During the last several years, software as a service (SaaS) has become the norm, and that goes for malware, too. In fact, malware is increasingly being made available to bad actors on an as-a-service basis.
When examined from an economic perspective, this trend makes perfect sense. Being able to lease malware gives wannabe bad actors a chance to make some money, even if they have almost no computer skills. They simply lease the malware from a cloud-based service, add a few basic customizations, and then set out to infect the world.
On the other side of the coin, criminals who do have computer skills have plenty of incentive to offer their wares as a service.
The most obvious incentive is that malware authors can potentially make more money by leasing their malware to others than by trying to spread an infection themselves. In most cases, the malware author simply takes a cut of every ransom paid to someone who leases the service.
Leasing malware to others may also help to reduce the author’s risk of getting caught. Say a malware-as-a-service author poses as a legitimate security consultant and markets his or her wares as cyber security testing tools. That way, if the malware author is ever questioned by the authorities, he or she can claim plausible deniability. After all, lots of vendors create security tools, and it’s not the vendor’s fault if a customer uses a tool for malicious purposes.
So, if a cyber criminal has the computer skills to create an entire malware as a service platform, why use those skills to develop malware? After all, there are plenty of other ways for a skilled software developer to make money.
While I’m sure that some malware authors just want to watch the world burn, for most, malware is a way to make money. According to PayScale, the average software developer’s salary is about $71,150.
Ransomware has the potential to be even more profitable. Consider, for example, that a 2019 ransomware attack against Virtual Care Providers demanded $14 million in Bitcoin. While this particular company did not pay the ransom, the same Ryuk ransomware used in that attack was estimated to have earned about $3.7 million in the last five months of 2018.
Of course, if cyber criminals are offering their ransomware as a service, then the ransomware's original author is not collecting the full ransom. The customer who is leasing the ransomware presumably gets the lion's share of the ransom, with the author earning a smaller percentage as a commission.
So with that in mind, let's pretend that one malware-as-a-service subscriber was responsible for collecting all $3.7 million in Ryuk ransoms. I have no way of knowing who was actually involved, or how much each person earned, but let's just go with this as an example. Let's also pretend that the person who was responsible for infecting all those systems had to pay a 10% commission to the ransomware author. That would mean that the ransomware author would earn about $370,000 over a five-month period.
This is far more money than the author could ever hope to make working a corporate job. In fact, $370,000 spread evenly over five months works out to $74,000 per month, which is more than the entire average annual salary of a corporate software developer.
Of course, if someone has the skills necessary to build an entire malware as a service platform, then that person is more than just a software developer. He or she also has a considerable amount of security knowledge. Even so, the person could probably make more money creating malware than working as a white hat security consultant.
In recent years, it has become a fairly common practice for large tech companies to offer bug bounties. In other words, companies like Microsoft and Facebook offer to pay hackers who can find security holes in their software. This gives the companies a chance to patch the holes before they can be exploited.
With that in mind, imagine that a gray hat hacker found a serious security flaw in a major online platform. While the tech company whose software is affected would likely be willing to pay for information about the vulnerability, the same information would probably be worth a lot more if sold to criminal buyers on the black market.
Unfortunately, I don’t see the malware-as-a-service trend slowing down any time soon. Malware is just too financially rewarding for both the malware author and for the wannabe hacker who subscribes to the service. The only good news is that ransomware has received so much attention in recent years that companies are getting a lot better at preventing infections.