
How These Cybercrime Businesses Typically Operate

  • mike979706
  • Sep 7
  • 2 min read

Updated: 5 days ago

by: Michael M. Ralph | Cybersecurity, Legal Services


Here's a breakdown of how a typical cybercrime business operates, especially those behind large-scale attacks like ransomware, phishing, or data breaches. It mirrors a legitimate startup in many ways, but its product is crime.


1. Business Model Selection

Cybercriminals choose a model that generates profit:


Model                              Description

Ransomware-as-a-Service (RaaS)     Sell or rent ransomware tools to affiliates. The creator gets a cut of ransom payments.

Phishing-as-a-Service (PhaaS)      Provide phishing kits or spoofed sites for a fee.

Data Breach and Sale               Steal data and sell it on dark web markets.

Credential Stuffing                Use leaked passwords to break into other accounts. (Huge Topic)

Cryptojacking                      Hijack devices to mine cryptocurrency.


2. Team Structure

Just like a legitimate company:


Role                 Function

Developers           Build and update malware, phishing kits, exploits

Operations           Manage infrastructure (servers, VPNs, botnets)

Social Engineers     Craft emails, voice calls, or messages to manipulate targets

Sales/Support        Communicate with victims (e.g., via ransomware chat portals)

Money Mules          Launder the profits through crypto or shell accounts


3. Tool Development or Purchase


They either:

  • Build in-house malware or attack tools

  • Buy/rent from black markets (e.g., exploit kits, zero-day vulnerabilities, phishing templates)

Think of it like software licensing, but for crimeware.


4. Target Acquisition


Targets are selected through:

  • Reconnaissance (scanning for vulnerabilities or open ports)

  • Data mining (buying breached credentials or insider info)

  • Social engineering (LinkedIn profiling, email scraping, etc.)


They often go for:

  • Organizations with weak defenses

  • High-value targets (e.g., hospitals, municipalities) holding large volumes of sensitive records

  • Employees susceptible to phishing


5. Execution of the Attack


Once targets are picked, they launch:

  • Phishing campaigns to deliver malware or steal credentials

  • Exploit-based intrusions via vulnerabilities

  • Credential stuffing attacks from leaked databases

  • Drive-by downloads through malicious ads or fake sites
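Of the four attack types listed above, credential stuffing is the one that leaves the clearest fingerprint in a defender's own authentication logs: one source address trying many different usernames, each only once or twice, with almost every attempt failing. The following is an added example (not code from the original post or its author) that scores login events by source address and flags sources matching that profile. The log format, field names, sample lines and thresholds are all constructed for the example.

```python
"""Detect credential-stuffing patterns in authentication logs (added example).

Credential stuffing replays leaked username/password pairs against a login
endpoint. Unlike a brute-force attack on one account, it fans out across many
*different* accounts from the same source, with a low per-account attempt count
and a high failure rate. This heuristic looks for exactly that shape.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical "auth.log" style (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth: result=FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z auth: result=FAIL user=bob src=203.0.113.7
2024-05-01T10:00:02Z auth: result=FAIL user=carol src=203.0.113.7
2024-05-01T10:00:03Z auth: result=OK user=dave src=203.0.113.7
2024-05-01T10:00:03Z auth: result=FAIL user=erin src=203.0.113.7
2024-05-01T10:00:04Z auth: result=FAIL user=frank src=203.0.113.7
2024-05-01T10:00:05Z auth: result=FAIL user=grace src=203.0.113.7
2024-05-01T10:00:06Z auth: result=FAIL user=heidi src=203.0.113.7
2024-05-01T10:00:07Z auth: result=FAIL user=ivan src=203.0.113.7
2024-05-01T10:00:08Z auth: result=FAIL user=judy src=203.0.113.7
2024-05-01T10:01:00Z auth: result=FAIL user=alice src=198.51.100.20
2024-05-01T10:01:05Z auth: result=FAIL user=alice src=198.51.100.20
2024-05-01T10:01:09Z auth: result=OK user=alice src=198.51.100.20
2024-05-01T10:02:00Z auth: result=OK user=bob src=192.0.2.44
"""

# Hypothetical line layout: timestamp, result, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # users that succeeded from this source


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def aggregate_by_source(events):
    """Group login events by source address and count attempts, failures and users."""
    stats = defaultdict(SourceStats)
    for _ts, result, user, src in events:
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(user)
    return stats


def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.8):
    """Return {src: finding} for sources matching the stuffing profile.

    A source is flagged when it has tried at least `min_users` distinct accounts
    and at least `min_fail_ratio` of its attempts failed. Thresholds are
    constructed for the example; tune them against real baselines.
    """
    findings = {}
    for src, s in aggregate_by_source(parse_log(text)).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            findings[src] = {
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that logged in successfully from a stuffing source
                # are the ones to reset and notify first.
                "likely_compromised": sorted(s.compromised),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {finding}")
```

On the sample data only 203.0.113.7 is flagged: ten distinct accounts, nine failures out of ten attempts, and one success (dave), which is the account to reset first. The second source (198.51.100.20) fails twice against a single account before succeeding, which is an ordinary mistyped password, not stuffing; counting distinct usernames rather than raw failures is what separates the two.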


6. Monetization


How they profit:

  • Ransomware: Demand Bitcoin to unlock files

  • Data theft: Sell PII, credit cards, or trade secrets

  • Bank fraud: Transfer funds or commit identity theft

  • Crypto mining: Use infected machines for profit


They typically:

  • Use cryptocurrency to receive payments

  • Launder money through mixers, exchanges, or mules


7. Evade Detection


To stay operational:

  • Use bulletproof hosting (ISPs that ignore abuse complaints)

  • Routinely rotate infrastructure

  • Employ encryption and obfuscation in code

  • Keep a low profile when needed, avoiding unnecessary noise


8. Reinvest & Scale


Like any business, profits are reinvested:

  • Hire more talent (e.g., on dark web job boards)

  • Acquire better tools or stolen data

  • Increase campaign reach or automation

  • Improve customer support (some offer real-time ransomware support chats!)


Example: Ransomware-as-a-Service (RaaS)


A real-world example looks like this:

1. RaaS developer creates the ransomware code and infrastructure.

2. Affiliates sign up to distribute it (via phishing, exploits, etc.).

3. Victims get infected and see a ransom note.

4. The affiliate gets a share (e.g., 70%) of ransom payments; the RaaS operator gets the rest.

5. Everyone profits and reinvests into future attacks.


They operate the same way your marketing team does with your customers. They run campaigns, track their conversions, make the calls, and measure the results.


Thank you for reading.
