Menu Close

How are cyber criminals evolving their business models?

At Kloudwerk, our services are built on people. We offer a cyber expert to build a relationship with your IFA firm on a one hour, monthly basis. This way, we can assess the holistic cyber security risks which face your firm.

How are cyber criminals evolving their business models?

We often talk about cyber criminals in our insight articles, but who are they and what are they up to? Are they really as innovative as their ethical and legal counterparts?

What do we mean by cyber criminals?
Cyber criminals are the threat actors behind organised crime, which is responsible for 80% of all data breaches. In this article we will focus on a particular cyber criminal group behind organised crime, FIN7, and cover some of their business models and tactics.

FIN7 is an international cybercrime group leading the organised crime scene. According to the Department of Justice, FIN7 has been linked to financial losses in excess of $3 billion.

They started their cyber hacking journey in the USA by breaking into companies and stealing payment card information. The group then uploaded the data onto the dark web for sale. The significant return from these activities started to decline when banks introduced new technology to increase the security on their credit cards, specifically the chip. The reduced returns meant FIN7 needed a new business model.  

Ransomware for sale?
FIN7 rebranded itself into a Software as a Service (SaaS) provider – developing and selling ransomware to other cyber criminal groups. (Ransomware is software which encrypts a firms data and demands a payment of anything from a few hundred to millions of dollars, before releasing a decryption key to unlock the files.)
The ransomware market quickly turned into a highly lucrative industry where a single ransomware attack could offer returns in excess of 8 figures.

Offering the ransomware to other hackers, FIN7 marketed their very own product called DarkSide. The product was first observed in the market in August 2020.

DarkSide was the ransomware behind the Colonial Pipeline cyber attack in May 2021. It was the largest cyber attack on an oil infrastructure target in the history of the United States. Colonial Pipeline paid the requested ransom (75 bitcoin or $4.4 million) and with help, were eventually able to recover approximately $2.3 million from the ransom payment.

By becoming an intermediary, FIN7 were able to limit their risk as other groups would be responsible for compromising organisations, deploying the ransomware and communicating with victims for payment. FIN7 would typically get commission on each successful ransomware payment.

“DarkSide was very profitable for FIN7 earning almost US$7 million. The
economies of scale achieved from the ransomware product was a major
turning point in FIN7’s evolution as a leading cybercriminal

The returns offered them new cyber crime opportunities, however, they had a new challenge to overcome before this could be achieved, recruiting skilled people.

New tactics: “hiring” tech talent using an alias
To remain a market leader in ransomware and evolve its illegal products, FIN7 needed to recruit new tech savvy people. The typical recruiting ground of the dark web was littered with undercover authorities posing as potential hackers seeking employment opportunities with criminal organisations.

FIN7 decided to innovate. In order to recruit from the same talent pool as legit tech companies, FIN7 created a fake security firm called Bastion Secure. Using a copied website and details of the genuine UK based Bastion Security firm, FIN7 set itself up to start the recruitment of tech professionals.  

Advertising on the open internet, “Bastion Secure” posted generic IT positions on real job seeker boards in Russia and the Ukraine. They offered a 9-5, Monday to Friday role in an effort to appear legitimate, it worked.

Their plan was simple, knowing the recruitment process for genuine tech companies, Bastion Secure moved potential candidates through a 2-stage interview process before tasking them with a technical skills assignment, which in reality was a genuine cyber attack on an unsuspecting business. The candidates had no idea they were actually participating in an illegal cyber hack.

A candidate’s story
One particular candidate that was lured to the fake site and tech role disclosed how the website and job description appeared unremarkable, nothing that would alert you to one of the world’s most notorious cybercriminal organisations being behind the ruse.

He stated the hiring process was somewhat unorthodox and eventually started to raise his suspicions that something wasn’t quite right.  

Bastion Secure conducted the process without any face-to-face meetings, not even a phone call. All correspondence was through encrypted messaging using the applications Telegram and Talkz.  

For the final assignment, Bastion Secure instructed him to connect to a client (an unsuspecting business) and run software on the client’s network. The candidate realised the software he was deploying was ransomware, and therefore connected him with illegal hacking. He shared the software with researchers who were able to connect it to FIN7.

Bottom line
This interesting story reveals that our perceptions of cyber criminals hiding in dark corners of the internet are being challenged. They are creating novel methods and tactics to continue their cyber criminal activities, often replicating the models which traditional businesses use or in some cases, being more innovative.

Your business digital footprint is becoming increasingly exposed to highly sophisticated and motivated cyber criminals. Are you prepared to deal with the cyber threats of today?

Kloudwerk works with you to help you keep the cyber criminals out. We offer affordable cyber security consultancy packages for business customers. Visit our Cyber Consultancy page for more information


On Key

Related Posts



Imagine you own a house and want to add an additional floor. First you have to review and strengthen the foundations. This service builds cybersecurity foundations to facilitate growth in a resilient, timely manner.

This service will also provide the company with a cybersecurity risk assessment and improvement plan but with significantly more support from a senior consultant to help the company embed improvements in a continuous, timely manner


The dreaded car MOT is looming. It’s the unforeseen wear & tear that results in some necessary annual maintenance. Our cybersecurity review will highlight what needs to be done as your engineers.

In addition to the context gathering stage and security footprinting service, a senior consultant will perform a risk assessment to understand the company’s cyber risks and provide recommendations. They will also be available to undertake monthly calls for answering questions, providing guidance and checking on whether risks are reducing.


You’re embarking on a more active lifestyle, chosen to go on a diet and get in shape. Think of this service as the cybersecurity equivalent of the personal trainer, helping you along the way.

After an initial context gathering stage, a junior security consultant will be available once per month to answer questions and provide recommendations based on company goals and activities. A cybersecurity footprinting service will allow the company to continuously monitor its external security posture.

Add Your Heading Text Here

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Add Your Heading Text Here

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.