A few years ago, I helped respond to a ransomware attack on a hospital. It wasn’t the intended target of the responsible hobbyist hackers, but when they attempted to undo the damage they had caused, their decryption tool didn’t work – instead of unlocking the data, it destroyed it. Hobbyists can wreak as much havoc as professional hackers, whether by accident or on purpose.
Hacking used to be a hobby, but now it’s a $6 billion industry. A growing part of this business sells cybercrime-as-a-service (CaaS) suites that offer hacking tools, ransomware, stolen credentials, and even insider information. Like any ecosystem, it’s not just the hackers who make a profit, but also the teams that create and update these tools and services.
Just as legitimate software developers succeed by creating user-friendly programs and offering regular updates and user support, so do the bad guys. This professionalization of hacking and the dark web has started a new cycle, enabling a new wave of amateur hackers who can disrupt businesses without deep technical knowledge. In the same way that word processors supported hobby writers and blogging software gave citizen journalists an easy way to publish, these tools make illegal hacking simple, cheap, and accessible.
If hacking is available for anyone to “try”, every company is at risk of being attacked, whether by someone trying to make a little money with ransomware or as a testing ground for a new generation of “script kiddies” playing with their new professional hacking kits and disregarding the consequences.
The Rise of Hackers.Inc
CaaS is in many ways identical to the legitimate tech industry. It operates across multiple verticals, has both B2B and B2C offerings, and has dedicated product teams that will help devastate industries on demand.
This new industry has adopted a software-as-a-service model and has learned from its legitimate predecessors. One example is Darkside, which promises guaranteed turnaround times, offers real-time chat support, produces press releases, and even has a corporate social responsibility statement promising not to attack specific locations. In 2021 it released a statement after being accused of shutting down a vital fuel pipeline in the US with ransomware – it sounded like a press release from any reputable company. Darkside and its competitors value brand reputation as much as profit.
Who are amateur hackers?
Amateur hackers fall into different groups. Some are already engaged in criminal activities. Many criminal gangs are undergoing their own digital transformation, moving from dangerous hands-on activities to ones that can be carried out at arm’s length. This virtualization has also allowed criminals to broaden their targets globally, keeping themselves out of foreign jurisdictions and safe from any extradition agreements. CaaS means that it is possible to make this change without technical knowledge.
Another group is script kiddies, a term used by the cybersecurity community to make fun of hobbyist hackers who don’t write their own programs. Often assumed to be teenagers, they can be any age, but what they have in common is their use of kits and scripts and a disregard for the consequences of their actions.
The professionalization of these services means that amateur hackers can potentially launch attacks with the same level of sophistication as some APT (Advanced Persistent Threat) groups. This is a major problem for security teams because they don’t know how to assess the threat level of an attack. Is this a random attack from someone testing a kit in their room or part of an ongoing sophisticated campaign using multiple zero-day vulnerabilities?
Since they often don’t fully understand the consequences of their actions, script kiddies can be incredibly dangerous, testing tools on anything from small businesses to critical national infrastructure. However, their naivety and curiosity can also make them easier to catch.
Now everyone’s a target
This new democratization of hacking tools means that no business is immune. In the past, the high cost of hacking – sophisticated tools, specialist knowledge and the risk of being caught – meant that only high-value targets were likely to fall victim.
Reduced costs and lower barriers to entry mean that almost anyone with access to the dark web can now deploy dangerous malware. Earlier this year, Kaspersky discovered a trojan designed to steal credentials that cost only $40. Deploying this type of threat once required a high level of technical sophistication. No more.
With every business now a target, thinking you’re too small to matter to hackers is not an option.