Q&A with Andrei Barysevich, director of advanced collection at threat intelligence firm Recorded Future

SC: How do the operators on the dark web use the services: for DDoS attacks, for ransomware attacks?

Barysevich: The DDoS operators represent a significant portion of illicit business offered to cybercrooks. Not that long ago, we researched hidden marketplaces and communities and identified at least 50 vendors offering DDoS-for-hire services. Although mostly used to attack legitimate companies and often hired by dishonest business people, it is not uncommon to use DDoS in turf wars among bad guys. Rivals commonly target marketplaces specializing in compromised payment information and underground forums. 

Ransomware as a service (RaaS) is the latest trend among vendors. First spotted at the end of last year, it quickly has become the de facto standard, no longer requiring actors to make significant upfront payments, but rather providing malware free of charge and splitting future earnings.

SC: How much technical sophistication must one have to use these services?

Barysevich: Criminals need very little knowledge to use these services. Almost anything can be bought, including spam campaigns, malware file cleaning and obfuscation, guaranteed installations by potential victims and cash-out of dirty funds.

SC: What type of cybercriminal thrives on the dark web?

Barysevich: To our surprise, the most successful cybercriminals do not necessarily have a good education and fancy degrees, but rather, a systematic and persistent work ethic. Think regular folks with an unconventional way of thinking, willing to learn new skills and pivot quickly and efficiently utilizing obtained knowledge.

Very often, the information is hidden in plain sight and available to anyone. However, not everyone can recognize the value of it and use it efficiently. As an example, a compromised database of a random company is available for sale. Novice criminals might mine a list of associated emails, use it in the standard spamming campaign and discard it. More sophisticated crooks will research the company, its management and publicly available financial information. An email correspondence can be intercepted and examined to learn sensitive details about the business and its partners. Eventually, to maximize potential profits, gathered data would be used to develop an optimal attack vector, often involving a multi-stage approach.

SC: What sorts of criminal activity yield the biggest gains?

Barysevich: Any cybercriminal activity can be very lucrative, as long as a bad actor is thinking outside of the box. 

As a rule of thumb, financial crime was always one of the most profitable underground venues: interception of banking login credentials and subsequent cash-out of funds via unauthorized transfers.

Despite extensive media coverage, targeted spear-phishing campaigns against businesses, luring decision-makers into making wire transfers often in excess of hundreds of thousands or millions of dollars, are still an ongoing problem.

Criminals are also shifting from encrypting business networks with ransomware to more lucrative methods of extortion, often directly engaging the victim and demanding significantly larger payoffs for stolen data.

SC: What can be done to stop the bad operators?

Barysevich: Let's be honest: The internet isn't going anywhere. Our society has never been more demanding and mobile. We rely on instant accessibility to services, commerce and healthcare. With convenience comes the risk, and bad players recognized it first. The underground economy is here to stay and will only grow going forward. As law enforcement might catch up with Russian cybercriminals and put a dent into their operations, new players from South America and Asia are entering the scene.

Every organization is different and we should honestly admit that it is impossible to stop every bad actor. The primary goal should not be preventing every single attack, but rather making it as challenging as possible for attackers to succeed. A contingency plan should be in place, in cases where a breach has occurred, effectively minimizing the damage.

SC: Can dark web operators be caught and prosecuted?

Barysevich: Even the most notorious cybercrooks are arrested sooner or later. I would say it's an inevitable cycle of life. As they begin earning big money, they start losing focus and become careless. On the other hand, those that do not make money consistently and rely solely on criminal endeavors to make a living will eventually engage in riskier operations and will ultimately get apprehended. Police only need to get lucky once; bad actors have to be lucky every time. And the arrest of Yevgeniy Nikulin in the Czech Republic – an alleged hacker of LinkedIn, Dropbox and MySpace – reinforces my point.