Microsoft Reveals the Cost Hackers Pay to Steal Your Data
Over the past two years, the world has witnessed a dramatic increase in the number and complexity of cybercrime attacks. The true scope of attacks is largely unknown because not all victims publicly release attack data. However, based on reported data, we know that in 2021 government institutions, education, healthcare, services, technology, and manufacturing were the hardest-hit industries. The drastic increase in attacks can be attributed to our shift to work-from-anywhere, geopolitical tensions, wide availability of hacking tools, and state-sponsored funding of attacks. As WatchGuard identifies in their 2022 security predictions, groups selling to state-sponsored organizations are mostly responsible for funding much of the sophisticated threats and vulnerabilities targeting mobile devices. With state sponsorship funding attacks and the rise of ransomware as a service, we’ve witnessed attackers treating their attacks as a true business with profit, loss, cash flow, and even marketing and public image. We even saw a hacking group create a fake company, called Boston Secure, to hire legitimate programmers as part of its expansion into ransomware. The recruits were unwittingly employed in real-life cyberattacks under the guise of red team simulations.
Hackers are treating cybercrime as a real business because to them it is, and the earning potential continues to skyrocket. According to new estimates from Cybersecurity Ventures, ransomware costs are projected to reach $265 billion by 2031. What’s more, they predict, “There will be a new attack every two seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities.”
Like any business, bad actors have expenses, and with the advent of ransomware-as-a-service (RaaS) and hackers for hire, it can be surprising how small an investment it takes to steal your data. According to new research from Microsoft, attackers for hire start at only $250 USD per job, and ransomware kits are available for only $66 USD or 30% of the profit. Compromised devices start at 13 cents per PC and 82 cents per mobile device. Spear phishing for hire ranges from $100 to $1,000 USD. Stolen username and password pairs begin at 97 cents per 1,000 on average.
Average prices of cybercrime services for sale
Just like the supply chains they attack, hackers have their own supply chains of attack services. These supply chains are sophisticated and mature: specialists create attack kits that attackers buy and incorporate into their campaigns. According to Microsoft, “increased demand for these services, an economy of specialized services has surfaced, and threat actors are increasing automation to drive down their costs and increase scale.”
Attackers are also selling compromised credentials, which may have been obtained from phishing, scraping botnet logs, or other credential harvesting techniques; imposter domain names; phishing-as-a-service; and customized lead generation by country, industry, or role.