
Robot vs. Robot - May the Best AI Win


by: Mikko Hyppönen

Mikko Hyppönen from WithSecure reflects on the evolution of fighting cybercrime from the early days to the present and beyond.

I’ve been in this industry forever. I still remember combating teenage boys who were writing malware for fun. Back then, money was not a motive at all. Nobody was writing viruses and hacking servers to make money.

Cybercrime - It Became Mostly About the Money

I remember predicting that one day virus writers could start to make money with their attacks. Some people found that scenario unbelievable, but that’s exactly what happened. The change started for real around 2003, when spammers sending junk email joined forces with malware writers.

Initially, the most efficient way to stop spam email was to compile a list of the email servers being used for spamming and then just blacklist the servers. Spammers tried to work around this by deploying new servers continuously, but that only got them so far.

Spammers then figured out that they could use infected home computers to reroute spam mails. As an end result, infected home computers quickly became a tradable commodity. The sellers were virus writers who, for the first time, could make money with their malware writing. This was a clear turning point. The age of career criminals in malware had started. Eventually, malware used by criminals would migrate from spam botnets to new areas, such as keyloggers, banking trojans and ransomware.

Cybercrime Unicorns, a Prediction

A couple of years ago, I coined a new term: cybercrime unicorns. Here, "unicorns" refers to technology startups with billion-dollar valuations. I had started wondering whether we would eventually see professional cybercrime groups wealthy enough to be considered unicorns.

The amount of money taken in by cybercrime gangs has more or less doubled each year. In addition, the assets owned by the gangs have continued to increase in value. This is because cyber criminals do not store their wealth in dollars or euros: they keep it in Bitcoin. Five years ago, we knew of several gangs worth around $10 million. In five years, the increase in value of one Bitcoin has changed that $10 million to $100 million.

Cybercrime as Professional Business

Attacks are becoming more serious because cybercriminals can afford to invest in them. Once the gang leaders have bought the mandatory Lambos and Ferraris for themselves, they start investing in the growth of their operations. The gangs can run professional data centers and build imposing online brands. We know of at least two cases where career criminals set up an information security company as a front and recruited penetration testing professionals to work there. IT security professionals may have ended up working for cybercriminals as a result.

One of my contacts has information indicating that a ransomware gang has its own business analyst, tasked with estimating the right size of the ransom demand for each victim. His work is enabled by the gang's tactic of stealing bookkeeping information from the victim's network and handing it to their own analyst.

Initial Access Brokers, IABs

In addition, these gangs can purchase direct access to hacked companies from initial access brokers (IABs). The success of the IAB model is illustrated not only by their use across the cybercrime landscape, but by the fact that even nation-state attackers, such as North Korea, have used IABs to gain access to their targets.

The service-orientated underground economy has created a market in which initial access brokers can thrive. IABs first gain a foothold in victim organizations, and then offer that access for sale on underground forums. The initial access can be attained via phishing attacks or by scanning the internet for publicly accessible vulnerable services. Initial access brokers significantly lower the bar for attackers such as ransomware groups, enabling criminal network access with as little effort and investment as possible.

Ransomware Affiliates or RaaS

Another example of the maturity of the cybercrime industry is that major ransomware groups (such as Lockbit, Clop and Alpha) operate a service provider model, where they supply tooling and expertise to their affiliates and in return take a cut of the profits. This is known as Ransomware-as-a-Service, or RaaS. It has driven the rapid development of a criminal service industry, providing all the tools and services that a threat group could ever need.

The Next Era of Cybercrime

What’s going to happen next?

We believe the next area of investment for organized cybercrime gangs will be service automation, most likely using machine learning or generative AI. At WithSecure, we've been developing machine learning-based cybersecurity systems for many years and began developing automation for analysis in our labs in 2005. Yes, 2005: we were really early. These automation projects have since evolved into full-blown machine-learning frameworks. All this time we've been waiting for our enemies to make the same move.

Automated Defense

We, the defenders, have been able to automate our work, enabling excellent detection, analysis and reaction times. Most of this happens hands-free at machine speed. This contrasts with attackers, who have been building and deploying their attacks manually, meaning that when they get blocked, they have to change things manually, at much slower human speed. Right now, the situation can be likened to a game of ping-pong between a human (attacker) and a robot (defender). The robot is superior in speed. Once the attackers migrate to automated operations, it will be a game of robot against robot.

Automated Malware Campaigns

The technology to run malware campaigns that automatically bypass new defenses most definitely exists already, but thus far we haven't seen such campaigns. How do we know the malware gangs are not running fully automated malware campaigns already? Because they are too slow. When they upgrade to machine speed, we will notice for sure.

And then we will see that the only thing that can stop a bad AI is a good AI.
