How modern cybercrime syndicates adopt the ways of enterprise business, reaping the gains and suffering the difficulties.

The old hacker stereotype—the antisocial lone wolf with coding skills—has been eclipsed by something far stranger: the cybercrime enterprise. This mutant business model has grown exponentially, with annual cybercrime revenues reaching $1.5 trillion, according to a 2018 study by endpoint security provider Bromium.

The sophistication of cybercrime operations underpins this scale of damage. The only explanation is that the profit motive is fueling an engine that has driven the creation of effective organizations. But these organizations are curiously subject to many of the vicissitudes of normal business. Perhaps the oddest outcome of this state of affairs is watching global cybercrime syndicates suffer under conventional business problems like PR difficulties.

Lines of business

What we think of as criminal activity, the cybercrime enterprise thinks of as lines of business. Anything that does not drive revenue—hacking for the sake of destruction or personal gratification of some kind—doesn’t figure in here.

The business of for-profit cybercrime can be seen as six main lines:

1. Cyber theft—the act of stealing money or other assets (like user data and intellectual property) from organizations and individuals
2. Illicit data trade—stolen data (think credit card information and other personally identifiable information) is bought and sold and then used to perpetrate further theft
3. Web-enabled black market—web-enabled trade in illegal goods like drugs and wildlife
4. Crime business tools and services—the cybercrime shadow of normal business services, like job boards
5. Crimeware/cybercrime-as-a-service (CaaS)—any of the variety of tools used to enable the other activities, think exploit kits
6. Ransomware/ransomware-as-a-service (RaaS)—encrypting data and holding it for ransom

How are we to understand services like hacker job boards and stolen identity marketplaces? They are like the evil twin of normal services. They serve a business purpose, and if not for the nefarious end goal, they could be perfectly legitimate. They are like a promising student who would succeed if they applied the same effort to studying as they do to cheating. But the reality is, they do serve and enable harmful ends. From the private shock of losing account access to the collective burden of crippled infrastructure, the toll is high.

Numbers across all these lines of business are hard to nail down, but Sophos’s 2020 State of Ransomware study found that “the average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is US$732,520 for organizations that don’t pay the ransom, rising to US$1,448,458 for organizations that do pay.”

HR and PR

Even normal IT employees suffer a high degree of burnout and mental health challenges—imagine all that with the added knowledge that your work is devoted to adding misery to the world.

Some of that can be attributed to simple greed: IT workers in the crime business do stand to make more than their legitimate counterparts. Also, some people just lack a conscience. But here we are talking about sprawling organizations with communities of hundreds of employees. The kind of results achieved requires a high degree of persistent, united effort from many people.

One prominent thing that came out of the Conti leaks prompted by the invasion of Ukraine is just how ordinary the lives and work of modern hackers are. Security researcher Daniel Cuthbert echoes this sentiment, remarking that “What came out of this leak, to me at least, was the mundane aspects of office life. Romance, time off, interacting with colleagues, distrust, etc.” Just normal people, putting in the hours to pay the bills.

The ability to blank out the nature of the work has to be buttressed with some kind of philosophy—some countervailing meaning. Something like: it’s the downtrodden Slavic nations struggling against the greedy American-led West. (This is also the reason for the stated, but loosely implemented, commitment by many ransomware groups not to attack organizations like hospitals.) At the very least, the rule is: we don’t attack our own.

And so we can see clearly the dramatic effect the breakdown of that justification had in the collapse of Conti. By supporting the devastating attack on their fellow Ukrainians, the contract was broken. It was a colossal PR misstep. It resulted in a grievous blow to Conti—to their brand, as many have described it. Many analysts (myself included) believed that Conti would weather the blow diminished but still operational. We underestimated the effects. The model we used was not tuned quite right. In normal business, such a gaffe would mean firing the PR firm, replacing the CMO, perhaps an aggressive rebranding and damage control. Not so in Conti’s case. The blow to the illusion of the work being just was existential. The cognitive dissonance simply became too much. Conti appears to be no more.

Cybercrime enterprise has embraced the utility of PR. It has become common practice to issue press releases regarding prominent hacks. The promotion of the Costa Rica attack by Conti was a bid, though ultimately unsuccessful, to remain relevant. For cybercrime, image is important as a way to both attract workers and menace victims. Another way ransomware gangs have figured out to use the media is in threatening to release stolen information.

The big picture

Like conventional organized crime, there is a certain interface between cybercrime groups and corrupt or unethical government elements. In cybercrime enterprise, the distributed, flexible power of the web has meant a growing interplay between hacking and nation states. It is virtually impossible to completely disentangle them. Cyberspace has become a key realm of activity for all, including nations in their jockeying for power and status.

Much of enterprise crime thrives with implicit or explicit government support and may in fact be espionage and sabotage harnessed to a business model. Where is the line between cyberwarfare and cybercrime? It’s tough to say. It’s a strange business.