Finding Utility in the Dark Economy—and Mitigating Its Dark Side

What is the dark web? And is it as sinister as its name implies?

Economic principles have a funny way of showing up in unexpected places. To highlight the often scoffed-at importance of branding in the purchasing decisions of a consumer, Thomas Sowell wrote in Basic Economics that “Brands are a way of economizing on scarce knowledge, and of forcing producers to compete in quality as well as price.”

He emphasizes this power that brands have by including a report from The Economist on a peculiar situation in the Soviet Union in which branding was not available for assisting consumer decisions. To adapt to their economic conditions, “consumers learnt how to read barcodes as substitutes for brands in order to identify goods that came from reliable factories.” Amazingly, as Sowell concludes, the Soviet consumers effectively created brands for their own benefit.

Similarly peculiar instances of economic phenomena also occur within the halls of the dark web, but before they can be evaluated, a definition is in order, as most are familiar with the term but not with its specifics. The traditional web, or “clear web,” consists of web pages that are delivered to clients from web servers and can be indexed by search engines. This indexing allows search engines to serve up pages based on a given search query. Whether a web page is indexed is a matter of choice, and the pages that are not make up what is known as the deep web: all the resources on the internet not accessible to the web crawlers doing the indexing, such as content behind a sign-in page or a paywall, medical records, or confidential corporate web pages. This content is so abundant that estimates put it at between 96% and 99% of the entire internet.

The dark web is a subset of the deep web and requires special software to access. This software allows a user to access the anonymizing network known as Tor (the onion router). This network routes web traffic through a series of proxy servers operated by volunteers. This way of routing internet traffic effectively makes a user’s identity untraceable (although there are, theoretically, ways to expose the activity of someone using Tor), making it the perfect tool for ne'er-do-wells or web users in totalitarian states in which the clear web is heavily monitored and censored. Content is posted on the dark web through servers within the Tor network called hidden services, which are reached at onion addresses such as the official Facebook hidden service URL facebookcorewwwi.onion.

Not everything on the Tor network is malicious or illegal. As mentioned above, users can enter it to access Facebook or other content providers that may be blocked in their country. This was actually the original intention behind the network: provide an anonymous communication channel that allows for unfettered speech. Even the CIA has its own Tor hidden service, which makes sense since the Tor network was funded during its inception by the Naval Research Lab and the Defense Advanced Research Projects Agency. More credence is given to the usefulness of this shadowy network by the fact that even the United States government is among its users.

Defining the Dark Economy

In the emerging dark economy (an ecosystem consisting of hackers on the dark web, the malicious tools they develop and sell, and their unfortunate victims and their stolen data) there are a myriad of fascinating economic principles and profit generation mechanisms at play. Cryptocurrency acts as the system’s unofficial designated currency, à la the dollar or euro. In this vein, it allows “a merchant [to] sell his or her goods and have a convenient way to pay their trading partners” by acting as a “universal store of value.” There are also features seen within the e-commerce space, such as seller reviews, shopping carts, consumer forums, and accounts that you use to log in and shop.

An interesting development in the world of hackers is the proliferation of ransomware-as-a-service (RaaS) operations. This new business model is similar to the popular as-a-service offerings in the IT world, such as software as a service, where a vendor provides a full-fledged application to a customer that is accessible through the internet, or infrastructure as a service, where the vendor offers a customer access to computing resources in a similar way. For ransomware as a service, the vendor (ransomware developers) leases their ransomware to customers (hackers doing the initial compromise of the target’s network) so they can deploy it in their attack without spending the time or developing the skills to produce a sophisticated ransomware program.

This division of labor, where a complex task is broken into sub-tasks through specialization, is a major factor fueling the explosion of recent ransomware attacks because “a given number of workers can produce far more output using division of labor compared to the same number of workers each working alone.” The global estimated cost of ransomware attacks in 2020 was $20 billion, up from $8 billion in 2018 and $11.5 billion in 2019. This steep increase was due in part to the rise in the average ransom payment made, cost per ransom incident, and cost of downtime per incident. Ransomware continues to top the list of cyber threats and will remain there until it becomes less convenient and profitable for attackers.

In these ransomware-as-a-service operations we not only see similar e-commerce features, like product bundle offerings and advertisements, but also common as-a-service perks such as user communities, documentation, feature updates, 24/7 user support, white papers, videos, and an active Twitter presence. Commonly seen revenue models used by these shady “businesses” consist of monthly fees, affiliate programs, licensing, and profit sharing. DarkSide, the ransomware used to infect Colonial Pipeline’s IT systems, is an example of an RaaS group.

The governments and businesses often targeted by hacking groups also play a critical role in the dark economy. Because their data is highly valuable, whether it be personally identifiable information (PII) of their customers or intellectual property vital to research and development, these organizations are willing to pay a high price to get it back and prevent its release on the dark web. They are also willing to pay up to get their systems back up and running as every minute of lost revenue is costly. This principle of supply and demand takes a few different forms in the dark economy. When the ransom price associated with getting access back to systems and data after an attack is the subject, the victim acts as the demanding party and the criminal is the supplier. The more valuable the data, the more the victim is willing to pay. When the subject is the initial value of the data or systems in question, the level of supply is set by the unwilling targets of the attack and the demand is generated by the malicious seekers of the resources. The interplay between these two opposing entities is worthy of contemplation as solutions to this ransomware problem are evaluated.

Lowering Supply and Increasing Costs

Despite the positive use cases that the Tor network has, it still contains much of the malicious activity and collaboration that manifests in devastating hacks affecting data, infrastructure, and prosperity. It is to be expected that there is bad behavior in any human endeavor, but taking time to analyze how these malicious actors interact with each other and their victims is eye-opening because it reveals a very logical and predictable operation. Human nature does not change just because decisions are made within an unconventional medium such as the dark economy. By using the power of incentives, cost, demand, and supply, decision makers can better inform their efforts to counter the malign influence that this hacker network has over the lives of the American people.

The first step that businesses, internet users, and governments must take is to limit the supply of their data. For the most part, hackers are opportunistic. They are looking to catch the slowest and weakest prey they can find. If too much resistance is put up, they will usually abandon the chase and identify another target. Therefore, it is vital that proper and fundamental security defenses—like deploying reliable endpoint protection tools, frequently performing backups, training users to spot phishing emails, and rigorously patching—are put in place before an attack originates. Implementing a sound cybersecurity plan is going to limit the profitability of these hacking operations by making it harder for hackers to get to the prize they want.

Businesses must also limit the supply of ransom payments that are constantly being forked over to these ransomware operators. If the proper mitigation steps are taken, the threat of ransomware is diminished to a point where paying a ransom is unnecessary. Unfortunately, most businesses are playing catch up. Newsworthy ransomware attacks where large payouts are made, such as $4.4 million to DarkSide from Colonial Pipeline, $11 million to REvil from JBS, and a potential $70 million to REvil again for the ransomware attack on Kaseya and its customers over the July 4th weekend, only help to fuel the greed of these cyber criminals. If the market for these paydays remains hot, ransomware gangs will continue to rake in the cash.

It is also important to impose costs on these cyber criminals to reduce the demand for conducting cyberattacks. If hackers are going to be met with the full force of the United States government, they will think twice about going after American targets. It is key that these criminals are brought to justice because not only does it impose unbearable costs on existing groups, but it also deters would-be actors from pursuing the same path, a vital aspect of criminal justice. Unfortunately, the recent brazen attack on Kaseya by REvil proves that these groups believe there is little cost associated with their actions. Not only was this supply chain attack undertaken after the other high-profile SolarWinds supply chain attack, but it was also conducted by the group behind the high-profile attack on JBS. Reducing the demand for these hacks with concerted law enforcement efforts will be just as pertinent as reducing the supply of ransom payments and vulnerable data.

Human behavior is made up of choices, and these choices are always trade-offs informed by incentives. Currently, the incentives for cyber criminals are leading them to steal data and disable infrastructure belonging to the American people in order to receive a ransom payment for their troubles. If the tide is to be turned against these enemies of American prosperity, the economic principles of the dark economy should be carefully considered, as they hold the underlying key to understanding the why and how of the problem.