A man with intense eyes crouches over a laptop in a darkened room, his face and hands hidden by a black ski mask and gloves. The scene is lit only by the computer screen’s eerie glow.
Exaggerated portraits of malicious hackers just like this keep popping up in movies and TV, despite the best efforts of shows like Mr. Robot to depict hackers in a more realistic way. Add a cacophony of news about data breaches that have shaken the U.S. government, taken entire hospital systems hostage, and defrauded the international banking system, and hackers start to sound like omnipotent super-villains.
But the reality is, as usual, less dramatic. While some of the largest cyberattacks have been the work of state-sponsored hackers—the OPM data breach that affected millions of Americans last year, for example, or the Sony hack that revealed Hollywood’s intimate secrets—the vast majority of the world’s quotidian digital malice comes from garden-variety hackers.
And for many of those cybercriminals, hacking is as unglamorous as any other business. That’s what a group of security researchers found when they infiltrated a ring of hackers based in Russia earlier this year, and monitored its dealings over the course of five months.
The researchers were with Flashpoint, an American cybersecurity company that investigates threats on the dark and deep web. Their undercover operation began when they came across a post on a Russian hacker forum on the dark web—a part of the internet that’s inaccessible to regular browsers—that read very much like a get-rich-quick ad you might find on Facebook.
“Good day. This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path,” the ad began, according to Flashpoint’s report. “No fees or advance payments from you are required, only a large and pure desire to make money in your free time.”
The post went on to say that candidates weren’t required to have any particular prior experience. “Even a schoolboy” could do the job, the ad said, and the low-risk work came with potentially high rewards. The Flashpoint researchers assumed a fake identity and responded.
They got the job, and were admitted to a small cybercrime ring loosely organized around a single crime boss, who farmed out much of his grunt work to a group of 10-15 “affiliates.” The group specialized in ransomware, a type of virus that infects a computer or server and locks away its contents with strong encryption. The attacker then demands a ransom—any amount from several hundred to several thousand dollars—in exchange for the keys that will free the encrypted files.
In the crime ring, the business relationship was clearly delineated: The boss programmed custom ransomware viruses, which he then distributed to his affiliates. It was the affiliates’ job to infect targets and demand the ransom. Once they deployed the malware, the easy part of the job fell to the boss. He communicated with victims, extracted ransoms via Bitcoin, and shared 40 percent of each payment with the affiliate.
To convince the boss of their fake identities as Russian hackers, the Flashpoint researchers played along with his demands. “He thought that we were actually committing crimes,” said Andrei Barysevich, the firm’s director of Eastern European research and analysis. “He thought that we were infecting random people’s computers, and that we received payments from them, when in reality it was us doing it all in house: We infected our own computers, we made our own payments.”
Barysevich would not reveal how many computers the researchers infected, or how much money they paid out to the ransomware boss.
Posing as one of the kingpin’s 10 or 15 affiliates, the researchers found that they were afforded a surprising measure of independence. Affiliates were expected to find their own victims and set their own ransom demands. Some preferred to cast as wide a net as possible, using networks of compromised computers called botnets to infect many computers at once. Others preferred to chase high-value targets like rich individuals or critical services—think hospitals or government agencies—that might be willing to pay much higher ransoms to regain access to their systems.
Flashpoint found that the average payout from a successful ransom ask was about 300 dollars. But not every infection led to a payout: In a large-scale, opportunistic attack, between 5 and 10 percent of victims actually pay the ransom, Barysevich said. With 10 or 15 associates working to infect new victims, the crew was only able to extract an average of one ransom a day.
Nobody’s getting filthy rich with that sort of cash flow, but the ransomware boss certainly makes out well. The ringleader made about 7,500 dollars a month, Flashpoint estimated—about 17 times the average monthly salary in Russia. Even the boss’s affiliates, who get less than half of each ransom that they extract, make a decent wage. They earned an average of 600 dollars a month, or about 40 percent more than the average Russian worker.
That’s a pretty good salary for a position that doesn’t require sophisticated technical skills. Barysevich says most affiliates relied on other people for the tools they needed to infect computers, like buying already-established botnets. Cooperative models that free cybercriminals from having to actually program a virus have opened up the criminal-hacking field, allowing a much larger and more diverse group of people to enter.
“It is easier for someone without any technical knowledge, without any engineering skills, to engage in cybercriminal activities right now, compared to, say, five years ago,” Barysevich said. “And it will get even easier in the coming years.”