are what the user needs to invest in today to be protected tomorrow.


Milena DimitrovaAbout the Author: Milena Dimitrova is an inspired writer for who enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malicious software, she strongly believes that passwords should be changed more often than opinions. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.