How the shadow cybercrime market is evolving and why the threats are only growing (Part 3)

07.03.2025 18 minutes Author: Cyber Witcher

Modern cybercrime is rapidly evolving, leveraging the latest technologies, service-based business models, and automated attacks. Ransomware-as-a-Service (RaaS), Phishing-as-a-Service (PhaaS), and Exploit-as-a-Service (EaaS) are already available on shadow markets, allowing even inexperienced attackers to carry out sophisticated cyberattacks.

Cost of attack

At first glance, cyberattacks may seem like a low-cost endeavor, but in reality, training and purchasing tools can be expensive, especially for novice criminals. The chart below outlines the cost of preparing one of the attack vectors most popular among attackers, assuming the attacker is a novice.

Cost of preparing an attack and possible profit

At this stage, attackers need to purchase all the tools and services required to carry out a cyberattack. The first step is to build an infrastructure: they purchase proxy servers and VPNs and rent dedicated servers to create an anonymous, secure environment for managing attacks. The next stage is to purchase tools. Key items are the Cobalt Strike post-exploitation framework and a loader. To make the malware fully undetectable (FUD – Fully Undetectable) by antivirus products, attackers also purchase EV certificates for signing files, as well as crypters.

Realizing that their skills may not be enough (if we are talking about beginners), cybercriminals seek advice on setting up the entire infrastructure and on using Cobalt Strike. Alternatively, they can join a ransomware gang to use ready-made malware instead of developing it themselves. As we found out, joining a group takes more than the desire to do so: it requires an entry fee and a reputation in the underground. Therefore, attackers may instead buy either the source code of the ransomware or a builder.

To gain access to an organization’s infrastructure, criminals can go several ways: send phishing messages to victims, search for vulnerabilities on the network perimeter, or buy access on shadow resources. For example, attackers can scan open ports for outdated or vulnerable software. If no known vulnerabilities are found in the system, attackers can turn to privilege escalation services available on shadow markets.

The preparatory stage requires significant costs. The total costs for infrastructure, purchase of tools and services, as well as consultations can start from $20,000. Note that the price may vary depending on the products purchased. Using RaaS ransomware means that 10-30% of the final ransom goes to the malware developers.

According to Coveware, in Q2 2024, the average ransom amount increased to $391,015 (up 2.4% from Q1 2024), while the median ransom amount decreased to $170,000 (down 32% from Q1). Taking the median as a baseline, cybercriminals can receive $120,000-150,000 after paying commissions to the software developers. Subtracting the costs of all the necessary tools and services, the attacker’s net profit from a successful attack can be $100,000-130,000.

For organizations, the consequences of such attacks can be much more serious than the ransom payment. For example, in June 2024, technology company CDK Global was the victim of an extortion attack that paralyzed the company’s servers for two weeks. The incident resulted in a sales freeze for about 15,000 auto dealers across the U.S. The company paid a $25 million ransom, and dealers’ financial losses due to CDK’s system downtime in the first two weeks are estimated at more than $600 million.

Development of the shadow market

Since 2015, services on shadow resources have been adopting the subscription model from legitimate businesses. In the course of this transformation, various subscription business models have emerged; we highlight the four most popular: MaaS (Malware-as-a-Service), RaaS (Ransomware-as-a-Service), PhaaS (Phishing-as-a-Service) and DaaS (DDoS-as-a-Service). Thanks to the advantages of subscription-based distribution, a modern attacker no longer needs to develop the necessary attack tools independently. The underground now looks more like a legitimate business, with customer support and regular updates (as we found out above).

Every quarter we note the emergence of new services, for example, phishing kits distributed under the PhaaS (Phishing-as-a-Service) model such as Tycoon 2FA or ONNX. Some of them become a big problem for organizations. In the summer of 2023, Proofpoint warned of a major campaign in which one of these phishing kits was used to send about 120,000 fraudulent emails to hundreds of organizations around the world. It is notable that Proofpoint experts attributed the use of this tool to the TA4903 group.

Next, let’s analyze how the underground market continues to develop now.

“Ransomware market for 100”

The underground ecosystem has its own monopolist in the field of ransomware (most of the well-known big players advertise their products there). But access to the forum is granted only to users with a high reputation on other large shadow forums or on payment of a $500 fee. As we discussed earlier in the study, this cuts off a number of casual users. It is worth noting that many English-speaking underground platforms do not prohibit advertising and selling ransomware. This creates a separate market for cheap ransomware.

Due to their low cost, such ransomware strains are widely available and reach a wide audience. Unlike the complex infrastructure of large ransomware operations, budget malware allows cybercriminals to operate cheaply and independently. They can target small and medium-sized businesses that are unlikely to have the resources to protect themselves or respond effectively to incidents.

After a successful attack, these operators may demand a small ransom compared to the larger industry players. This encourages companies to pay, for example, a few thousand dollars, since this is far less than the cost of investigation and data recovery.

Ads for the sale of cheap ransomware

It is worth noting the difference in the cost of the source code of comparable ransomware. For example, on one shadow forum the price of the source code of a cheap encryptor was listed at $8,000, almost 38 times less than that of its “big brother” Inc Ransom.

  • The median price of source code for cheap ransomware on one of the shady forums is $400; prices start at $50.

Evasion and customization of malware

Attackers are actively adapting their methods to increase the effectiveness of attacks. One such step was the creation of shadow analogues of popular file-scanning services. As you know, legitimate sites allow users to upload files and check them for malware with a variety of antivirus engines.

The main difference between shadow file checkers and their legitimate analogues is that legitimate sites share data with antivirus vendors. To avoid this, criminals have created underground analogues that work on the same principle: they check whether antivirus engines detect a file, but do not pass the results to the antivirus vendors.

Such solutions once again demonstrate how the underground market is evolving, adopting technologies from legal businesses to increase efficiency and meet the needs of cybercriminals.

  • The cost of one file scan is $0.1. If an attacker needs to scan a large number of files regularly, a monthly subscription starting at $25 is offered.

Shadowy VirusTotal analogues

For example, in January 2024, cybersecurity company Trellix analyzed one of the ransomware programs. What is noteworthy here is not the analysis itself, but the advertisement of the malware on one of the shadow forums. While advertising the encryptor, the attacker offered to customize the ransomware for each individual attack. Thanks to this (using a builder), the malware is better prepared to attack a specific target, which significantly increases the likelihood of successfully penetrating the victim’s systems and causing the maximum possible damage.

Ransomware gang affiliate program announcement

There are also separate services for customizing malicious files, advertised, for example, as bypassing VirusTotal checks (VirusTotal bypass), meaning that the file is not flagged as malicious by the antivirus engines.

VirusTotal bypass service

Demos as a tool for attracting customers

An important change in the shadow markets has been the active introduction of trial periods and product demos. A free trial lowers the entry threshold for potential buyers: without having to pay immediately, they can evaluate the product at little risk, which is especially attractive in a crowded shadow market where many offers compete for the customer’s attention. Such changes not only expand the customer base but also push the underground further toward the service model.

Announcement of a free trial period

A new round of development of the shadow economy

Cybercrime is constantly evolving, and new technologies are being introduced to improve fraudulent schemes. It became known that in April 2024 the operators of one malware family launched their own coin (a digital asset, a cryptocurrency) and NFT (non-fungible token, a digital asset that can be represented as a photo, video, etc.) on the TON (The Open Network) blockchain.

Such a move could be a new source of income for criminals. It also allows them to build a unique ecosystem around the coin: for example, it may become possible to pay for a product with it or to receive exclusive offers not available to ordinary users.

Cryptocurrency and NFT launched by malware developers

Log store inside the stealer admin panel

One of the shadow forums has introduced a new feature: a log store built directly into the malware control panel. Logs are the data sets attackers obtain after compromising a device, such as accounts for banking applications, social networks and crypto wallets, VPN configurations, and credentials for other services. The information is obtained using a stealer (malware designed to steal data).

For criminals, logs are not just a data set, but a source of further monetization. They can contain quite valuable information, such as access to a site’s admin panel, credentials for large social network accounts, or payment card details. In addition, logs can contain confidential data useful for attacks on organizations, such as VPN configurations, repository access keys, SSH keys, and information about 2FA (two-factor authentication).

Already-stolen logs can be bought on shadow resources. Often, old data that has already been used and lost its relevance is sold (passwords have been changed, sessions have expired, money has been withdrawn from crypto wallets). This may have influenced the emergence of a new element in the shadow environment: a log store right in the control panel. The innovation allows already-used (but not fully exhausted) logs to be resold to other cybercriminals. By creating a submarket for stealer logs, attackers have expanded their influence, which ultimately boils down to one thing: more customers and more financial profit, but also more potential victims.

Announcement about adding a log store to the panel

What to expect in the future

Strengthening the service model

The spread of the service model lowers the level of knowledge required of criminals, and this approach explains why the number of cyberattacks is not decreasing: the number of incidents in 2024 is 16% higher than the year before.

Number of incidents in 2022–2024

We assume that in the near future new types of services will appear that allow cyberattacks to be carried out literally “in one click”. Perhaps such solutions will be so automated, thanks to the development of artificial intelligence, that the attacker will only need to select a target and click “Launch attack”. Such a solution would open the door for those who previously could not participate in criminal activity for lack of knowledge or skills.

In the future, shadow services may reach a new level as an ecosystem, giving attackers the chance to obtain all the necessary tools and services from a single provider. Such services would integrate payments, log stores, access to exploits and installation of additional malware modules in a single system.

EaaS

Another possible development is EaaS (Exploit-as-a-Service). As is known, the cost of 0-day vulnerabilities can reach millions of dollars, but not all attackers have such funds. The EaaS model would allow exploit developers to rent exploits out rather than sell them to a single buyer. This, in turn, would increase the number of attackers capable of exploiting vulnerabilities, as well as enriching the exploit developers.

Attackers’ use of exploit kits (software packages that automate the exploitation of vulnerabilities in websites and web applications) can already be called a harbinger of this service. One example is RIG EK. According to PRODAFT, the exploit kit reached a high level of use in 2022 (a third of successful attacks), with users making about 2,000 hacking attempts with it every day.

Dark access for all

The first thing that comes to mind when Access-as-a-Service is mentioned is the sale of access to companies’ corporate infrastructure. However, this service is developing, and the sale of accounts is appearing as well. Since December 2023, many advertisements have been posted on shadow resources for the sale of accounts on one of the most popular dark web sites.

For general understanding: to become a member of that forum, applicants must demonstrate technical skills and have a reputation in the cybercriminal community. We assume that the market for accounts on popular shadow sites will continue to develop, which may increase the number of attackers and, accordingly, the number of cyberattacks. After all, the entrance to closed forums is now open to less skilled hackers.

Announcement of the sale of accounts to a closed shadow forum

Meet Nighthawk and Brute Ratel C4

During the first half of 2024, we often heard about attackers using the Sliver framework. This is an open-source penetration-testing framework for creating and managing implants that can perform various actions on infected systems: privilege escalation, credential theft, lateral movement within the perimeter. According to the results for the third quarter, Sliver became one of the trends among cybercriminals.

Now the situation is as follows: on shadow resources, people have become actively interested in Nighthawk. Although at the time of writing it is unknown whether this tool has leaked, the interest of attackers and their willingness to pay a lot of money (for example, one ad offered $50,000) indicate that we will soon see Nighthawk in the hands of highly skilled APT groups or, after a leak, of less experienced hackers.

  • Nighthawk is a commercially distributed remote access trojan (RAT) created by MDSec.

Advertisements-requests for purchasing Nighthawk

Cybercriminals are also interested in Brute Ratel C4. The tool has capabilities similar to Cobalt Strike and was designed specifically to bypass threat detection systems such as EDR and antivirus products. Unlike Nighthawk, Brute Ratel C4 has become widely available (version 1.4.5 was publicly posted on shadow forums in July 2024), and it is already being used in cyberattacks.

For example, in July 2024, the Knownsec 404 Advanced Threat Intelligence team discovered a potential attack on Bhutan organized by the Patchwork group (APT-C-09), which used Brute Ratel C4.

Announcement of the Brute Ratel C4 giveaway

Tools with AI modules

Throughout 2024, in our quarterly analytics, we noted the growing interest of attackers in artificial intelligence and AI-based tools, which will not subside for a number of reasons: AI can automate many tasks, such as scanning for vulnerabilities, creating phishing emails, or analyzing data. In addition, malware developers are actively implementing optical character recognition (OCR), which we noted in the second quarter of 2024. In September of the same year, McAfee researchers discovered SpyAgent, a new type of Android malware that uses OCR to steal mnemonic seed phrases (the backup key that grants access to a crypto wallet) from images stored on the device.

It is noteworthy that malware using machine learning algorithms was found on shady resources. According to the seller, the malware is capable of self-propagating through the infected device’s network and can copy itself to any connected external media.

Description of the malware’s functions

But we should not forget about legitimate automated tools. Ridge Security offers RidgeBot, a tool for automating penetration testing: for example, the product itself identifies and exploits vulnerabilities in systems. However, RidgeBot has been posted on shady resources (for $1,000). The leak makes the tool available to attackers, which can lead to serious consequences: using an automated tool, cybercriminals are able to steal confidential data from companies and then demand a ransom for its return. In addition, attackers can cause serious damage to systems, leading to millions of dollars in recovery costs.

Perhaps the leak of such products will create competition in the cybercrime market, encouraging malware developers to implement more AI modules in their tools to increase the damage from attacks and attract new customers (not always professionals).

RidgeBot for sale ad

Receive and sign

On shady resources, attackers are actively seeking and selling EV certificates. To obtain an EV Code Signing certificate, publishers and software developers undergo strict verification. The certificate authority (CA) requires data confirming the authenticity of the company, for example, proof of the physical and legal existence of the organization.

Attackers are now adopting this method, because an EV certificate not only bypasses Windows protection tools (for example, Microsoft SmartScreen) but also reduces the chance of detection by antivirus products. We assume that such services will be in great demand among cybercriminals, which will be reflected in a growing number of offers on shady resources. It is worth noting that in August 2024, Intrinsec released a report on the developing market for abuse of extended-validation certificates.

  • EV Code Signing (Extended Validation Code Signing) is a digital signature that protects and confirms the authenticity of software.
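The practical consequence for defenders is that "signed with an EV certificate" only proves a CA vetted some organization, not that the publisher is one you trust. The following Go program is an added example (not from the original article or the research it summarises): it builds constructed, self-signed code-signing certificates, with and without the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3, and applies the allow-list check that should replace blind trust in the EV marker. The organization names, the `AssessSigner` function and its verdict strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OID carried by EV code-signing certificates. It shows
// the CA vetted the organisation, not that the signed code is benign.
var evCodeSigningOID = asn1.ObjectIdentifier{2, 23, 140, 1, 3}

// newCodeSigningCert builds a constructed, self-signed certificate for org with the
// code-signing EKU and, when ev is set, the EV certificatePolicies entry.
func newCodeSigningCert(org string, ev bool, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ev {
		// certificatePolicies (id-ce 32) = SEQUENCE OF PolicyInformation, hand-encoded so
		// the output does not depend on which policy field this Go release marshals.
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{evCodeSigningOID}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// AssessSigner is the check to run instead of trusting "signed with EV": the
// certificate must be valid at signing time and the subject organisation on the
// allow-list. The EV policy on its own only changes the review note, never the verdict.
func AssessSigner(cert *x509.Certificate, now time.Time, trustedOrgs map[string]bool) string {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "reject: certificate not valid at signing time"
	}
	for _, org := range cert.Subject.Organization {
		if trustedOrgs[org] {
			return "allow: trusted publisher"
		}
	}
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(evCodeSigningOID) {
			return "review: EV-signed but publisher not on allow-list"
		}
	}
	return "review: publisher not on allow-list"
}

func main() {
	now := time.Now()
	cert := newCodeSigningCert("Example Shell Company LLC", true, now.Add(time.Hour))
	fmt.Println(AssessSigner(cert, now, map[string]bool{"Example Trusted Vendor Ltd": true}))
}
```

In a real pipeline the certificate comes from the Authenticode signature of the binary under review and the allow-list from the organization's approved-publisher inventory.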

EV Code Signing Sales Announcement

Demand creates supply and, of course, can lead to fraudulent schemes. In the shadow economy, some criminals see a good opportunity to profit by offering new, in-demand services and, instead of actually providing the promised product, simply deceiving their customers.

Report of fraud by a shadow forum member

Dark auditor

In legitimate business there is such a thing as an auditor or mystery shopper: a person who checks the quality of service while posing as an ordinary client. Mystery shoppers assess the level of service or the quality of products. Most likely, this verification method will not bypass shadow resources either, where sellers also compete for buyers’ attention. With the introduction of a “shadow auditor” role, competition between solution providers will increase significantly, leading to higher quality of cybercriminal services.

Notably, the beginnings of such a trend are already present on the dark web. For example, one shadow forum introduced live verification of sellers. The scheme works like this: the supplier puts forward an offer and must complete a test task to demonstrate the level of the services offered. An auditor (a representative of the site with a good reputation) assesses the quality of the product by checking the test. If everything is done properly, the seller is allowed to trade.

Notification of admission to trading based on completed test task

Conclusion

In recent years, shadow resources have evolved into a well-organized ecosystem with its own rules, control mechanisms, and even a certain level of self-regulation to prevent fraud among its participants. The dark web has become a platform where you can find any tools for cyberattacks, and thanks to the growth of the service model, attackers are no longer limited by their own technical knowledge. The emergence of tools, guides, and automated solutions has greatly simplified entry into this area, which complicates the fight against cybercriminals and the investigation of attacks.

It is especially indicative that shadow sellers have adopted marketing strategies from legitimate businesses: they use attractive landing pages, work with customer reviews, and improve the quality of service. This allows them to not only increase sales, but also retain customers by providing a wide range of services.

Trends indicate a growing focus on evasion: crypters and EV certificates are being actively used, and malware developers are refining their tools to adapt to changes in software. In addition, artificial intelligence is increasingly integrated into cybercrime, automating attacks and increasing their effectiveness.

The shadow services market is becoming more ecosystem-based. Some groups have already integrated log stores directly into malware control panels, while others are creating their own cryptocurrencies that can be used for anonymous payments or for receiving exclusive offers. It is likely that in the future more and more services will be combined into single platforms where attackers can obtain everything they need from one provider.

Cybercrime continues to evolve, adapting legal business models, technological innovations and marketing strategies. The initial cost of an attack can start at $20,000, but the potential profit if successful is many times greater than that investment. This creates a dangerous incentive for attackers, and the expansion of the service model only increases the number of cybercriminals who can carry out attacks without deep technical knowledge.

For organizations, this means that traditional cybersecurity methods are no longer sufficient. A comprehensive approach is needed that includes active monitoring of darknet resources, analysis of emerging threats, and the implementation of modern security tools such as XDR, SIEM, and behavioral traffic analysis (NTA). Given that cybercriminals are constantly improving their strategies, companies should focus not only on responding to attacks, but also on proactively identifying threats and minimizing possible consequences.
