The Vast Underground Malware Economy

November 1, 2017 Emily Davidson

Modular development, regular feature upgrades, online reviews and first class technical support: if you think these are the bread and butter of software manufacturers alone, it’s time to think again.

According to Christopher Budd, Global Threat Communications Manager at Trend Micro, “These are now common practices among today’s thriving underground malware economy.”

Long gone are the days of teenagers crafting the latest threats in dark basements and blasting them into the wild. Today, companies face a vast underground malware and ransomware economy comprised of organizations and networks as complex and capable as the mainstream software vendors they target every day.

In our latest interview, Budd reveals the shocking scope of today’s underground threat economy and some practical ways organizations can protect themselves from this growing threat.

Malware has become a fully mature and robust shadow software company

“It’s a sophisticated ecosystem consisting of sales, customer support, testing and advertising,” Budd says. Much of the malware available on the underground market today has professional aspects -- such as modular development and regular upgrades with new features -- that draw from the best practices of legitimate software development companies and services.

“We’ve seen underground sales forums with banner ads boasting malware that have been tested and guaranteed to be undetectable by the latest top enterprise security solutions. Malware often comes with technical support, including online chat, that’s often better than the support you get with legitimate software.”

If you’re familiar with eBay, you know the value of positive online customer feedback. Budd describes the malware economy as just as dependent on positive word of mouth -- often so valuable for advertising purposes that criminal groups willingly hand over millions of stolen records for nothing but positive feedback on the review boards of underground malware marketplaces.

And it works. As Budd reveals: “Hackers save tremendous amounts of time and resources by purchasing malware from underground markets. When they do, they receive capabilities much more sophisticated than what they could have ever built alone.”


Ransomware, in particular, is one of the most powerful, sophisticated and pernicious forms of malware ever devised -- on both the technical and social engineering sides.

“Today’s ransomware often incorporates deadlines that give the victim, say, three days to pay a ransom or have the encryption key that unlocks their stolen data destroyed,” says Budd. These deadlines create a sense of urgency in the victim that often leads to a hasty decision to pay the hackers and get it over with.

Since many ransomware threats require payment in Bitcoin, hackers even offer chat support to help the victim set up a payment method. Bitcoin is pseudonymous rather than untraceable: every transaction is recorded on a public ledger and ransom payments have been followed through it, but the addresses themselves are not tied to a name.


“Eighty percent of malware today infects five or fewer systems. Much of what we see is designed to alter as it works so that one person may get hit with a different version of the same malware multiple times,” Budd says. That means traditional static defenses, such as matching files against signatures of known samples, can no longer meet such a threat. He continues, “Instead, it’s important to focus on strategies and solutions that employ heuristics [non-perfect yet agile approaches] and other intelligent defenses that adapt continually to changing attacks.”
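To make the static-versus-heuristic point concrete, here is an added example (not code from the article or from Trend Micro). It simulates a payload that mutates its bytes on every copy, shows that a SHA-256 blocklist built from one sample misses every other variant, and then scores a constructed behavioural trace with three indicators that survive mutation: deletion of Volume Shadow Copies, a burst of renames to one new extension, and a run of high-entropy (ciphertext-like) file writes. The `CORE` string, the event format, the file paths and the scoring weights are all assumptions made for the illustration.

```python
import hashlib
import math
import random
from collections import Counter

# Stand-in for the logic every variant carries. It is only a label: the block
# simulates what a detector observes, it does nothing to files.
CORE = b"enumerate-documents; encrypt-each; drop-ransom-note"
SCORE_THRESHOLD = 5   # assumed alert threshold for the behavioural score


def make_variant(rng: random.Random) -> bytes:
    """Mutate CORE the way the text describes: random junk prefix plus a random
    single-byte XOR. Each call yields different bytes, so a hash blocklist
    built from one sample never matches the next one."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randrange(16, 64)))
    return junk + bytes([key]) + bytes(b ^ key for b in CORE)


def static_hit_rate(samples: list[bytes], blocklist: set[str]) -> float:
    """Fraction of samples whose SHA-256 appears in a hash blocklist."""
    hits = sum(hashlib.sha256(s).hexdigest() in blocklist for s in samples)
    return hits / len(samples)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Prose sits around 4-5; encrypted output nears 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(events: list[dict]) -> int:
    """Score a constructed behavioural trace (list of event dicts)."""
    score = 0
    # 1. Attempt to destroy Volume Shadow Copies, a well-known ransomware habit.
    if any(e["op"] == "exec" and "vssadmin" in e["cmd"] and "delete shadows" in e["cmd"]
           for e in events):
        score += 3
    # 2. Many files renamed to the same newly appended extension.
    new_ext = Counter(
        e["dst"][len(e["src"]):]
        for e in events
        if e["op"] == "rename" and e["dst"].startswith(e["src"])
    )
    if new_ext and max(new_ext.values()) >= 20:
        score += 3
    # 3. Most written data looks encrypted (entropy above 7 bits per byte).
    writes = [e for e in events if e["op"] == "write"]
    high = sum(shannon_entropy(e["data"]) > 7.0 for e in writes)
    if len(writes) >= 20 and high / len(writes) >= 0.8:
        score += 2
    return score


def ransomware_trace(rng: random.Random, n_files: int = 40) -> list[dict]:
    """Constructed trace of what any variant does, whatever its bytes look like."""
    events = [{"op": "exec", "cmd": "vssadmin delete shadows /all /quiet"}]
    for i in range(n_files):
        path = f"C:/Users/ceo/Documents/report{i}.docx"       # assumed path
        blob = bytes(rng.getrandbits(8) for _ in range(1024))  # ciphertext stand-in
        events.append({"op": "write", "path": path, "data": blob})
        events.append({"op": "rename", "src": path, "dst": path + ".locked"})
    return events


def benign_trace() -> list[dict]:
    """Constructed trace of a user saving a few notes and keeping one .bak copy."""
    text = b"Quarterly figures: revenue up 4 percent, costs flat. " * 20
    events = [{"op": "write", "path": f"C:/Users/ceo/Documents/notes{i}.txt", "data": text}
              for i in range(5)]
    events.append({"op": "rename", "src": "C:/Users/ceo/Documents/notes0.txt",
                   "dst": "C:/Users/ceo/Documents/notes0.txt.bak"})
    return events


def compare(n_variants: int = 20, seed: int = 7) -> dict:
    """Run the hash blocklist and the heuristic over mutated copies of one payload."""
    rng = random.Random(seed)
    samples = [make_variant(rng) for _ in range(n_variants)]
    blocklist = {hashlib.sha256(samples[0]).hexdigest()}   # the one sample we "saw"
    return {
        "static_hit_rate": static_hit_rate(samples, blocklist),
        "ransomware_score": heuristic_score(ransomware_trace(rng)),
        "benign_score": heuristic_score(benign_trace()),
    }


if __name__ == "__main__":
    print(compare())
```

The blocklist catches exactly the one sample it was built from; the behavioural score is the same for every variant because the behaviour, not the bytes, is what it measures. Real products weight far more indicators and tune thresholds against false positives (a backup job also writes many high-entropy files), which is the "non-perfect yet agile" trade-off Budd describes.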

Budd describes a multilayered defense built on adaptability and intelligence, and on measures that lie outside security products altogether, such as effective backup. A robust backup strategy that can get the CEO up and running with effectively no data loss within an hour removes most of the leverage ransomware holds over a victim. The caveat is that a backup only helps if the ransomware cannot reach it: copies that are mounted or writable from the infected machine get encrypted along with everything else, so at least one copy should be offline or immutable, and restores should be rehearsed rather than assumed to work.

“It’s important to have a full awareness of all the things touching your data. Defense today is all about protecting the data, not the perimeter, devices, and networks.”

Usability and comprehension are also key requirements in any security solution. A solution that boasts comprehensive protection but is impossible to configure and use is flawed. “If you can’t set up an advanced solution properly, you’re just as much at risk as you are with a less capable solution,” Budd says.

Finally, testing and drills are the best way to learn how well your defenses actually work. For example, if the CEO’s laptop were stolen tomorrow, how quickly could you replace it with everything intact? Run that scenario and measure it.
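One way to turn the backup and drill advice above into a repeatable check, as an added example (not code from the article or any vendor): take a hash manifest of the live documents at backup time, restore the backup into a clean directory, and compare. A file whose hash changed is a restored copy that was corrupted or encrypted along with the original; a missing file is a gap in the backup set; the age of the manifest against the one-hour recovery target tells you whether the drill met its objective. The directory layout, file names, the one-hour target and the tampering used to simulate a bad backup are all assumptions made for the illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 3600   # assumed target: at most one hour of data loss


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every file under root, taken at backup time.
    Store this with the backup, on media the live host cannot write to."""
    return {str(p.relative_to(root)): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest: what is missing, what
    differs (corrupted or encrypted copy), and what was not in the backup set."""
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "changed": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def rpo_met(manifest_taken_at: float, now: float, rpo_seconds: float = RPO_SECONDS) -> bool:
    """True if the newest good backup is recent enough to meet the data-loss target."""
    return now - manifest_taken_at <= rpo_seconds


def drill() -> dict:
    """Constructed drill: back up a few documents, 'restore' them, then damage
    the restored copy the way a reachable backup would be damaged, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        (live / "q3.xlsx").write_bytes(b"revenue,cost\n100,80\n")
        (live / "notes.txt").write_bytes(b"board meeting follow-ups\n")
        (live / "deck.pptx").write_bytes(b"slides" * 100)

        manifest = build_manifest(live)        # taken before the "incident"
        taken_at = time.time()

        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)        # the restore step
        # Simulate a backup the ransomware could reach: one file overwritten
        # with junk (as if encrypted), one never captured.
        (restored / "q3.xlsx").write_bytes(b"\x00" * 64)
        (restored / "notes.txt").unlink()

        report = verify_restore(manifest, restored)
        # Pretend the drill finished 30 minutes after the manifest was taken.
        report["rpo_met"] = rpo_met(taken_at, taken_at + 1800)
        return report


if __name__ == "__main__":
    print(drill())
```

A drill that passes should return empty `missing` and `changed` lists; anything else is a finding to fix before a real incident, not after.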


What to do if your information gets hijacked

If you’re attacked, Budd advises you to go back to training. “Assess the situation, determine exactly what happened, what the malware is doing and the technical specifics involved. Disconnect affected systems from the network to prevent it from spreading. If the attack employed ransomware, look for a backup and recovery solution,” he says.

He also advises that if you can’t take systems offline without disrupting the business, you should find and test solutions and strategies that can assess, isolate and address the issue and the specific systems involved while the business continues to operate normally. “Most organizations should be at the point where they can handle an incident or compromise to a certain level without a total shutdown.”

Every attack is different, but Budd’s universal advice is, don’t panic.
