Lucrative Malware as a Service Catches Fire for Malicious Hackers

During the last several years, software as a service (SaaS) has become the norm — and that goes for malware software, too. In fact, bad actors increasingly are using malware as a service.

When examined from an economic perspective, this trend makes perfect sense. Being able to lease malware gives wannabe malicious hackers a chance to make some money, even if they have almost no computer skills. They simply lease the malware from a cloud service, customize it, then set out to infect the world.

On the flip side, criminals with computer skills have plenty of incentive to offer their wares as a service.

The most obvious incentive is that malware authors can potentially make more money through leasing their services to others rather than trying to spread an infection themselves. In most cases, malware authors simply take a cut from every ransom paid to someone who leases their service.

Leasing malware to others may also help to reduce the author’s risk of getting caught. Say a malware-as-a-service author poses as a legitimate security consultant and markets his or her wares as cybersecurity testing tools. That way, if authorities ever question the malware author, he or she has plausible deniability. After all, many vendors create security tools, and it’s not their fault if a customer uses a tool maliciously.

So if a cybercriminal has the computer skills to create an entire malware-as-a-service platform, why use those skills to develop malware? After all, there are plenty of other ways for a skilled software developer to make money.

Malware Pays Off

While some malware authors just want to watch the world burn, for most, it is a way to make money.  According to PayScale, the average software developer makes $71,150 per year.

Ransomware has the potential to be even more profitable. Consider, for example, that a 2019 ransomware attack against Virtual Care Providers demanded $14 million in bitcoin.. While this particular company did not pay the ransom, experts say the same Ryuk ransomware used in that attack earned about $3.7 million in the last five months of 2018.

Of course, if cybercriminals offer their ransomware as a service, then the original author is not collecting the full ransom. The customer leasing the ransomware presumably gets the lion’s share, while the author earns a small percentage as a commission.

So with that in mind, let’s pretend that one malware-as-a-service subscriber was responsible for collecting all $3.7 million in RYUK ransoms. Let’s also pretend that the person responsible for infecting all those systems had to pay a 10% commission to the ransomware author. That would mean the ransomware author would earn about $370,000 over five months.

This is far more money than the author could ever hope to make working a corporate job. In fact, $370,000 spread evenly over five months works out to $74,000 per month. That’s more than the entire average annual salary of a corporate software developer.

Of course, if someone has the skills necessary to build an entire malware-as-a-service platform, then that person is more than just a software developer. He or she also has a considerable amount of security knowledge. Even so, the person could probably make more money creating malware than working as a white hat security consultant.

Bug Bounties

In recent years, it has become fairly common for large tech companies to offer bug bounties. In other words, companies such as Microsoft and Facebook offer to pay hackers who can find security holes in their software. This gives the companies a chance to patch the holes before bad guys exploit them.

With that in mind, imagine that a gray hat hacker found a serious security flaw in a major online platform. While the tech company whose software is affected would likely be willing to pay for information about the vulnerability, the same information would probably be worth a lot more if sold to hackers on the black market.

Unfortunately, I don’t see the malware-as-a-service trend slowing down any time soon. Malware is just too financially rewarding for both the malware author and the wannabe hacker who subscribes to the service. The only good news is that companies are getting better at preventing infections since ransomware has become so prevalent.

Brien Posey is the vice president of research and development for Relevant Technologies. He writes technical content for a variety of publications and websites.