The reality of hackers and their business model
Picture this: it is the middle of the night and inside a dark room with the blinds closed there is a person sitting at a desk, sweats on, hood up, face a few inches from a lit-up computer screen. You may ask, what is this person doing? Many would not bother asking such a question because it seems obvious: this person is clearly hacking into Google. Although media and movies portray hackers this way, it is largely not true. In reality, hackers are business people and often target SMBs just as much as larger organisations. A 2018 survey by the Ponemon Institute found that 58% of the US and UK SMBs it studied reported a data security breach. Targeting an SMB may seem like a waste of time, but it all makes sense once you understand the business model of a hacker.
What exactly is a hacker business model? It involves different players, similar to any other business. These players are often identified as researchers, farmers, dealers and consumers. Researchers search for vulnerabilities within different systems (focusing on those that could optimise botnet infections, where a botnet is a network of computers infected with malicious software so that they can be used in attacks without the owners' knowledge). Farmers write the botnet software in order to increase the number of systems available for a botnet attack. Dealers perform the actual attack: they pay farmers to rent botnets and use these to carry out their attack. Consumers then turn the data into money, usually bitcoin. Although not every attack involves all four of these players, it is important to recognise that attacks are often organised similarly to other business activities (legal or not).
Businesses have strategies for increasing profits and productivity, and hackers are no different. They log and measure the effectiveness of their operations in order to better manage their attacks. Hackers build software that can be used more than once in order to save time, and advertise it to other hackers or even to the mainstream community, who can use it with no prior knowledge of hacking. They then rent out the software to others for money, or give it out for free but require a portion of the data acquired using their software. There are forums, similar to websites such as Craigslist, where hackers sell and buy such software, although one must be vetted to gain access to them.
An example of such a network is a Russian hacking group called RIG. Within their model, they have a manager who rents out exploit kits to others or gives them to resellers, who find their own customers to rent the kits out to.*
Hackers have their own community and have to trust one another when renting another's hacking software, but they still compete with each other like any other industry. For example, hackers will delete software off the web so others can't use it. In one situation, a hacker built specific software for attacks and allowed other hackers to use it, but unknown to them, all of the data they recovered was visible to the master hacker, who could then exploit the data for money.*
Every business needs to ensure it has adequate backups and insurance. With insurance in place, a business can notify its insurance provider, who will take care of everything, significantly lessening the cost and disruption to the business. As part of that insurance, regular backups and security systems will be expected, and these can therefore mitigate the potential loss from an attack. The common advice for businesses is not to pay the ransom for their data, either because paying encourages hackers to continue their business or because the business probably won't get its data and files back even after paying. This decision, however, will vary from business to business depending on your risk planning for such an event.
Even though the base of the hacker business model is illegal (stealing data), ethics play a role within the model. If a business pays the ransom for its data and the hacker finds that they cannot recover the data, there is a good chance the hacker will refund the money. This builds trust for the hacker. If word spreads that a certain hacker does not give back your data after you pay, many businesses would decide not to pay if they were attacked.
Another tactic is giving a business a file or a little of its data back before it pays. This allows the hacker to prove that they can recover the business's data, so that paying the ransom appears worthwhile. The catch is that the business can't choose which data or file is recovered, so overall the freebie does not help it. Hackers will also offer support to a business to help it recover its data after it pays, in case the business is struggling with the recovery process.
There is still the question of why hackers target SMBs just as much as larger organisations. The ultimate goal of a hacker is to get as much data as possible because, for them, data is money. Larger businesses have more data, so why even bother with SMBs? The main reason is that hackers know SMBs have less security over their data and assets, and since attacks can be automated, it is a much quicker and easier process to attack SMBs overall. SMBs often do not see themselves as a target and face different challenges in securing their data compared to larger organisations. Mostly, it is a lack of resources for training and for implementing secure software that causes SMBs to turn away from protecting their data.
The business of hackers has many more similarities to legal businesses than one might think. Hackers form an organised community that allows them to attack businesses more efficiently by sharing malicious software and automated attack systems. Given the intricacy of such cyber attacks, businesses should secure their data, because all businesses, no matter the size, can end up as a target for hackers.