If crime doesn’t pay, some cybercriminals don’t know it. According to a Trend Micro report released Monday, a top member of a cybercrime group like Conti can earn about $1.1 million a year.
Because cybercrime groups don’t file reports with the SEC, the salary earned by a top moneymaker in a major criminal enterprise like Conti is Trend Micro’s best guess, based on leaked information about the group and its estimated revenue of $150 million to $180 million.
“The facts gleaned from the declassified conversations paint a picture of the Conti organization that looks very much like a large, legitimate business,” Trend Micro researchers said.
“These criminals appear to have succeeded in building a complex organization with multiple layers of management and internal rules and regulations that mimic a legitimate corporation,” they added.
David Sancho and Mayra Rosario Fuentes’ report, “Cybercrime in the Halls of Business,” focuses on the revenue and organization of three different criminal groups: one small (under $500,000 in annual revenue), one medium (up to $50 million) and one large (more than $50 million).
Size affects specialization
Like any business, size affects how specialized a criminal organization needs to be, said Eric Skinner, Trend Micro’s vice president of market strategy.
“A small group will specialize in one area, either subcontracting other aspects of their operations, or specialty suppliers to larger groups,” he told TechNewsWorld.
“As the group grows,” he continued, “they can bring more of their in-house skills to reduce costs or gain more control over their supply chain.”
“Criminal organizations tend to mirror legitimate businesses because both are trying to maximize profits,” he added. “An organization that is not driven by profit, say an idealist or a terrorist organization, will often have different structures to reflect their different goals.”
“As criminal organizations grow, they face many of the same ‘business’ challenges as legitimate organizations, including recruiting, training, software development, business development and marketing,” said Sean McNee, research and development director at Seattle-based Internet intelligence specialists DomainTools. vice president of data.
“As such,” he told TechNewsWorld, “they have adopted many best practices and business models to address the same issues that legitimate organizations face in managing these challenges.”
A new type of startup
McNee said the cybercrime ecosystem is a competitive free market that is rapidly maturing.
“Relationships in this economy allow organizations to explore technical specialization, efficient models of interconnection and sales, and the possibility of effective scale,” he continued. “Cybercrime can then be viewed from the perspective of technology startups to capitalize on speed, rapid iterations, product-market fit and business partnership formation.”
Criminal organizations aren’t that different from for-profit corporations, argues John Bambenek, principal threat hunter at Netenrich, an IT and digital security operations firm in San Jose, California.
“They need to organize people and processes to accomplish the mission of making money,” he told TechNewsWorld. “They’re just willing to use criminal tools to get there.”
Traditional business models not only have a proven track record of success, but they scale well, added Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.
“When dealing with criminal groups, there needs to be a clear demarcation of authority and there need to be checks and balances to make sure that these criminals don’t steal from their own cybercrime organization,” he told TechNewsWorld. “Organization and clearly defined mandates are key to ensuring smooth operations.”
The report notes that determining the size of an organization can be important information for law enforcement.
It explained that knowing the size of a targeted criminal organization can help prioritize which groups to pursue over others to achieve maximum impact.
“Also, note that the larger the organization, the less vulnerable it is to capture, but the more prone to manipulation,” the researchers wrote.
“Data collection techniques are vital,” they continued.
“As soon as private information is leaked, relationships of trust between group members and their external partners can be irrevocably damaged,” they added. “At that point, re-establishing trust is much more difficult than changing IP addresses or switching to a new Internet provider.”
Kron noted, however, that well-organized cybercrime operations will be much tougher for law enforcement to penetrate and gather information on.
“They can keep higher-level management more secure by having multiple levels of culpability under them,” he said. “As with street drugs, it’s usually the low-level, street-corner dealers who are arrested, while the kingpins and big traffickers are isolated.”
Trickbot and Conti recruited at technical universities and on legitimate job-seeking sites, and it’s likely that those recruits were unaware of the work they were supporting, added Andras Toth-Czifra, senior analyst at Flashpoint, a global threat intelligence firm.
“The arrest of one individual may not necessarily endanger the organization because lower-level employees may not be aware of the work they are supporting,” he told TechNewsWorld. “Analysts have observed similar tactics being used to recruit unwitting money mules.”
With increased organization and specialization, cybercrime groups are moving faster and more efficiently at each stage of an attack, Skinner noted.
“While most attacks still start with phishing or exploiting vulnerable Internet assets, we are seeing an increase in supply chain attacks,” he added.
“And,” he continued, “we’re seeing an evolution of extortion tactics beyond destructive ransomware to a greater focus on threats to export data and expose sensitive information to the public.”
“What we’re seeing is a shadow economy developing,” McNee added.
He noted that recent trends focus on the specialization and division of labor within groups as they gather the resources they need to grow and mature their criminal enterprises.
“Cooperation has always been a hallmark of many of these groups,” he said. “With consolidation in some larger organizations, their ability to develop certain capabilities internally has increased.”
“As the rescue-as-a-service model has grown, so has customer support and their ‘customer success’ and support marketing,” he added.
One of the fascinating things about cybercriminals is the speed with which they adopt the latest technologies, noted Andrew Barratt, solutions and investigations manager at Coalfire, a cybersecurity consulting services provider based in Westminster, Colo.
“A few years ago we were aware of criminals using AI and machine learning to do language processing, all pre-ChatGPT, to mimic the email used by their targets.
“They are cloud-friendly, globally diverse, and in many cases willing to take risks with new technologies because the rewards can be so high,” he added.