Defeating the Organized Cybercrime Ecosystem

The recent attack against users of the Kaseya VSA platform is yet another example of the increasingly organized dynamic of cybercrime. The days of the lone attacker are long gone; these attacks are now big business with significant reconnaissance. Unofficial reports have identified the REvil ransomware threat actors as being behind this supply chain attack. REvil has been attributed to the DarkSide actors who most recently attacked Colonial Pipeline and JBS foods back in May. The Russian-based criminal organization uses a ransomware-as-a-service model; its hackers develop and sell ransomware hacking tools to criminal affiliates, who then carry out the actual attacks.

These attacks demonstrate the fact that an organized cybercrime network is flourishing under the surface. In today’s cybercrime landscape, many cybercriminals are now operating as large, distributed businesses. And many are targeting large corporations and industries or high-profile individuals to get the highest return on their investment – a strategy known as “Big Game Hunting.” 

Beneath the tip of the iceberg

We tend to focus on the attack surface when it comes to cybersecurity, but the reality is, much like an iceberg, there’s so much more lurking beneath the surface. The attack surface is porous. In other words, there are many different vectors and points of entry, and those create vulnerabilities. 

But then, what about the mechanisms – the ways and means of infiltrating those vectors and points of entry? Those represent the phishing emails or other such attempts to exploit the vulnerable surface, so that bad actors can then execute malware or ransomware attacks. But we can’t just focus our efforts in the cybersecurity community on the ways and means. We must remember that what lies beneath the attack surface is an entire, flourishing cybercrime ecosystem. We must start examining how they’re organizing, how they’re creating those weapons and how they’re operating.

Exploring the cybercrime ecosystem

Cybercrime is increasingly organized; there are entire criminal supply chains, which means hacking has become much more sophisticated and dangerous. For instance, more than half of all attacks are managed by cybercrime organizations that are better organized than most companies. They have CEOs, account managers and dedicated call centers that help victims pay their ransoms. Their revenue streams are stolen data and extortion. Their Cybercrime-as-a-Service ecosystem is one of the primary reasons why the cybercrime industry continues to grow dramatically and generates more than one trillion dollars in revenue each year.  

DarkSide is just one example of this type of increasingly organized cybercriminal operation.

Another example is the group known as Sodinokibi (aka REvil), which uses a Ransomware-as-a-Service business model, and recruits affiliates to distribute their ransomware. Their exploits include stealing nearly a terabyte of data and demanding a ransom to not publish it. 

Getting ahead of the criminals

Modern attacks and the increasingly organized cybercrime ecosystem are putting data, assets, and lives at risk. Action must be taken now using a two-pronged approach. First, organizations in the public and private sectors need to collaborate to take down the supply chains of these criminal ecosystems: their affiliates. This will have a tremendous impact because it reduces the profitability for these bad actors, producing a huge ripple effect. Otherwise, this problem will just continue to get worse, with increasingly dire impact.

The other prong is that organizations must become more proactive, using real-time endpoint protection, detection and automated response solutions to make their environments secure. 

Technically speaking, network segmentation, encryption, cyber hygiene and zero-trust policies (and relatedly, zero trust network access) offer protections. Further, these strategies work best when organizations use asset visibility tools to identify their critical assets. Once they know where the data resides, they can create a strategy of proactive protection.

Proactive protection on two fronts

Malicious actors have matured over time, increasing their threat level and their profit. Modern cybercrime has its own ecosystem of affiliates, but that ecosystem is ripe for disruption. Disrupting these “supply chains” is an opportunity to stop criminals in their tracks. Though ransomware affiliates are proliferating, public and private organizations can join forces to dismantle affiliate programs. This is the big picture goal, but on the more micro level, individual organizations can implement proactive security tools to find and eliminate threats before bad actors can score.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
