Criminal groups have work processes like legal companies!

Study: How cybercriminal groups, as they grow in size, begin to develop processes similar to those in legitimate companies

Trend Micro releases a new study on how cybercriminal groups, as they grow in size, begin to develop processes similar to those in legitimate businesses. However, this comes with associated costs and challenges.

Large criminal “enterprises” spend 80 percent of their operating costs on salaries, the report shows. For smaller criminal groups, the proportion is similarly high at 78 percent. Other common expenses include infrastructure (such as servers, routers, and VPNs), virtual machines, and software.

Trend Micro's report distinguishes three types of criminal "enterprises" based on their size. The researchers use selected groups as examples, which are presented using data from law enforcement authorities and insider information.

Small criminal “enterprises” (e.g. the counter-antivirus service Scan4You):

• Smaller criminal “enterprises” usually have their own management level, between one and five employees and an annual turnover of less than 500,000 euros.
• Employees often take on several tasks within the group and have a main job in addition to this “work”.
• They form the majority of criminal “enterprises” and often work with other criminal groups.

Medium-sized criminal “enterprises” (e.g. the “Bulletproof Hoster” MaxDedi):

• These criminal “enterprises” often have two management levels, six to 49 employees and an annual turnover of up to 50 million euros.
• Its structure is pyramid-like and hierarchical with a single person in charge.

Large criminal “enterprises” (e.g. the Conti ransomware group):

• Large criminal “enterprises” typically have three levels of management, more than 50 employees and an annual turnover of over 50 million euros.
• They have a relatively large number of lower management employees and team leaders.
• They implement effective OPSEC (Operations Security) and collaborate with other criminal organizations.
• Those responsible are experienced cybercriminals and hire several developers, administrators and penetration testers - sometimes only as temporary freelancers.
• Some of them have company-like departments (e.g. IT, HR) and even carry out regular personnel management including performance reviews.

As the study shows, knowledge of the size and complexity of a criminal group can provide investigators with important approaches for their work. For example, the data types you need to look for provide a clue. Larger criminal organizations also store employee lists, financial statements, manuals and tutorials. This also includes merger and acquisition documents, details of employees' crypto wallets, and even shared calendars. When law enforcement authorities know the size of criminal groups, they can better decide which ones to pursue as a priority.

“The criminal underground is becoming increasingly professional – with groups that are becoming more and more similar to reputable companies in their processes. “In addition, as the number of members and revenue increases, the complexity increases,” explains Richard Werner, Business Consultant at Trend Micro. “Larger cybercrime groups are difficult to manage and now have a high level of bureaucracy. As with any company, this includes poor performers and trust issues. Our report shows how important it is for investigators to understand the size of the criminal group they are dealing with.”

Further information
The full study Inside the Halls of a Cybercrime Business can be found HERE .

Also read: Bank card theft: How to protect yourself from cybercriminals!