Cybercrooks rapidly ‘going pro’ like legit firms


While small cybercrime organisations typically consist of a few members who operate under a partnership model, most of whom usually have day jobs on top of their role in the group, employees of larger groups tend to lead lives similar to corporate workers at legitimate software companies.

This is from Trend Micro’s Inside Halls of Cybercrime Business report, which examined the operations of small, medium, and large criminal groups.

Large cybercrime organisations tend to have corporate-like departments such as human resources (HR) and information technology (IT), and might even have “employee-of-the-month” recognition programs and performance reviews.

Nilesh Jain, VP of Southeast Asia & India at Trend Micro, said the criminal underground is rapidly professionalising — groups are beginning to mimic legitimate businesses that grow in complexity as their membership and revenue increase.

“Our latest Cyber Risk Index revealed that 89% of Asia Pacific organisations are somewhat to very likely to be compromised in the next 12 months, so this report will aid investigators in the ongoing fight against cybercrime by helping them better understand the criminal entities they are dealing with,” said Jain.  

Using examples where Trend Micro collected the most data from law enforcement and insider information, the report examined three types of cybercrime organisations based on size.

In small criminal businesses like Counter Anti-Virus service Scan4You, members often handle multiple tasks within the group and also have a day job on top of this work.

Small gangs typically have one management layer, up to five staff members, and under US$500,000 in annual turnover. They comprise the majority of criminal businesses, often partnering with other criminal entities.

In medium-sized criminal businesses like bulletproof hoster MaxDedi, members work full-time for the group, managing various tasks within an eight-hour shift.

These typically have two management layers, six to 49 employees, and up to $50 million in annual turnover. They usually have a pyramid-style hierarchical structure with a single person in charge.

In large criminal businesses like ransomware group Conti, members work from home based on a rigid, predictable schedule, and communicate frequently with their line manager about productivity and performance — similar to remote workers at legitimate corporations.

Large gangs typically have three management layers, at least 50 staff members, and over $50 million in annual turnover. They implement effective OPSEC and partner with other criminal organisations.

Those in charge are seasoned cybercriminals and hire multiple developers, administrators, and penetration testers – including short-term contractors. They may have corporate-like departments like IT and HR, and even run employee programs such as performance reviews.

Trend Micro said knowing the size and complexity of a criminal organisation can provide critical clues to investigators, such as what types of data to hunt for. 

Understanding the size of targeted criminal organisations can also allow law enforcers to prioritise better which groups should be pursued for maximum impact.