Cyber crime groups of all sizes are putting around 80% of their operating expenses toward paying their workforce, according to a recent report by Trend Micro. The percentage goes up slightly as the group grows in size, but even criminal outfits of just a few members are seeing about 78% of their costs go to payroll.
The situation reflects an increasing adoption of a professional, corporate-modeled structure among cyber crime groups, which now often have a core of employees who report in for regular shifts and are even overseen by human resources departments.
Cyber crime groups going “office space” in quest for higher profits, smoother operations
The largest cyber crime groups, those clearing tens of millions of dollars in profits, can end up devoting between $150,000 and $200,000 to paying employees and contractors each month. The wages paid are competitive with those offered to IT professionals in similar roles in legitimate companies; in the Russian market that’s about $2,000 per month for a software developer.
One might think that cyber crime groups would offer the ultimate in work-from-home scheduling, but that isn’t necessarily true with the larger outfits. The regular salaried employees are sometimes expected to show up to an office that the group rents, which can account for tens of thousands of dollars in added operating expenses each month. They also work schedules that are equivalent to those of their corporate counterparts, sometimes putting in even longer hours.
Ultimately, these operating expenses are trivial next to what these groups steal from victims, and are worth their weight in gold in terms of keeping the operation running smoothly and without surprises. The general rise in attack sophistication is also likely attributable to cyber crime groups increasingly operating on these models.
Criminal operating expenses dominated by labor costs
Cyber crime groups with 49 or more members devote the largest share of operating expenses to payroll, and this is the size at which multiple layers of management begin to appear. The smaller end of these groups may still have one leader making decisions for the entire operation, but the largest outfits often have multiple independent managers who run specific aspects with at least some autonomy. This is also where you start to see formal departments that reflect legitimate business structures, such as accounting and human resources. And while recruiting and client acquisition are usually side duties for other groups, the larger groups may have a dedicated team devoted to them.
Although one of the purposes of this “incorporation” is to stabilize the operation and allow more complex attacks to be pulled off, the report also finds that growth corresponds with increasing instability. More employees and contractors mean more potential sources of leaks when someone becomes disgruntled or there is an intra-office political schism (as happened to several ransomware groups when leadership pledged support for the Russian invasion of Ukraine). Cyber crime groups also do not enjoy the legal protections and team-building benefits that legitimate organizations get when they structure in this way.