Cost of pwnership: how black market tools and services facilitate the operation of cybercriminal enterprises

Friday 5 October 09:30 - 10:00, Green room

Loucif Kharouni (Deloitte)

Deloitte TIA seeks to understand financial relationships as part of a broader criminal enterprise. We believe that interesting observations can be drawn by looking at cybercriminals from the perspective of business operations. We begin by seeking answers to the questions: 'What are the most commonly used tools and services sold on underground markets?' and 'What are the average estimated cost of these tools and services?' From here, we can ask critical questions including: 'Which tools are required to operate real-world criminal enterprises?' and 'What are the estimated operating costs of various cybercriminal enterprises?'. We can then examine and compare these criminal enterprises to determine which are the most affordable - from both cost-of-entry and routine operations standpoints.

We began our investigation by looking at the most common services, enablers and tools independently. This allowed us to gauge the average estimated cost in each of these categories. Next, we explored how these related to one another in the context of a criminal enterprise by identifying which were necessary to perform several of the more common malicious activities.

Our investigation led us to several conclusions. First, the underground economy is a diverse but interrelated ecosystem where nearly every criminal enterprise incorporates multiple related, but discrete tools and services. Even the most basic criminal enterprise requires several different tools or services - and all are readily purchased on the black market. Next, we observed that threat actors generally use two business models. In the first, actors offer a low-cost but broadly used tool or service at a large scale. Conversely, a threat actor can pursue a more specialized service that is offered at high cost to comparatively few clients. Finally, we determined that the operational costs of an efficient criminal enterprise can vary widely based on the skill and resource requirements which underlie the good or service. We estimate that some common criminal enterprises can be operated for as little as $34 a month while others may routinely require nearly $3,800 or more.



Loucif Kharouni


Other VB2018 papers

An international 'who-cares-ometer' for cybercrime (partner presentation)

Stephen Cobb (ESET)

Who wasn’t responsible for Olympic Destroyer?

Paul Rascagneres (Cisco Talos)
Warren Mercer (Cisco Talos)

Behind the scenes of the SamSam investigation

Peter Mackenzie (Sophos)
Andrew Brandt (Sophos)

Back to VB2018 Programme page

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.