Kaspersky Digital Footprint Intelligence experts analysed botnet sales on the dark web and shadow Telegram channels and discovered that attackers can acquire ready-made solutions starting at $99. Besides one-time purchases, botnets can be hired or acquired as leaked source code for a symbolic price. In some cases, custom botnet development is also available.
A botnet is a network of malware-infected devices, ranging from smart toothbrushes to advanced industrial internet devices, that attackers use to organise automated mass attacks such as DDoS. “Mirai is one of the most infamous examples of a botnet. It scans the internet for IoT devices with weak default passwords, uses a set of known default credentials to gain access, and infects them. The infected devices then become part of the botnet, which can be controlled remotely to perform various types of cyberattacks,” explains Alisa Kulishenko, security analyst at Kaspersky Digital Footprint Intelligence.
Cybercriminals create botnets like Mirai in order to sell them, and each has individually tailored infection processes, malware types, infrastructure, and evasion techniques. The fraudsters sell them to other criminals on the shadow market, with botnet prices depending on quality; this year the lowest offers started at $99 and the highest reached $10,000.
An example of a dark web offer featuring a botnet for sale
Botnets are also available for hire. Prices range from $30 to $4,800 per month. “Potential earnings from attacks using botnets for hire or sale can exceed the associated costs. They allow for activities such as illegal cryptocurrency mining or ransomware attacks, and more. Open sources report that an average ransom payment is two million U.S. dollars! In contrast, renting a botnet costs significantly less and can pay off with just one successful attack,” adds Alisa Kulishenko. Since the beginning of 2024, Kaspersky experts have observed more than 20 offers for botnets for hire or sale on dark web forums and Telegram channels.
Other options: leaked bots and custom development
Besides purchasing a ready-made solution, there are cheaper ways for nefarious actors to access botnets. Just as legitimate data can be leaked, the source code of a botnet can also be publicly released by malicious actors. Access to this leaked source code can be obtained for free or for a fee of $10 to $50, based on information from approximately 400 dark web and shadow Telegram posts observed since the beginning of 2024. However, leaked botnets are generally considered an option for less sophisticated actors, as they are more likely to be detected by security solutions.
A threat actor can commission a botnet to be developed from scratch. Development costs start at $3,000 and are not confined to any specific price range. “Most of these deals occur privately, through personal messages, and partners are typically chosen based on reputation, such as forum ratings,” elaborates Alisa Kulishenko.
To avoid threats related to cybercriminal activity on the shadow internet, organisations are advised to implement the following security measures:
- Use Kaspersky Digital Footprint Intelligence to help security analysts explore an adversary’s view of their company resources and promptly discover the potential attack vectors available to them. This also helps raise awareness of existing cybercriminal threats so that you can adjust your defenses accordingly or take counter and elimination measures in a timely manner.
- Choose a reliable endpoint security solution such as Kaspersky Next that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.