Services: No need to do it yourself
But just as many enterprises no longer build or even deploy their own in-house tools, so too do many criminals outsource the deployment of their misdeeds. Even if you're sick of the endless "-as-a-service" acronyms in IT (Software-, Infrastructure-, Platform-), you'll need add another one: RaaS, or ransomware-as-a-service.
"RaaS providers give their customers fully functional ransomware with a dashboard to track victims and support services should they need it," says Shier. "In exchange, the authors of the RaaS portal ask for either a percentage of the ransom or a flat fee. The only thing left is for the customer to distribute the ransomware, possibly using the services of a spammer purchased separately or by doing it themselves using the knowledge they gained from the tutorials." And if you need more evidence of this in the real world, experts are now beginning to see the Petya ransomware as a RaaS attack.
Ransomware is only one of a variety of attack options, of course. Nathan Wentzler, chief security strategist at AsTech, says that on the dark web you can pay for "more targeted arrangements that can cross the line from mischievous or 'just another attack' to illegal attacks to obtain specific intellectual property, national defense or military information, and other very sensitive (and valuable) data."
Infrastructure: Why buy if you can rent
There are plenty of more mundane IT services that cybercriminals need, and naturally these are also available on the dark web. Email servers, for instance: "The ability to send and receive your mail in an anonymous way is crucial for many, for good and for bad," says Chris Roberts, chief security architect at Acalvio. You can also buy computer time on other types of servers. "Think of them as AWS for the dark net," says Roberts. "Some care what content you have and some don’t."
And if you're looking to set yourself up as the next Dread Pirate Roberts—well, you're going to need infrastructure to sell things, and again, the dark web can provide. "A group calling itself 'TeamZero' is selling a black market framework, which allows 'merchants' to sell just about anything on the dark web," says Wulkan. "They provide a turnkey infrastructure, just like eBay or Shopify—but for illegal goods and services."
Blueprints, consulting, and more
If you're looking to avoid work (and avoid getting your hands dirty), the dark web will connect you with hackers willing to consult on specific tasks for a specific price. Say you're looking to breach a particular organization. "While you may not find organization-specific attack blueprints, like the stereotypical fraternity test file, you can find things like IP addresses, server locations, or device passwords as well as instructions for executing specific attack types on the deep web," says Stu Bradley, VP of cybersecurity solutions at SAS. "These are enough for the skilled adversary to begin a successful campaign. Or, if you’re too busy or perhaps lack the skill to execute an attack yourself, why not subcontract it out to a hacker? You can easily find a hacker to conduct the attack with a guaranteed service level and money back if you’re not satisfied."
Sign up for CIO Asia eNewsletters.