Cybercrime markets thriving: Darkweb demand exceeds supply by three times

Positive Technologies experts analyzed over 10,000 hack-for-hire and malware-related postings on darkweb markets. Among the key findings:

  • Demand for malware creation is three times greater than the supply
  • The most expensive ready-to-use "package" was malware targeting ATMs
  • The trend of multiple threat actors using the same malware is likely to complicate attribution of future attacks.

The analysis included 25 darkweb sites, in Russian and English, with a total registered user base of approximately three million people. The researchers' interests included completeness of darkweb offerings (whether the advertised tools and services would be enough for a real attack) and the falling barrier to entry (cybercriminals are not requiring deep technical knowledge any longer, and any type of attack is now feasible given sufficient funding).

The researchers examined the costs of cybercrime services across the darkweb. They found, for example, that compromising a site and obtaining full control over a web application may cost a mere $150. A targeted attack on an organization, depending on difficulty, can cost more than $4,500. The most expensive software was malware for ATM logic attacks, with prices starting at $1,500.

The leading type of malware available was cryptominers (20% of the total), followed by hacking utilities (19%), botnet malware (14%), Remote Access Trojans (RATs) (12%), and ransomware (12%). The majority of malware demand (55%) was for creation and distribution.

Research found that current demand for malware creation exceeds the supply by three times, while demand for malware distribution is twice the supply. This mismatch of supply and demand has led to interest among criminals in new tools, which are becoming more readily available in the form of partner programs that include "malware as a service" and malware distribution-for-hire.

Most hack-for-hire requests from would-be buyers involve finding site vulnerabilities (36%) and obtaining email passwords (32%). From sellers, the most commonly-offered services are hacking social network accounts (33%) and email (33%). Analysts at Positive Technologies link these numbers to buyers' interest in reading correspondence. From a technical standpoint, such hacks are also the easiest for attackers to perform.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: "This research shows a burgeoning and evolving darkweb market for cybercrime. As a consequence, approaches to cyberincident investigations have to adapt accordingly. It is important to take these findings into account when analyzing the techniques and tactics used for any particular incident. To have a deep understanding of attacker toolkits, defenders have to study the trends and tools found on the darkweb before they show up on client systems. Perhaps darkweb intelligence will even involve enabling preventive action, as increasing purchases of certain types of illegal software or services can indicate pending attacks."