Threat Lab

While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.

According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2

After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.

……………………………………………………………………………………

Tell me about your background. What led you to create BrightCloud?

I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.

A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.

BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?

We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.

You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.

How is your approach to threat intelligence different from most?

Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.

The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.

What approaches do you think cybercriminals will be using in the future?

Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.

Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.

Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.

As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.

We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?

There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.

Can machine learning help combat the threats that are keeping you up at night?

Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

No Site is Immune to  User Information Exposure

In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are being suggested to change their passwords for the site, as well as any sites they may have reused the password on.

Dridex Adds Crypto-Currency Wallets to Attack Vector List

While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that is met.

Russian Instant Messaging Service Breached

It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.

Google to Begin Marking HTTP Sites As Unsafe

In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.

Cybersecurity Lacking for High-Demand Devices

As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

European Company Loses Millions in Targeted Phishing Scam

In the last couple weeks, Leoni AG, one of the largest electrical wiring companies in Europe fell victim to a Business Email Compromise (BEC) scam involving the CFO transferring a significant sum of money to a non-verified bank account. This location was likely the main target due to it being the only one of four factories that has the authorization to transfer money, and did so by spoofing an email to the companies CFO with very specific details about their internal transfer protocol, and “sent” from one of the company’s higher ranking executives.

Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals

Recently, Kimpton Hotels has issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions taking place. While the incident is still under investigation as yet another victim in a long line of large-profile targets, Kimpton officials are still unclear on the source of the breach.

Blizzard and EA Face DDoS Attacks during Releases

With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.

NHS Hospitals Hit with Ransomware, Not Paying Up

In a recent study done of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.

Hacker Exposes Poor IT Security of Kuwait Auto Import Company

While many hackers are on the lookout for a quick payday, or simply to prove they have the capabilities, one hacker has made his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message on the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.

Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is a ransomware which changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but one constant has remained the same – it is deployed via bogus shipping invoice spam email. The Javascript initially received in a spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easily to modify and re-deploy. This has, for a majority, bypassed antivirus protection and spam email protection. However, a flaw was found in the encryption routine,which allows victims to recover their files.

• January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
• March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
• April 2016: 7-Zip used instead which created an archive to password protect files
• April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable and performs the encryption of the first 1024 bytes of each targeted file
• May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
• June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example:

After opening the spam email attachment, you can see that the file located inside is a Javascript file cleverly disguised as a “.doc”. The file appears to be a .doc for users with the folder option setting “hide extensions for known file types” enabled.

Javascript Analysis:

Upon first opening the sample, it is heavily obfuscated; this is by design to thwart AV analysis and static detection

After de-obfuscating the script, I found that several compromised domains are used to store multiple files to be used later on in the execution routine. Of the downloaded files, we can see that two (a1.exe and a2.exe) are designed as a backdoor on the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter which allows the ransomware (a.php – 5th file downloaded) the ability to run.

Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. The obfuscation techniques below use chr() to encode each as a number specified in ASCII, while also using array() to store the php script in a list of array values.

Examples of Obfuscated ransomware variants:

chr()

To de-obfuscate, I converted all of the chr values to ascii characters and finally decoded base 64 stored to get the original script.

Array()

To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) using the following at the end of the script:

;echo implode($f,”); ?>

De-obfuscated:

The PHP script first uses “set_time_limit(0);” to keep the interpreter running.

A recursive Tree function is used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check if the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, it stores that file name and path as the variable “$fp” and a new variable is made “$x” which uses the function fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base 64 string) to encrypt the files.

If you have found yourself a victim of this ransomware, please submit a support ticket.

We all know that Internet of Things (IoT) is the future and that everything from your refrigerator to your toaster may eventually connect to the internet. With that being the case, it’s important to remember that these connected devices need to be designed with security in mind. On Saturday at the Def Con hacking conference in Las Vegas, Andrew Tierney and Ken Munro showcased a ‘smart’ thermostat hack, in which they were able to install encrypting ransomware onto the device, fortunately just as a proof of concept. Check it out:

The hacked thermostat (displayed in the screenshot above) runs a Linux operating system and has an SD card slot for owners to load custom settings and wallpapers. The researchers found that the thermostat didn’t check what files were being loaded or executed. Theoretically, this would allow hackers to hide malware into an application that looks just like a picture and fool users into transferring it onto their thermostat, which would then allow it to run automatically. At that point, hackers would have full control of the device and could lock the owner out. “It actually works, it locks the thermostat,” Munro said. This achieves the predictions of others in the security industry.

Despite the above tweet, Tierney and Munro declined to confirm the brand of this particular thermostat that they hacked. Because this test was so new, despite the vulnerability being showcased, the reserachers haven’t yet disclosed the vulnerability to the manufacturer, but the plan is to disclose the bug today. They also said that the fix should be easy to deploy. While this ransomware isn’t an immediate threat to anyone using smart devices in their homes today, the point has been proven that it’s very possible to create ransomware for these new and emerging IoT devices. “You’re not just buying [Internet of Things] gear,” Tierney warned, “You’re inviting people on your network and you have no idea what these things do.”

Encrypting ransomware is so popular now that competitors will sabotage one another to get the upper hand. This is refreshing for victims, however, as they reap the benefit of these potential clashes between cybercriminals. ‘Chimera Ransomware’ has just had its keys leaked to the public, which is fantastic news for anyone who has been a victim of this ransomware.

@JanusSecretary  (presumed author of Mischa and Petya) was quick to tweet the news:

The keys are linked here which is a zip of the text file with over 3,500 keys. Below is a summary of the leak, where it is explained that Mischa used Chimera sourcecode. While the authors of Mischa and Chimera are not affiliated, they did get access to big parts of Chimera’s development system.

This allowed access to the decryption keys that have now been released. With these keys now released, it shouldn’t be too much longer before a decryption tool is created for all the victims of Chimera.

Also included is a shameless plug for his RaaS (Ransomware As A Service) portal, where anyone can create new ransomware payloads.

For any successful ransoms that result in payment, a cut will be taken by Janus based on how successful the ransoms are. For a complete rundown on RaaS variants check our our blogs on Ransom32 and Encryptor RaaS samples.

When it comes to drive-by attacks, CryptXXX is king. In fact, out of all the exploit kits dropping payloads on victims, 80% result in CryptXXX. The creators attacked vulnerabilities in Flash Player, Java and Silver Light through using the Angler exploit kit, with malvertising helping boost their success. The malware authors were able to generate $3 Million per month almost exclusively from ransomware.

But how exactly does malingering work? In a nutshell, cyber criminals submit booby trapped advertisements to ad networks for a real-time bidding process. Malicious ads then rotate in with normal ads on legitimate, highly reputable sites. Users then visit these site and click on an infected ad. An invisible iframe injection then redirects the user to the exploit landing page, where a payload is then dropped. Here’s an example:

Since Angler was shut down earlier last month, CryptXXX was presumed to also die with it. However, it’s taken new life with the Neutrino exploit kit, and can now exploit out of plugins like WordPress. Here’s how this looks:

Once a user is unlucky enough to click an infected ad, a ransomware payload is dropped and they become the victim. Here are the instructions that are presented to victims. Pictured below, they are presented the form of a desktop background:

Once a user’s files are encrypted, the steps are the same as most ransomware – install a layered tor browser, then pay the ransom using bitcoins. This variant specifically only asks for 1.2 bitcoins ($800), which is the most ‘mild’ demand of recent ransomware variants, but the amount will double after 5 days if the ransom isn’t paid. It is worth noting that other sites have offered free decryptors for this malware, but they seldom last longer than a few days before the malware authors change it up yet again.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new and updated ransomware threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 analyzed

75EF6891AE7214AD17679CB88DC3B795

7BB58C27B807D0DE43DE40178CA30154

05825F3C10CE814CE5ED4AE8A74E91A2

Cerber is yet another newer ransomware that has been gaining some traction over the past couple months, so we’re providing a breakdown of this new variant. First, here is how it looks:

Unlike some other ransomware variants, Cerber is certainly not going for aesthetics. It also lacks any type of GUI. However, it does change your background to an awful pixelated image of static that’s not comfortable to look at, but it achieves its goal of getting the victims’ attention.

The ransom text is quite extensive and attempts to answer as many questions as the victims might have. The end goal is to get the user to follow directions to install a layered tor browser so they can access the dark net and pay the ransom with Bitcoins. This is what the ransom portal looks like:

This Cerber variant specifically wants 2 BTC, which is a huge sum of money (around $1,300) compared to variants seen in the past. As with older types, there is a ‘late fee’ that doubles the ransom if it isn’t paid in the original time frame. It appears that this trend of charging more money is new and is continuing to catch on. Also included with Cerber are “freebies”, which means that you get one free decrypt of a file. This was introduced by coinvault in 2014 to great success, so now almost all ransomware types include it.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed:

c3cd90c3e406981bece559a43fe64414

383803a90293408e36063809319f5982

065033243f30b1e54241a932c5e706fd

CrytpoMix has been gaining some traction over the past few months, so it’s a good idea that we provide a rundown of this variant in the ransomware family.

This is ‘barebones ransomware’, so victims aren’t presented with a GUI or a desktop background change. All that is presented is a text file and webpage showing the same text.

This is one of the FEW ransomware variant that doesn’t have some payment portal in the darknet. There is no need to download any tor browser, as they don’t provide any onion links.

With this variant, victims literally have to email and wait around 12 hours for a response and those responses are encrypted and password protected (to protect the bitcoin wallet address the cybercriminals want payment to be made to).

Example response:

While CryptoMix isn’t fancy, it’s price sure is. 5 BTC (Bitcoin) is an insane amount of money (>$3000), and it wasn’t a few months ago that ransom increases to $700 were all the rage. Also, these criminals even claim that you’ll receive free tech support and all your ransom money goes to a child charity. Please do not be fooled.

Registry Entries added

» HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
» HKLM\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader UpdateSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Adobe Reader Update32
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlashPlayerSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*AdobeFlashPlayers32
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeFirstVersionSoftWare
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeLicensionSoftWare

MD5 hashes analyzed :

b778bda5b97228c6e362c9c4ae004a19

a0fed8de59e6f6ce77da7788faef5489

Webroot will catch this specific ransomware in real time before any encryption takes place. We’re always on the lookout for more types of threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files (up to ten previous copies). Please see our community post on best practices for securing your environment against encrypting ransomware.

If you’ve ever been infected with serious malware, you may have assumed the culprit is a person sitting in the basement of their mom’s house, or a small group of people huddled in a garage somewhere. It’s really not that simple.  There’s a whole global cyber underground network that’s working diligently to make all this happen for you. It’s the lucrative cyber black market. Mostly everyone has heard the term “black market” at least a few times. It’s referenced in many movies and is often heard on the news when speaking of criminal activity and the purchasing of illegal materials or services.

Malware-as-a-Service is a prosperous business run on the black market that offers an array of services and isn’t just limited to malware or bits of code. And you don’t have to be a computer expert either. Anyone can purchase code that will cause harm to a person’s computers or even hold it for ransom. But once purchased, what are you going to do with it? How will investing in this piece of malware return a profit? There’s still the challenge of getting it out there, getting your potential victims to run the payload for the newly purchased malware on their computer. And most importantly, cashing out on the investment. This is where the entire business model of Malware-as-a-Service comes into play.

It’s all offered in the cyber black market and functions no different than the global markets we hear of. Due to its low key nature, it’s difficult to say exactly how much money is generated from Malware-as-a-Service in this market. But it would be no surprise if it stretched up into the billions.  In this market it’s possible to purchase all the necessary pieces to make it as easy as possible for the investors to profit.

First level: The highly skilled elite programmers or engineers who write malware, develop exploits, and are general researchers. This can be an individual or individuals working together.

Second level: Here are the spammers, botnet owners, distributors, hosted system providers. These people are also skilled, but not always elite. This is where the distribution is handled

Third level: The money mules, treasurers, financial data providers.

These three levels fall under the umbrella of Malware-as-a-Service that can be sold and purchased as an entire package or individual services by a vendor.

The individuals involved aren’t always strictly black hat. There are also grey hat hackers, otherwise known as freelancers who are simply looking to make a profit. A programmer can sell a zero day exploit to the vendor of a software as a bounty. However that same exploit might be able to fetch a far greater profit if sold on the black market. A perfect example of this is Facebook, who offers a minimum of $500 for anyone who can hack their site. With over 700 million users, a Facebook exploit can sell for a pretty hefty price in the black market. As malware becomes more profitable this type of business model will continue to grow.