It may not be fair, but cyber crime is cheap. How cheap? You can buy ransomware for as little as $66, or hire a threat actor for $250. And if you look hard enough, you can even get a phishing kit for free on underground forums. Although these illicit methods may not be expensive, the damage they inflict can be substantial.

The low cost of cyber crime is one of the reasons the number of incidents has increased. This should raise the concern of any business or organization with an online presence. Let’s unpack how companies can protect themselves.

They’ve all gone phishing

Phishing has become more popular than ever. According to the FBI’s Internet Crime Complaint Center, the number of phishing complaints more than doubled in 2020 to 241,342 cases compared to the prior year. From there, attacks doubled again as phishing reached a monthly record in Q3 2021, according to a recent report from the Anti-Phishing Working Group (APWG).

The total number of incidents (reported and unreported) must be higher. A record 2 million phishing sites were reported in 2020, the most in a decade. This comes as no surprise, as phishing kits are so cheap.

Anyone can get a phishing kit

Phishing kits are .zip files with all the scripts required to deploy an attack. These kits enable anyone with minimal programming skills to unleash massive ransomware campaigns. In 2019, the average price of a phishing kit was $304, with prices ranging between $20 and $880.

Recently, Microsoft discovered a campaign that used 300,000 newly created and unique phishing subdomains in one massive run. Microsoft also identified a phishing-as-a-service organization known as BulletProofLink. It resembled any other software-as-a-service brand, with tiered service levels, email and website templates, hosting, a newsletter and even 10% off your first order.

Meanwhile, even attackers get targeted. Some phishing kits have been unlocked and posted for free on dark web forums.

Average cost of a ransomware attack

On the other hand, suffering attacks is expensive. According to the IBM Cost of a Data Breach report, in 2021 the average cost of a ransomware attack totaled $4.62 million (not including the ransom, if paid). Compare that to the $66 attackers can pay for a ransomware kit.

Before you quit your day job to become a threat actor, be aware that the law is also ramping up investigative efforts. There’s even some evidence that the FBI can now track and recover funds paid in cryptocurrency.

Bigger, more sophisticated threats

While ransomware makes the headlines, other, more sophisticated attacks reveal just how far threat actors will go to steal from you. Consider the case of Evaldas Rimasauskas, who, along with his co-conspirators, set up an actual company in Lithuania to mimic Quanta Computer, a Taiwan-based business partner of Google and Facebook.

From there, the imposter company sent phishing emails with fake invoices attached. Before they got caught, they fooled Google and Facebook into paying more than $100 million to bank accounts in Latvia and Cyprus.

Ransomware prevention

Cyber crime continues to increase in scope and depth. Inexpensive phishing attacks lead to higher attack volumes, and phishing accounts for ransomware infections 42% of the time. Another 42% of ransomware attacks occur via exposed Remote Desktop Protocol (RDP) services. Attacks on RDP services use brute force, weak credentials or phishing to gain access to legitimate usernames and passwords.

Due to the sheer volume and sophistication of attacks, piecemeal security measures are increasingly inadequate. That’s why security experts have also been hard at work to provide viable and effective solutions.

One way organizations are responding is by moving towards a zero trust approach. We can think of it this way: when someone rings your doorbell at home, you check to see who it is before you open the door. Zero trust runs on the same basic premise. Every user, device and connection must be verified, every time.

Zero trust

As the threat landscape becomes more treacherous, better defenses are required. Zero trust incorporates some of the most advanced security methods to keep the growing tsunami of attacks at bay. Some of the methods used in zero trust strategies include:

  • Encrypt and back up your most valuable data
  • Embed artificial intelligence with analytics and deep learning for proactive protection and more accurate detection
  • Add threat response automation and analysis for a faster response
  • Collaborate with hundreds of thousands of users to detect and alert about emerging threats and vulnerabilities as early as possible
  • Identity Access Management (IAM) – Centralized workforce and consumer identity and access management in a single, cloud-native identity solution
  • Secure access service edge (SASE) – A framework that converges network and network security functions into a single cloud service model. Helps authenticate and authorize users anytime, anywhere using a least privilege model.

Fear the future or seize the day?

While no business enjoys having to deal with growing security concerns, modern solutions can also enhance business function. If we take a closer look at SASE, we can see how this win-win scenario unfolds.

Since companies need anytime, anywhere access from any device for their users and third parties, organizations are moving away from virtual private networks. We all want low latency and seamless user experiences. Reliable, real-time context and secure application access to the public cloud are critical for IT and business teams today. This is made possible by SASE, which, in turn, beefs up security.

So yes, threat actors are busier than ever. They have access to cheap attack methods, or they cook up complex schemes. But solid, robust security responses exist as well. They can even be good for business in many other ways. And that’s good news.
