Preparing for the professional cybercrime industry

Mar 13, 2017 | 4 mins
Application Security | Cybercrime | Security

Ransomware has made hacking a real job. This is how you need to respond

Cybercrime has become big business. These days, you’re not protecting your information systems from a guy in his basement who hacks random websites for the thrill of it. You’re up against full-blown professional cybercrime “companies” that employ everyone from customer service reps to graphic designers.

Brian Krebs recently published a story mentioning a “slick and professionally produced video advertisement” for a new ransomware-as-a-service package. What does this mean for IT professionals? It means cyberattacks are becoming more effective and more numerous, and you may need to change your security strategy.

Why are cyberattackers going pro?

Put simply, hacking is now a lucrative business due to changes in today’s technology landscape. For example, all of our businesses run on software and internet connectivity. We have become dependent on these technologies, and without them, things grind to a halt. Cyberattackers know the value businesses place both on their sensitive data and on keeping their operations running. It has, therefore, become worth their while to spend money and energy creating scalable and streamlined cyberattacking operations.

In some parts of the world, hacking is the best use of technical skills. Economic challenges in countries like Russia, caused by falling oil and commodity prices, have driven more people with technical knowledge to turn to hacking as a way to make money.

Furthermore, the process is getting easier as the payoffs get bigger. Numerous tools, including vulnerability scanners and ransomware exploit kits, are readily available for free or for a reasonable price and make a cyberattacker’s job really easy. Additionally, more and more of the hacking process is automated, which means hackers need less technical skill to execute a successful hack.

The evolution of cybercrime

It is important to note that those involved in professional cybercriminal activity are not traditional cyberattackers.

Cybercrime is now an “industry” with a well-defined ecosystem, role specialization, and all the trappings of any other industry. Those working at the “companies” in this industry fill roles such as creating and marketing the tools used to perpetrate cyberattacks (e.g., building malware kits, offering botnets for hire); stealing sensitive data with these tools; and collecting the payouts.

Take ransomware, for example. This fairly new subset of the malware market is like a business in any industry in startup mode—filled with rapid expansion and innovation.

In fact, the ransomware market has become professionalized to the point that these “companies” are employing graphic designers and professional negotiators to streamline the process of explaining to victims their options and the procedure for paying the ransom. They are actually conducting market research on the collections process to fine-tune the “presentation layer” of the ransomware transaction. And these criminals collaborate and share information often better than the companies and nations they are targeting. For example, they are creating and sharing sophisticated rating systems to judge the quality of malware tools.

How should we respond?

On the bright side, ransomware—especially as it gets more and more professional and effective—is a stimulus for businesses to get their act together when it comes to security. It might be cheaper to pay the ransom than restore the data once, but not to keep paying it over and over again. Overall, the situation is going to get worse before it gets better as businesses figure this out.

The best defense is getting back to the security basics we’ve been talking about for years:

  • Write high-quality software that’s not going to get easily hacked using common attack methods, like automated vulnerability scanners
  • Set strong user controls
  • Minimize the attack surface by keeping track of your web applications and the sprawl of your network
  • Establish good internal detection and response capabilities

Remember, do not get complacent. Security is a moving target and the cybercrime pros have the time and resources to figure out new ways to breach your systems. The explosion of ransomware is probably due in part to the success of PCI regulations that have made stealing credit card information harder, forcing hackers to turn somewhere else. Cyberattackers are creative and will continue to move to where the risk/reward ratio is highest. Complacency is dangerous because the biggest risk long-term (as we saw in recent IoT-based DDoS attacks) is the creativity of adversaries to use emerging technologies in destructive ways that we have not yet anticipated.


Chris Wysopal is CTO at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @Stake, which was acquired by Symantec.

In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified before the U.S. Congress on the subjects of government security and how vulnerabilities are discovered in software.

Chris holds a bachelor of science degree in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

The opinions expressed in this blog are those of Chris Wysopal and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.