The malware markets contain everything from simple software programs to crack passwords to companies offering governments a one-stop shop for surveillance and espionage. Some of these products are highly valuable; one company, Zerodium, advertises a $1.5 million payout to anyone willing to sell zero-day vulnerabilities in Apple’s iOS operating system. NSO Group, an Israeli company that was caught having sold surveillance malware to the UAE to monitor human rights activists, has been valued at more than $1 billion. Alongside this big business are groups that lease access to ransomware and rent time on botnets for just hundreds to thousands of dollars a week. This dichotomy in prices and offerings has helped create a two-tiered market, with a larger lower level conducting business in online marketplaces, and a small upper level working through social networks and encrypted communications.
The markets encourage specialization, so that certain criminals build an entire business around developing, maintaining, and selling different kinds of malware and criminal services to give their customers up-to-date access to a massive number of potential targets. Imagine an attacker who stumbles upon the leaked source code for a piece of malware like Zeus or a sample of ransomware and rents time on a ready-made exploit kit or botnet to distribute it. Without ever writing a line of code, a criminal is born.