The business of malware

Malware isn’t just bad software but the focus of a growing criminal industry. Find out how it works, and how it’s making millions

If you think malware is the product of a bunch of hackers hoping to cause some disruption or make a fast buck, think again. These days, malware is a mature and growing business, a serious criminal enterprise involving networks of developers and criminal organisations. Right now, there are teams working on new malware kits and exploits with the aim of selling them on to groups and organisations, so that they can use them for their own criminal or political ends. This is a global industry worth millions or even billions of dollars, and one that touches more and more of us every year.

How, then, do the authors and users of malware make their money? Well, on the one hand you have the various fraudulent or otherwise criminal ways that cybercriminals extract money, either from ordinary members of the public or from businesses and public services. On the other hand, you have a maturing underground service industry that's providing products and cyber-capabilities to other criminals, gangs and even nation states. Between them, they've created a powerful malware ecosystem; one built to exploit every opportunity in an increasingly connected, always-online world.

Making money from malware

From ransomware to extortion to advertising rackets and straight-up theft, there's no shortage of ways that cybercriminals can put malware to use.

  • Identity theft and financial crime: While a growing amount of bank account and credit card theft involves phishing attacks or social engineering, Trojans, keyloggers and other forms of spyware still play a part in the £5.4billion lost in the UK through identity theft every year. Cybercriminals use these malware tools to recover log-in credentials and either steal money directly from your bank account or order goods and services for themselves. They may also use your identity to set up new loans or credit agreements in your name.
  • Partner networks and shopping fraud: Here browser hijackers and other forms of adware continuously direct or redirect you to sites that sell goods or services. In some cases these are actual stores selling software, services or actual goods. In other cases, they're offering counterfeit goods or incredible but non-existent bargains in the hope of stealing your payment card information along the way. Those behind the stores either distribute the malware themselves or rely on the services of a third-party distributor who gets paid for the traffic they bring in.
  • Click fraud: With click fraud the aim isn't so much to defraud affected users as to defraud online media and advertising networks. Malware is used to create a 'botnet' of infected PCs, mobile devices or, increasingly, simpler connected devices such as routers, IP cameras and Internet of Things (IoT) devices. The bots then 'click' on online adverts, boosting revenue for the blog or website that hosts them. New variants do the same thing for Twitch channels, with the botnets watching streams to boost a channel's cashflow or chatting in a channel's chat section.
  • Fake security: In this variant of the classic shoeshine scam, malware or an infected website informs end-users they have malware, then charges for a tool to get rid of it. As you might guess, the tool actually includes more malware, which may be used to infect other systems on the network or for identity theft.
  • Extortion: Now we're onto big-time criminal activity. In some cases, criminals may create or rent a botnet to unleash a coordinated Distributed Denial of Service (DDoS) attack on a company, threatening disruption to their business unless a fee is paid. In other cases they may use malware to infiltrate a network and steal corporate or personal data, threatening the business with exposure unless it pays up.
  • Ransomware: Arguably the biggest growth area in modern malware. Ransomware infiltrates a system and then blocks access to the system and/or encrypts vital data. To get their systems and data back again, the company or user has to pay a fee, which may be anywhere from $100 to $400 (£75 to £300) for an individual user to several million for a large corporation. A 2015 study by TrustWave claimed that cybercriminals using ransomware could earn up to $90,000 (£67,000) a month, while 2017 research from Google suggests that global profits from ransomware had reached $2.5million (£1.86million) per month over the last two years. Hit the right target, and the payout could be even bigger. In June 2017 Nayana, the South Korean webhost, agreed to pay a $1million (£750,000) ransom to unlock its computers.

Malware as a Service

The criminals that put malware to direct use are supported by a fast-growing industry of hackers and developers that provide malware services, either through Darknet forums and marketplaces or through underground websites that, with surprising polish, offer malware and associated services in the same way that a legitimate business might sell webhosting or cloud storage. Some even offer after-sales service, helpdesks and customer support.

Beyond criminals, there's even evidence that some nations or their security services pay for malware or hackers' services, either for espionage or as a means of disrupting other nations. For instance, it's widely believed that the North Korean and Russian governments have sponsored malware used to attack businesses or utilities in South Korea and the Ukraine.

These services might include:

  • Ransomware kits: Want to get started in the ransomware racket, but don't have the technical skills to build your own? You can buy an off-the-shelf kit with an easy-to-use dashboard and start your attacks straight away. Kits might cost anywhere between $175 and $6,000 (£130 to £4,500), but that's a small investment if you can achieve a $90,000 (£67,000) monthly turnover. Alternatively, the ransomware creator may simply want a percentage of the ransom, using affiliate schemes like those used by legitimate Web businesses. It's estimated that some schemes, like those based on the Cerber ransomware family, have netted the original developers an average of $1million (£750,000) p.a.
  • Malware Kits and Exploit Kits: Malware developers make a lot of money developing toolkits for criminal use. Malware Kits come with the files and instructions needed to package malware in documents or emails. Exploit Kits are designed to sit on a compromised site or a webserver, then scan any systems that connect to that server for any vulnerabilities that can be used to infect that system with malware. Some kits are available for purchase, while others may be rented, with upgrades and support thrown in, for hundreds of dollars per month.
  • Botnet herding: Here, malware is used to create, manage and control multiple botnets, which the malware service provider can then sell or lease to interested parties. Many will be used for targeted DDoS attacks, brute-force hacking attempts, spam distribution or click fraud and Twitch fraud. Renting out a botnet could bring in anywhere between $200 (£150) and $2,000 (£1,500) a month, depending on the number and capabilities of the bots. At one point Georg Avanesov, mastermind of the Bredolab botnet, was earning over 100,000 Euros (at the time £80,000) a month.

Malware is a big business with opportunities for massive profits, so it's no wonder that the developers, hackers and criminals involved put so much effort into targeting businesses and individuals and the applications that they use. It's also why it's so important that organisations protect themselves with the right network and endpoint security strategy; one that protects their systems against infection and enables them to recover quickly from attacks. After all, when malware is a growing industry, you don't want your business to fuel its growth.
