For all the symbols on the picture above, this history could be summed up in one: $

Until 2006, cybercriminals behaved much like thieves in the physical world – trying to reach the “crown jewels” of an organization that held the most profit, then get the money and run.

But that year, something changed. Evgeniy Mikhailovich Bogachev (a.k.a. Slavik) created what initially appeared to be just another interesting malware. It soon solidified his place as one of the top innovators of the cybercrime industry and has become a fundamental milestone in malware evolution.

His invention, Zeus (a.k.a. Zbot), was revolutionary in numerous aspects. First, it was developed as a professional malware kit for criminal groups. Second, and most importantly, it established a new, improved business model for cybercrime. Zeus established a kit for creating banking Trojans, providing malware to be installed on victims’ endpoints, hook to their browsers and try to steal important data that victims entered in website forms – specifically, passwords for online banking accounts.

In September 2013, Slavik released CryptoLocker, the first modern ransomware and another milestone in malware evolution. CryptoLocker is malware that is installed on victims’ endpoints, encrypts their files and demands a ransom in exchange for decrypting the corrupted files. It began the rise of crypto-ransomware we’re still experiencing today.

6 Reasons Why Cybercriminals Love the New Business Model

Both Zeus and CryptoLocker created a new type of business model for cybercriminals: rather than concentrating all their efforts on penetrating high-quality targets, they can steal small amounts of money from numerous victims.

The business model of distributed cybercrime has made some attackers multi-millionaires in a short amount of time due to its many business benefits:

  1. Attacks require less effort as they target “low-hanging fruit” (i.e., individuals or organizations with sub-par security)
  2. Attack skill level is low compared to techniques such as spear-phishing – regular ol’ phishing is good enough for weak targets
  3. Highly coveted zero-day vulnerabilities are no longer required for profitable attacks – mainstream CVE vulnerabilities with known exploits and existing patches will do, as many victims don’t patch regularly
  4. Any standard endpoint is a potential source of revenue, making lateral movement toward the crown jewels irrelevant
  5. When you attack the world, the sky is the limit – the amount of potential revenues is endless
  6. Less effort and more profit means better ROI

And as long as that ROI stays high, you can expect cybercriminals to invest ever-more resources into developing distributed crimeware to unleash on the widest possible range of targets.