The Cartelization of Cybercrime: Evolving Organized Crime Structures in the Ransomware-as-a-Service Ecosystem

Abstract

This research report analyzes the evolving structure of cybercrime organizations, focusing on the emergent “cartelization” of Ransomware-as-a-Service (RaaS) ecosystems. While the DragonForce example illustrates a potential instantiation of this model, this report explores the broader phenomenon of cybercrime cartels, examining their organizational structures, profit-sharing mechanisms, risk distribution, and the implications for both participants and law enforcement. Furthermore, the report investigates the ethical dimensions of cybercrime, specifically the existence and nature of self-imposed limitations within these organizations, including target selection and operational boundaries. This analysis draws upon existing literature on organized crime, cybersecurity, and criminology to provide a comprehensive understanding of the cybercrime cartel and its potential impact on the global security landscape.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction

The landscape of cybercrime is in a constant state of flux, driven by technological advancements, shifting economic incentives, and evolving organizational structures. Traditional models of cybercriminal activity, often depicted as isolated actors or loosely affiliated groups, are increasingly giving way to more sophisticated and highly organized entities. This report argues that the emergence of “cybercrime cartels” represents a significant paradigm shift, characterized by centralized leadership, compartmentalized operations, and a focus on maximizing profits through strategic collaboration and resource allocation. While the DragonForce example is a case in point, the intent of this report is to explore a generalised model for cybercrime cartels. This phenomenon requires a thorough investigation, examining the mechanisms driving cartelization, the benefits and risks for participants, and the strategies necessary to effectively disrupt these criminal networks.

The traditional model of cybercrime often involved independent actors or small, loosely affiliated groups engaging in activities such as phishing, malware distribution, or data theft. However, the rise of Ransomware-as-a-Service (RaaS) has fundamentally altered this landscape. RaaS platforms provide aspiring cybercriminals with access to sophisticated ransomware tools and infrastructure, significantly lowering the barriers to entry and facilitating the proliferation of ransomware attacks. This has led to a fragmented and decentralized ecosystem, characterized by intense competition and a lack of coordination.

The cybercrime cartel model represents a response to these challenges. By centralizing control and coordinating activities, these cartels aim to achieve greater efficiency, reduce competition, and increase overall profitability. This can involve consolidating RaaS platforms, coordinating attack strategies, and establishing clear hierarchies for decision-making and profit distribution. While the term “cartel” may evoke images of traditional organized crime groups, cybercrime cartels possess unique characteristics, operating in a virtual environment and leveraging technology to facilitate their activities. This report explores the nuances of this emerging phenomenon, examining the factors driving its emergence and the implications for cybersecurity.

2. Defining the Cybercrime Cartel: Structure and Characteristics

While the term “cartel” is commonly associated with drug trafficking or other forms of traditional organized crime, its application to cybercrime requires careful consideration. For the purposes of this report, a cybercrime cartel is defined as a structured criminal organization characterized by the following elements:

  • Centralized Leadership: A clearly defined leadership structure responsible for setting overall strategy, coordinating operations, and managing resources. This may involve a single individual or a small group of individuals with significant control over the organization.
  • Compartmentalization: The division of labor into specialized roles, with each team or individual responsible for a specific aspect of the operation. This compartmentalization enhances security by limiting the knowledge that any single individual has about the overall operation.
  • Strategic Collaboration: Formal or informal agreements between different cybercriminal groups to coordinate attacks, share resources, or avoid competition. This collaboration can take various forms, ranging from simple partnerships to more complex agreements involving profit-sharing and risk-sharing.
  • Control over Resources: The control and management of essential resources, such as RaaS platforms, botnets, zero-day exploits, and stolen data. This control allows the cartel to exert influence over the broader cybercrime ecosystem and extract value from its assets.
  • Market Regulation: Attempts to influence or control the cybercrime market, such as setting prices for ransomware demands, establishing standards for data encryption, or suppressing competition from rival groups.
  • Profit Distribution: A clearly defined system for distributing profits among members of the organization, based on their contributions and level of involvement. This system may involve a combination of fixed salaries, performance-based bonuses, and equity stakes in the cartel’s assets.

Unlike traditional crime cartels, cybercrime cartels operate primarily in the digital realm. This allows them to transcend geographical boundaries, recruit talent from around the world, and operate with a high degree of anonymity. The lack of physical infrastructure also makes it more difficult for law enforcement to identify and disrupt these organizations.

The structure of a cybercrime cartel can vary depending on its size, scope, and objectives. Some cartels may be highly centralized, with a rigid hierarchy and strict command-and-control. Others may be more decentralized, with a network of semi-autonomous teams operating under a shared set of principles. The DragonForce example can be seen as an attempt to move a loosely affiliated RaaS model towards a more centralised model.

3. Roles and Responsibilities Within a Cybercrime Cartel

Within a cybercrime cartel, different individuals and groups play specific roles, each contributing to the overall success of the organization. These roles can be broadly categorized as follows:

  • Leadership: Responsible for setting overall strategy, coordinating operations, and managing resources. This role requires a deep understanding of the cybercrime landscape, as well as strong leadership and management skills.
  • RaaS Platform Operators: Develop and maintain the RaaS platforms used to conduct ransomware attacks. This role requires strong technical skills in software development, network security, and cryptography.
  • Affiliates: Conduct the actual ransomware attacks, using the RaaS platform and other tools provided by the cartel. Affiliates are responsible for identifying targets, deploying ransomware, and negotiating ransom payments.
  • Developers: Responsible for developing and maintaining the malware and other tools used by the cartel. This role requires advanced programming skills and a deep understanding of cybersecurity vulnerabilities.
  • Network Administrators: Manage and maintain the cartel’s network infrastructure, including servers, networks, and communication channels. This role requires strong network security skills and experience in managing large-scale systems.
  • Money Launderers: Responsible for laundering the proceeds of cybercrime, converting them into legitimate assets. This role requires a deep understanding of financial regulations and techniques for evading detection.
  • Intelligence Gatherers: Responsible for gathering intelligence on potential targets, including their network infrastructure, security vulnerabilities, and financial resources. This role requires strong research skills and experience in open-source intelligence (OSINT) techniques.
  • Negotiators: Responsible for negotiating ransom payments with victims. This role requires strong communication and negotiation skills, as well as a deep understanding of the psychology of victims.

Each of these roles is critical to the success of the cartel. By compartmentalizing operations and assigning specialized roles, the cartel can improve efficiency, reduce risk, and increase overall profitability. The relationships between these roles are dynamic and can evolve over time, as the cartel adapts to changing circumstances.

4. The Economics of Cybercrime Cartels: Profit Sharing and Risk Distribution

The economic model of a cybercrime cartel is crucial to its success. Understanding how profits are generated and distributed, and how risks are managed, is essential for comprehending the incentives driving participation and the potential vulnerabilities that can be exploited to disrupt these organizations.

Profit Sharing: The distribution of profits within a cybercrime cartel is typically based on a pre-defined agreement that takes into account the contributions of each member. This agreement may be formalized in a contract or simply based on informal understandings. The percentage of profits allocated to each role can vary depending on the cartel’s structure, the value of the role, and the level of risk involved. RaaS platform operators typically receive a percentage of the ransom payments generated by their affiliates. Affiliates also receive a percentage of the ransom payments, with the remainder going to the cartel leadership or other supporting roles. Other roles, such as developers and network administrators, may receive fixed salaries or performance-based bonuses.

Risk Distribution: Cybercrime is inherently risky, and the distribution of these risks is a key factor in the success of a cartel. The risks associated with cybercrime can be broadly categorized as follows:

  • Legal Risk: The risk of being arrested and prosecuted for criminal activities. This risk is typically borne by the affiliates who conduct the actual attacks. The cartel leadership may attempt to mitigate this risk by operating from countries with lax cybercrime laws or by using sophisticated anonymization techniques.
  • Financial Risk: The risk of losing money due to failed attacks, law enforcement seizures, or internal theft. This risk is typically shared among all members of the cartel, with the leadership bearing the greatest financial risk.
  • Reputational Risk: The risk of damaging the cartel’s reputation due to failed attacks, internal disputes, or negative media coverage. This risk can be particularly damaging to RaaS platforms, as it can deter potential affiliates from using their services.

Cartels manage these risks by implementing various strategies, such as compartmentalizing operations, using encryption and anonymization tools, and operating from jurisdictions with weak law enforcement. They may also invest in cybersecurity measures to protect their infrastructure from attack.

5. Benefits and Risks of Participating in a Cybercrime Cartel

Participating in a cybercrime cartel offers both potential benefits and significant risks for its members. These factors must be carefully weighed by individuals considering joining such an organization.

Benefits:

  • Access to Resources: Access to sophisticated RaaS platforms, malware, and other tools that would otherwise be unavailable to individual cybercriminals.
  • Reduced Competition: The opportunity to operate in a less competitive environment, with the backing of a powerful organization.
  • Increased Profits: The potential to earn significantly more money than would be possible as an independent cybercriminal.
  • Protection from Law Enforcement: The potential for protection from law enforcement, due to the cartel’s resources and sophisticated security measures.
  • Learning Opportunities: The opportunity to learn from experienced cybercriminals and develop valuable skills.

Risks:

  • Legal Risk: The risk of being arrested and prosecuted for criminal activities, which can result in lengthy prison sentences and significant fines.
  • Financial Risk: The risk of losing money due to failed attacks, law enforcement seizures, or internal theft.
  • Reputational Risk: The risk of damaging one’s reputation due to association with a criminal organization.
  • Risk of Internal Violence: The risk of violence or retribution from other members of the cartel, in the event of disputes or betrayals.
  • Loss of Autonomy: The loss of autonomy and independence, as members are required to follow the cartel’s rules and directives.

The balance between these benefits and risks will vary depending on the individual’s role within the cartel, their level of involvement, and their risk tolerance. The decision to participate in a cybercrime cartel is a complex one, with potentially life-altering consequences.

6. Targeting Taboos and the Moral Compass in Cybercrime

An intriguing aspect of cybercrime, particularly within organized structures like cartels, is the presence, or perceived absence, of ethical boundaries. While the very nature of cybercrime is inherently unethical, some actors may exhibit a selective moral compass, avoiding certain targets or types of attacks. This section explores the concept of targeting taboos and the moral compass in cybercrime.

It’s important to note that the idea of a “moral compass” within a criminal enterprise is complex and often contradictory. What might appear as ethical restraint could simply be a pragmatic calculation of risk versus reward. Targeting certain entities, such as hospitals or critical infrastructure, may attract greater law enforcement attention, leading to increased risk for the cartel. Similarly, targeting specific demographics, such as children or the elderly, might generate greater public outrage and pressure on law enforcement to take action.

However, anecdotal evidence and interviews with former cybercriminals suggest that some individuals do exhibit a degree of ethical selectivity. This can manifest in several ways:

  • Avoiding Specific Targets: Some cybercriminals may refuse to target hospitals, emergency services, or other organizations that provide essential services. This may be due to a genuine concern for the potential harm that could be caused by disrupting these services.
  • Avoiding Specific Types of Attacks: Some cybercriminals may refuse to engage in certain types of attacks, such as those that could result in physical harm or death. For example, they may avoid attacks that could disrupt power grids or water supplies.
  • Avoiding Targeting Individuals: Some cybercriminals may prefer to target organizations rather than individuals, believing that organizations are better equipped to withstand the financial losses and reputational damage caused by cyberattacks.

The reasons for these targeting taboos are varied and can include:

  • Fear of Law Enforcement: As mentioned earlier, some targets may attract greater law enforcement attention, leading to increased risk.
  • Guilt and Remorse: Some cybercriminals may experience guilt or remorse over the harm caused by their actions, leading them to avoid targets that they perceive as particularly vulnerable or deserving of protection.
  • Personal Values: Some cybercriminals may hold personal values that conflict with certain types of attacks. For example, they may believe that it is wrong to target children or the elderly, regardless of the potential financial gain.
  • Reputational Concerns: Even within the criminal underworld, reputation matters. Targeting certain entities may damage the cybercriminal’s reputation, making it more difficult to recruit new members or conduct business with other criminals.

It is crucial to recognize that these targeting taboos are not universal and can vary depending on the individual, the cartel, and the specific circumstances. Some cybercriminals may have no ethical qualms about targeting any entity, regardless of the potential harm. However, the existence of these taboos suggests that even within the criminal underworld, there are limits to what some individuals are willing to do.

7. Law Enforcement Strategies for Targeting Cybercrime Cartels

Disrupting and dismantling cybercrime cartels requires a multifaceted approach that addresses both the technical and organizational aspects of these criminal enterprises. Traditional law enforcement strategies, such as arrests and asset seizures, are important, but they are often insufficient to effectively counter the threat posed by cybercrime cartels.

More effective strategies include:

  • Intelligence Gathering: Gathering intelligence on the structure, operations, and members of cybercrime cartels. This can involve using a variety of techniques, such as human intelligence (HUMINT), signals intelligence (SIGINT), and open-source intelligence (OSINT).
  • International Cooperation: Collaborating with law enforcement agencies in other countries to investigate and prosecute cybercrime cartels. This is essential, as cybercrime cartels often operate across international borders.
  • Cybersecurity Partnerships: Working with cybersecurity companies and other organizations to share threat intelligence and develop effective defenses against cyberattacks.
  • Financial Investigations: Tracking the flow of money through the cartel’s financial network and seizing assets used to finance their activities.
  • Undercover Operations: Infiltrating cybercrime cartels with undercover agents to gather evidence and disrupt their operations.
  • Technical Disruption: Disrupting the cartel’s technical infrastructure, such as servers, networks, and communication channels.
  • Targeting Key Individuals: Focusing on arresting and prosecuting key individuals within the cartel, such as the leaders, RaaS platform operators, and money launderers.
  • Promoting Whistleblowing: Encouraging individuals within the cartel to come forward with information about their activities, in exchange for immunity or reduced sentences.
  • Public Awareness Campaigns: Educating the public about the risks of cybercrime and providing tips on how to protect themselves from cyberattacks.

Effective law enforcement strategies must be adaptable and responsive to the evolving tactics of cybercrime cartels. This requires a continuous investment in training, technology, and intelligence gathering. Furthermore, it requires a strong commitment to international cooperation and public-private partnerships.

8. Conclusion

The emergence of cybercrime cartels represents a significant evolution in the landscape of cybercrime. These organizations, characterized by centralized leadership, compartmentalized operations, and strategic collaboration, pose a significant threat to individuals, businesses, and governments worldwide. Understanding the structure, economics, and ethical dimensions of cybercrime cartels is essential for developing effective strategies to disrupt and dismantle these criminal enterprises.

While the DragonForce example may represent one instantiation of this model, this report has attempted to explore a generalised cybercrime cartel structure. Law enforcement agencies must adopt a multifaceted approach, combining traditional investigative techniques with cutting-edge cybersecurity measures and international cooperation. By targeting key individuals, disrupting their technical infrastructure, and seizing their assets, law enforcement can effectively weaken these organizations and reduce the threat they pose. Furthermore, addressing the underlying economic incentives that drive participation in cybercrime cartels is crucial for preventing the emergence of new criminal organizations. This requires a concerted effort to improve cybersecurity, reduce the profitability of cybercrime, and increase the risk of detection and prosecution.

Further research is needed to fully understand the dynamics of cybercrime cartels and develop more effective strategies for combating them. This research should focus on the following areas:

  • Analyzing the organizational structures of different cybercrime cartels.
  • Developing models for predicting the emergence of new cybercrime cartels.
  • Evaluating the effectiveness of different law enforcement strategies.
  • Investigating the ethical dimensions of cybercrime and the factors that influence targeting decisions.
  • Developing technologies for detecting and disrupting cybercrime cartels.

By investing in research and developing effective strategies, we can mitigate the threat posed by cybercrime cartels and protect individuals, businesses, and governments from their harmful activities.

8 Comments

  1. The report’s exploration of ethical considerations within cybercrime cartels is fascinating. The idea of “targeting taboos” suggests a complex interplay of risk assessment, personal values, and reputational concerns, even among criminals. How might these self-imposed limitations be leveraged in preventative cybersecurity strategies?

    • Thanks for your insightful comment! The “targeting taboos” concept opens a fascinating avenue for preventative cybersecurity. Could we perhaps influence these self-imposed limitations by amplifying the potential reputational damage for those who violate them? Perhaps this creates a deterrent effect within the cybercrime community.

      Editor: StorageTech.News

  2. Given the difficulties in enforcing ethics, could further research explore technical controls to prevent cybercrime organizations from targeting specific sectors, perhaps through the development of “ethical firewalls” or similar technologies?

    • That’s a great point! Ethical firewalls sound like a fascinating area for exploration. Perhaps these firewalls could intelligently identify and block attacks based on the target sector, adapting as cybercrime tactics evolve. How feasible do you think it would be to create a universally accepted definition of “ethical” targets for such a system?

      Editor: StorageTech.News

  3. The discussion around “targeting taboos” raises interesting questions. Could reputational concerns within cybercrime cartels lead to the development of internal ethical codes, and how might these codes be exploited or influenced by law enforcement?

    • That’s an excellent question! Thinking about reputational concerns shaping internal ethics is fascinating. Perhaps we could track cartel discussions on dark web forums to gauge evolving perceptions of ‘acceptable’ targets. Understanding these internal codes could inform targeted disruption strategies.

      Editor: StorageTech.News

  4. The report’s point about reputational concerns influencing “targeting taboos” is compelling. I wonder if a formal reputation system, perhaps leveraging blockchain, could be imposed to disincentivize attacks on critical infrastructure or healthcare, adding transparency and accountability.

    • That’s a thought-provoking idea! Using blockchain for a formal reputation system could indeed add a new layer of accountability. It would be interesting to explore how such a system could adapt to the rapidly changing landscape of cybercrime and ensure that it doesn’t inadvertently create new vulnerabilities. What mechanisms might be needed to ensure unbiased scoring?

      Editor: StorageTech.News
