Close this search box.

What Motivates Cybercriminals to Run Malware Campaigns?

Cybercrime is a lucrative market that cost U.S. businesses nearly $7 billion in 2021. With ransomware continuing to run rampant and ranking as the most concerning cyber threat for CISOs, having full understanding of the hidden risks that cause ransomware is becoming top-of-mind for enterprises in the fight against cyberattacks.

A common precursor to ransomware is the deployment of infostealer malware infections, which allow criminals to steal information at scale while remaining hard-to-detect. Infostealers siphon credentials, web session cookies, auto-fill data, and much more from infected devices, which bad actors use in anti-detect browsers to log into employee accounts, gain access to corporate resources and data, encrypt files, and launch ransomware attacks. Malware proves to be a challenge for Security Operations (SecOps) teams who are fighting an uphill battle to try and protect the broader business from these threats.

SpyCloud has been disrupting cybercrime for the last six years, and we’ve encountered all manner of motivations when it comes to cybercriminals launching these insidious malware campaigns. While money is the most obvious and common motivator, there are various other ways that cybercriminals can profit from malware:

Show Me the Money: The #1 Way Bad Actors Profit from Malware and Ransomware

Underground Criminal Marketplaces

There are a number of robust bot marketplaces where criminals sell and shop for stolen digital identities, including Genesis, 2easy, and Russian Market. According to our findings, as of February 2022 there were more than 430,000 stolen identities for sale on Genesis Market. These markets list, among various items, browser fingerprints that provide all of the login, IP addresses, session cookies, and system details necessary to plug into an anti-detect browser to mimic the victim with minimal effort.

Criminal Forums

Like criminal markets, forums accessible on both the clear web and dark web also cater to a data-for-profit model, allowing users to list vast tranches of malware-siphoned data for sale. Similarly, groups on messaging services like Telegram and Jabber cater to specific communities, including those interested in the sale of data and access. Unlike criminal markets, buying and selling on criminal forums is typically done in a peer-to-peer fashion and often allows greater flexibility in regards to the type of data or access being sought.


Certain operators provide Ransomware-as-a-Service (RaaS), a business model that enables affiliates to pay for access to an operator’s proven software and tactics – and even access support services and a portal or dashboard with reporting in some cases. It’s everything needed to instigate ransomware attacks in exchange for a percentage of a successful ransom payment. 

Big Fish: Ransom Payments

When malware-siphoned data leads to ransomware attacks, the demanded ransom payment is a lucrative source of revenue for bad actors. The 2022 SpyCloud Ransomware Defense Report found that 65% of victim organizations end up paying the ransom. In some extreme cases the ransom request is in the millions – examples are LockBit which has demanded over $100 million from its 1000 victims around the world and an instance of REvil demanding $70 million in crypto currency. It is possible, and most times probable, for the ransomware victim to pay and still not be able to fully recover the lost data.

Other Motivations for Malware Campaigns


Over the course of the last several years, stolen access to applications and networks has been leveraged with increasing frequency for social or political motivations, aka “hacktivism.” The goal is often bringing awareness to particular issues or attempting to bring down an organization or government entity the actors believe is doing harm – but private businesses and individuals aren’t immune.


State-sponsored bad actors execute sophisticated campaigns supporting their geopolitical objectives, whether motivated by duty or financial compensation. Often this includes espionage against political groups and governments and attacks on critical infrastructure. It is common for nation-state actors to deploy malware with wiper capabilities to destroy systems and files rather than demanding a ransom payment.

Thrill Seekers

The much-publicized $LAPSUS group could be considered an organization that prioritizes notoriety over profit. While billed as a criminal extortion group, $LAPSUS has been identified by security researchers in attacks with little or no monetary gain, seemingly desirous more of the fame and press coverage than any financial benefit of committing criminal intrusions.

How To Reduce Your Risk of Malware Infections That Lead to Ransomware Attacks

No matter what the reason, malware campaigns put enterprises at risk for follow-on ransomware attacks.

And despite implementing multiple layers of defense, ransomware still runs rampant. To prevent ransomware attacks that result from infostealer-siphoned data, enterprises need to close the gaps in their defenses. One commonly overlooked defense is remediating the applications whose credentials and/or cookies have been stolen by malware. Having insight into that data and a clear, swift plan of action to mitigate the effects of that stolen authentication data limits the risk that a malware campaign affecting an employee, vendor or contractor can be used to cause further harm to the business.

However, the “old way” of identifying a malware infection and wiping the device is no longer sufficient, as the data siphoned off the machine is likely already being traded or sold on the darknet to aid additional attacks. And the “old way” of remediating only corporate-issued devices is also no longer enough, when much of the workforce is accessing corporate applications, such as sales databases, password managers, HR systems, collaboration tools, and even security products on personal, unmonitored devices – whether or not that’s sanctioned.

If you can’t fix what you can’t see, what is a SecOps team supposed to do?

We recommend Post-Infection Remediation (PIR), a series of additional steps in a malware infection response framework designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware. It relies on having visibility into malware-stolen data, but with that in hand, PIR lets you fully remediate a malware infection beyond isolating and wiping the device – extending remediation to affected third-party applications. The goal is to prevent a malware infection from becoming a full-blown security incident.

Compass helps enterprises combat these precursor infections by identifying definitive evidence of malware-infected devices, including exposed users and applications that cybercriminals use to walk right into your network. SpyCloud helps enterprises:

Learn how SpyCloud can help reduce your risk of ransomware attacks that result from malware infections using recaptured darknet data.
Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

[What’s New] Check Your Exposure has been expanded with more recaptured data. See Your Results Now

Close this search box.