Russian-speaking cybercrime evolution: What changed from 2016 to 2021

Experts at Kaspersky have been investigating various computer incidents on a daily basis for over a decade. Having been in the field for so long, we have witnessed some major changes in the cybercrime world’s modus operandi. This report shares our insights into the Russian-speaking cybercrime world and the changes in how it operates that have happened in the past five years.


We review the kinds of attacks cybercriminals now carry out and what influenced this change, including such factors as changes in the vulnerability market and browser safety. We also review what pushed cybercriminals to transform their operations into the now well-known malware-as-a-service model: the use of cloud servers, the decreasing relevance of custom malware and the subsequent emergence of small, agile teams. Lastly, we analyze the targets that cybercriminals select these days as opposed to a few years back, the reasoning behind them and criminal-to-criminal services offered on the dark web.


While this report is primarily focused on cybercriminals that operate on Russian territory, cybercriminals rarely restrict themselves to national borders, with ransomware gangs being a prime example of such cross-border activity. Moreover, trends that are visible in one country more often than not resurface in other places and among new cybercriminal gangs. This report attempts to shed light on the changes in cybercriminals’ operations that we deem important and actionable.


Incident analysis


Kaspersky’s Computer Incident Investigations Department specializes in attacks by Russian-speaking and Russia-based cybercriminals. The services we offer include incident analysis, investigation and post-incident expert support, all directed at preventing and mitigating the consequences of cyberattacks.


Back in 2016, the primary focus of our experts was on major cybergangs that targeted financial institutions, banks in particular. Big names such as