Cybercrime is world’s third-largest economy thanks to booming black market

Ransomware-as-a-service and malware sold on the dark web are still what’s driving the growth of cybercrime, says Security Research Evangelist Roya Gordon at Nozomi Networks Labs.

Cybercrime has grown to become the world’s third-largest economy after the US and China, according to the World Economic Forum (WEF). Based on data from Cybersecurity Ventures, it is projected to cost the world $8 trillion in 2023 and $10.5 trillion by 2025.

Anyone can buy access to networks and ransomware online, which is one of the main drivers of this growth, Gordon told Cybernews in an interview. Threat actors do not need technical skills to launch sophisticated cyber or ransomware attacks, she said.

“There are more players in the game because all of these tools are readily available, so you don't really need to do anything,” Gordon said.

Cybercriminals are also ready to exploit security gaps resulting from the rapid adoption of the Internet of Things (IoT) – or systems of connected devices – across healthcare, education, and business sectors.

In addition to financially motivated criminals and nation-state actors that target critical infrastructure for material gain, Russia’s war in Ukraine has also seen the rise of politically motivated hacktivists, further contributing to the growing economy of cybercrime.

Ransom boom

Ransom demands are soaring, and cybercriminals have grown greedier after a high-profile attack against Colonial Pipeline, which cost the company $4.4 million in extortion in 2021.

“When they're targeting organizations that are paying it within days or without even thinking, that's encouraging other threat actors to say – we need to up our game,” Gordon said.

The average ransom payment has gone up to $800,000, according to last year’s Sophos research. The latest report from Nozomi warned that cyber insurance could be partly to blame for that.

“Cybercriminals are conducting reconnaissance on cyber insurance claims policies and tailoring their ransom requests to match the amount of a cyber insurance payout,” Nozomi’s report read.

Rather than relying on insurers, companies should invest in cyber prevention, protections, and remediation as a first line of defense, it said. Many insurers are starting to refuse to pay ransoms anyway.

While some victims believe making an extortion payment is still the easiest way out of the ransom attack, others are following suit. As a result, revenue from ransomware dropped by 40% in 2022 based on some metrics, according to a report by Chainalysis.

Colonial Pipeline heeded ransom demands in 2021. Image by Shutterstock

IoT-targeted attacks

According to the WEF State of the Connected World report, some 73% of experts globally lack confidence that connected devices are properly secure. They are right to be worried, Gordon said.

“I'm right along with them. These devices really aren't secure,” she said, adding that cyber security is often an “afterthought” to many organizations.

“They're just thinking of efficiency. How is this going to reduce manual labor, increase profits, revenue? They're not thinking about security,” Gordon said.

This is reflected in the statistics, which show that both private and governmental organizations, as well as individual users, are increasingly susceptible to cyberattacks due to the rapid adoption of the IoT.

According to WEF, 1.5 billion IoT-targeted attacks were recorded in the first half of 2021, a 15.1% increase from the previous year. “If threat actors are doing this, it's because they're successfully exploiting these IoT devices,” Gordon said.

Nozomi’s “honeypots” – devices it purposefully configured as IoT devices – showed that malicious botnets are loaded with default credentials such as usernames and passwords because organizations don’t change them.

“A lot of the firmware isn't updated. It's kind of like people just buy it, deploy it, and then kind of forget about it unless an attack happens,” Gordon said. “Threat actors know this, so they're preloading the botnets with basic credentials like admin:1234. That's a big concern.”

Nozomi’s research also showed that China was the most common attack source location, followed by the US and South Korea. It does not mean that threat actors necessarily come from these places – only that this is where most compromised devices are located.

“It could mean that the threat actor is leveraging a compromised device that's in that country,” Gordon said. “But also some of these places don't have really good policies on security. So those devices may just be more vulnerable to being compromised than in other places.”

When it comes to IoT security, organizations “should really be more on top of it,” she said, warning that botnet attacks are “definitely” going to intensify.

“Just change the password and make sure that you're patching,” Gordon said.

Attacks on critical infrastructure

Taking time to fix a problem or implement an upgrade can be more challenging in operation technology environments based on real-time data. These are most often found in critical infrastructure sensitive to disruptions.

“When you're dealing with a petrochemical facility or the power grid, or a pipeline, you just don't want to disrupt those types of environments,” Gordon said. It means organizations involved in critical infrastructure schedule upgrades – and can be vulnerable in the meantime.

“It's like a catch-22. You want to upgrade as much as possible, but you can't because you'll cause disruptions in your environment,” Gordon said.

She added: “There needs to be a program in place to say – we know there are 100 patches you have to do, but these are the most critical ones. These are the ones you need to get to right away.”

Healthcare facilities have become “a prime target” for cybercriminals due to the sensitive nature of their data, according to Nozomi’s report, which poses a unique threat. “In healthcare, an attack could mean loss of life,” Gordon noted.

There has also been an increase in attacks against the transportation sector, with railways particularly enticing to different sets of threat actors, including cybercriminals, but also nation states and hacktivists.

“It's a little bit scary because now you have a lot of threat groups to worry about instead of just one that's targeting critical infrastructure,” Gordon said.

Russia’s war in Ukraine has seen the rise of politically-motivated attacks on critical infrastructure, including the use of highly destructive wiper malware. Its sole goal is to destroy sensitive data and cause damage.

“The only thing that's going to save you is strong current backups,” Gordon said.