Some years ago, I helped respond to a ransomware attack on a hospital. It wasn’t the intended target of the amateur hackers responsible, but when they tried to undo the damage they had caused, their decryption tool didn’t work — instead of unlocking the data, it trashed it. Amateurs can wreak as much havoc as professional hackers, whether by accident or design.
Hacking was once a hobby, but now it’s a $6tn industry. A growing part of that business is selling cybercrime-as-a-service (CaaS) suites that offer hacking tools, ransomware, stolen credentials and even insider information. Like any ecosystem, it’s not only the hackers who are turning a profit but the teams who are creating and updating these tools and services.
Just as legitimate software developers find success through creating user-friendly programs and offering regular updates and user support, so do the bad guys. This professionalization of hacking and the dark web has started a cycle anew, enabling a new wave of amateur hackers that can disrupt businesses without deep technical knowledge. In the same way that word processors supported amateur writers and blogging software gave citizen journalists an easy route to publication, these tools make illegal hacking simple, cheap and accessible.
Suppose hacking is available for anyone to “have a go.” In that case, every business is at risk of attack, whether that’s from anyone trying to make a bit of cash from ransomware or even being a testing ground for a new generation of “script kiddies,” playing with their new souped-up, professional hacking kits and disregarding the consequences.
The Rise of Hackers.Inc
CaaS is in many ways identical to the legitimate tech industry. It operates through multiple verticals, has both B2B and B2C offerings and has dedicated product teams who will help devastate industries on request.
This new industry has matured into a software-as-a-service model and has learned from legitimate predecessors. One example is Darkside, which promises guaranteed turnaround times, offers real-time chat support, produces press releases and even has a corporate social responsibility statement promising not to attack specific locations. In 2021, it issued a statement after it was blamed for shutting down a vital US fuel pipeline with ransomware – it looked like a press release from any reputable business. Darkside and its competitors value brand reputation just as highly as profits.
Who Are the Amateur Hackers?
Amateur hackers fall into different groups. Some are already engaged in criminal activity. Many criminal gangs are undergoing their own digital transformation, shifting from dangerous hands-on activities to those that can be done at arm’s length. This virtualization has also enabled criminals to expand their targets globally, keeping themselves out of foreign jurisdiction and safe from any extradition arrangements. CaaS means it’s possible to make this shift without a technical background.
Another group is the script kiddies, a term used by the cybersecurity community to mock amateur hackers that don’t write their own programs. Often assumed to be teens, they could be any age, but what they have in common is their use of kits, scripts and a disregard for the consequences of their actions.
The professionalization of these services means that amateur hackers can potentially launch attacks with the same level of sophistication as some APT (Advanced Persistent Threat) groups. This is a major issue for security teams as they don’t know how they should assess the threat level of an attack. Is it a random attack from someone testing a kit in their bedroom or part of a sophisticated ongoing campaign using multiple zero day vulnerabilities?
As they often don’t fully understand the consequences of their actions, script kiddies can be incredibly dangerous, testing tools on anything from small businesses to critical national infrastructure. However, their naivety and curiosity can also make them easier to catch.
Now Everyone Is a Target
This new democratization of hacking tools means that no business is safe. The high cost of hacking – sophisticated tools, specialist knowledge and the risk of being caught meant only high-value targets were likely to be victims.
The reduction of costs and the lowering of barriers to entry means almost anyone with access to the dark web can deploy dangerous malware without these costs. Earlier this year, Kaspersky uncovered a trojan designed to steal credentials that cost only $40. Deploying this type of threat required a high level of technical sophistication. Not anymore.
With every business now a target, thinking you’re too small to matter to hackers is not an option.