Cybercrime-as-a-Service: Prices and Offers

The cybercrime industry cost the world three trillion dollars in 2015 and is projected to increase to six trillion by 2021. All costs are included here - for example, in an attack that uses ransomware like GandCrab v5.1, we consider not only the amount of the ransom paid but also the costs of reduced equipment productivity, the subsequent increase in security measures, reputation damages, etc.

Cybercrime-as-a-service is not something fundamentally new. Malware developers offer their products or infrastructure on the black market. But what exactly do they sell and how much does it cost? We looked at several sites on the darknet to find answers to these questions.

Ransomware-as-a-Service

A lot of different packages for ransomware creation and distribution are available on the darknet. Updates, technical support, access to C&C servers, are included. Tariff plans resemble "white" software, with the exception that it is completely illegal.

For example, as part of one of the packages, a ransomware virus called Crysis is offered. It is available on monthly subscription. There are several tariff plans. The minimum fee starts from $120 per month. Premium tariff is $900 or $1,900 if the customer wants to add additional functions to the executable file of the program.

Another payment scheme is also possible. Cybercriminals provide malware or access to the C&C infrastructure for free, but they take away some of the funds received from victims.

Whatever strategy is used, we see that the tenant takes on further operations with malware. He needs to deliver the program to the victim's device, for example, using spam email campaigns or get access to vulnerable servers via RDP.

Selling access to servers

Darknet can help you find services that offer credentials for accessing servers through the RDP protocol. The price is in the range of 8-15 dollars for one server. Accounts are sorted by country, operating system, even payment sites users visited using these servers.

For example, researchers found one seller offering 250 available servers located in Colombia. For each server, detailed information is provided. After buying access, a cybercriminal can use it to launch a ransomware program or install other malware, trojans or spyware.

Infrastructure rental

Some botnet operators offer their computing power (bots) to clients who wish to send spam or launch DDoS attacks.

The cost of such services varies depending on the duration (ranging from 1 to 24 hours) and how much traffic a botnet can generate during this timeframe. Average offer costs $60 for a three-hour attack.

Some hackers offer to rent their (usually small) botnets for attacks on online game servers. Some other hackers sell stolen gaming accounts. Social networks are used to promote such “services.” Account holders are not particularly worried about police. They hide their identities behind fake personas and use VPN, TOR and other anonymizers.

Selling PayPal Accounts and Credit Cards

Operators of successful phishing attacks do not like to take a risk and use stolen accounts on their own. It is safer to resell them to other cybercriminals. They simply take about 10% of the funds stored on the compromised accounts.

During a presentation at Segurinfo 2018, the ESET security evangelist Tony Anscombe noted that the malware development industry now resembles software industry. Software offered by cybercriminals, their products and services successfully use schemes borrowed from "legal" sales and marketing spheres.

The darknet is a full-fledged industry with sales, marketing, after-sales services, software updates, and manuals. There are a lot of sellers and buyers there. The main profit goes to the big players with the most developed network infrastructure. As a result of the development of this "dark industry" malware becomes available to broad categories of Internet users. It is not necessary to be a programmer anymore, even children can buy malware or rent botnets.