The business of malware

If you think malware is the product of a bunch of hackers hoping to cause some disruption or make a fast buck, think again. These days, malware is a mature and growing business: a serious criminal enterprise involving networks of developers and criminal organisations. Right now, there are teams working on new malware kits and exploits with the aim of selling them on to groups and organisations, so that they can use them for their own criminal or political ends. This is a global industry worth millions or even billions of dollars, and one that touches more and more of us every year.

How, then, do the authors and users of malware make their money? Well, on the one hand you have the various fraudulent or otherwise criminal ways that cybercriminals extract money, either from ordinary members of the public or from businesses and public services. On the other hand, you have a maturing underground service industry that's providing products and cyber-capabilities to other criminals, gangs and even nation states. Between them, they've created a powerful malware ecosystem; one built to exploit every opportunity in an increasingly connected, always-online world.

Making money from malware

From ransomware to extortion to advertising rackets and straight-up theft, there's no shortage of ways that cybercriminals can put malware to use.

  • Identity theft and financial crime: While a growing amount of bank account and credit card theft involves phishing attacks or social engineering, Trojans, keyloggers and other forms of spyware still play a part in the £5.4 billion lost in the UK through identity theft every year. Cybercriminals use these malware tools to recover log-in credentials and either steal money directly from your bank account or order goods and services for themselves. They may also use your identity to set up new loans or credit agreements in your name.
  • Partner networks and shopping fraud: Here browser hijackers and other forms of adware continuously direct or redirect you to sites that sell goods or services. In some cases these are actual stores selling software, services or actual goods. In other cases, they're offering counterfeit goods or incredible but non-existent bargains in the hope of stealing your payment card information along the way. Those behind the stores either distribute the malware themselves or rely on the services of a third-party distributor who gets paid for the traffic they bring in.
  • Click fraud: With click fraud the aim isn't so much to defraud affected users as to defraud online media and advertising networks. Malware is used to create a 'botnet' of infected PCs, mobile devices or, increasingly, simpler connected devices such as routers, IP cameras and Internet of Things (IoT) devices. The bots then 'click' on online adverts, boosting revenue for the blog or website that hosts them. New variants do the same thing for Twitch channels, with the botnets watching streams to boost a channel's cashflow or chatting in a channel's chat section.
  • Fake security: In this variant of the classic shoeshine scam, malware or an infected website informs end-users they have malware, then charges for a tool to get rid of it. As you might guess, the tool actually includes more malware, which may be used to infect other systems on the network or for identity theft.
  • Extortion: Now we're onto big-time criminal activity. In some cases, criminals may create or rent a botnet to unleash a coordinated Distributed Denial of Service (DDoS) attack on a company, threatening disruption to their business unless a fee is paid. In other cases they may use malware to infiltrate a network and steal corporate or personal data, threatening the business with exposure unless it pays up.
  • Ransomware: Arguably the biggest growth area in modern malware. Ransomware infiltrates a system and then blocks access to the system and/or encrypts vital data. To get their systems and data back again, the company or user has to pay a fee, which may be anywhere from $100 to $400 (£75 to £300) for an individual user to several million for a large corporation. A 2015 study by TrustWave claimed that cybercriminals using ransomware could earn up to $90,000 (£67,000) a month, while 2017 research from Google suggests that global profits from ransomware had reached $2.5 million (£1.86 million) per month over the last two years. Hit the right target, and the payout could be even bigger. In June 2017 Nayana, the South Korean webhost, agreed to pay a $1 million (£750,000) ransom to unlock its computers.

Malware as a Service

The criminals that put malware to direct use are supported by a fast-growing industry of hackers and developers that provide malware services, either through Darknet forums and marketplaces or through underground websites that, with surprising polish, offer malware and associated services in the same way that a legitimate business might sell webhosting or cloud storage. Some even offer after-sales service, helpdesks and customer support.

Beyond criminals, there's even evidence that some nations or their security services pay for malware or hackers' services, either for espionage or as a means of disrupting other nations. For instance, it's widely believed that the North Korean and Russian governments have sponsored malware used to attack businesses or utilities in South Korea and Ukraine.

These services might include:

  • Ransomware kits: Want to get started in the ransomware racket, but don't have the technical skills to build your own? You can buy an off-the-shelf kit with an easy-to-use dashboard and start your attacks straight away. Kits might cost anywhere between $175 and $6,000 (£130 to £4,500), but that's a small investment if you can achieve a $90,000 (£67,000) monthly turnover. Alternatively, the ransomware creator may simply want a percentage of the ransom, using affiliate schemes like those used by legitimate Web businesses. It's estimated that some schemes, like those based on the Cerber ransomware family, have netted the original developers an average of $1 million (£750,000) p.a.
  • Malware Kits and Exploit Kits: Malware developers make a lot of money developing toolkits for criminal use. Malware Kits come with the files and instructions needed to package malware in documents or emails. Exploit Kits are designed to sit on a compromised site or a webserver, then scan any systems that connect to that server for any vulnerabilities that can be used to infect that system with malware. Some kits are available for purchase, while others may be rented, with upgrades and support thrown in, for hundreds of dollars per month.
  • Botnet herding: Here, malware is used to create, manage and control multiple botnets, which the malware service provider can then sell or lease to interested parties. Many will be used for targeted DDoS attacks, brute-force hacking attempts, spam distribution or click fraud and Twitch fraud. Renting out a botnet could bring in anywhere between $200 (£150) and $2,000 (£1,500) a month, depending on the number and capabilities of the bots. At one point Georg Avanesov, mastermind of the Bredolab botnet, was earning over 100,000 Euros (at the time £80,000) a month.

Malware is a big business with opportunities for massive profits, so it's no wonder that the developers, hackers and criminals involved put so much effort into targeting businesses and individuals and the applications that they use. It's also why it's so important that organisations protect themselves with the right network and endpoint security strategy; one that protects their systems against infection and enables them to recover quickly from attacks. After all, when malware is a growing industry, you don't want your business to fuel its growth.
