Crime has existed since the beginning of human society, and cybercrime has existed since the beginning of the digital society. However, as noted by the European Commission in the introduction to the Cybersecurity Strategy of the European Union: "Recent years have seen that while the digital world brings enormous benefits, it is also vulnerable. […] The EU economy is already affected by cybercrime activities against the private sector and individuals. Cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data or holding companies to ransom."
In effect, the major threat agents today are no longer improvised amateurs or wannabe hackers, as they were in the past, but structured, motivated, and competent organizations, which are well funded and provided with significant resources because they mostly belong to transnational organized criminal cartels. What is worse, professional cybercriminals have started to sell tools and services to less-organized individuals or gangs, thus enabling them to carry out sophisticated criminal actions in cyberspace as well.
Cybercrime: no more a business per se
Cybercrime is now a consolidated business, based on a well-run and efficient supply chain. It starts from the development of technical components for the attack (usually contracted to specialized experts), it goes through the monetization of illegal profits (often via virtual currencies), and ends with the laundering of dirty money (commonly outsourced to traditional crime organizations).
The most striking result of this progressive industrialization of cybercrime is perhaps the creation of an entire portfolio of "professional services" offered by organizations in the sector to those who, not being regular criminals, nevertheless seek some specialized collaboration that could help them quickly put in place some lucrative but illegal activity. This ‘customerization’ of cybercrime is known as "Crime-as-a-service", a term that includes a broad and well-structured offering portfolio ranging from the development of custom malware (including such things as "ransomware-in-a-kit") to the massive deployment of attack vectors through "satisfaction guaranteed" spam campaigns based on millions of real and reliable email addresses. It also extends from the handling of huge Distributed Denial-of-Service attacks down to the illegal mining of bitcoins using botnets made up of hundreds of thousands of unaware end-user computers or compromised computing infrastructures in the cloud.
Evidence of such hidden activities can be found in recent data coming from several threat monitoring sources, all of which report a steady growth either in the number of botnets or in the number of Command and Control (C&C) servers, which are the management centers from which botmasters give commands and program the activities to be performed by the compromised computers that compose the botnets. This is a clear indication that these kinds of cybercrime-enabling infrastructures are built not only for direct use by criminal organizations but also to be rented, so to say, to "third parties".
New territories on the cybercrime landscape: IoT and Cloud
It is also interesting to note that the fastest growing botnets are now those related to cloud services and "Internet of Things" (IoT) devices. The latter in particular are the ideal victims of this threat as they are more vulnerable and therefore easier to compromise compared to traditional servers; despite being equipped with relatively scarce computing resources, IoT devices are so numerous that they constitute a powerful army in the hands of bad guys. Evidence of this is the fact that the recently recorded DDoS attacks - which originated from compromised small devices such as surveillance cameras or home ADSL routers - are more massive than those that were common until some time ago, both in terms of duration (even several days) and bandwidth.
This increase in offensive power is also due to the use of "attack amplification" techniques never seen before. These were especially developed because traditional techniques (for example those based on the NTP protocol) are proving increasingly less applicable, due to the progressive spread of protocols and systems not affected by the vulnerabilities that allowed malicious users to obtain the amplification effect.
Another recent finding emerging from specialized reports is the increase in the number of compromises related to services in the cloud: both Amazon Web Services and Google Cloud Platform have been victims, usually through the use of fraudulent accounts. The computing power illegally gathered by the criminals in the cloud is sometimes used to run botnets or launch DDoS attacks, but more often to perform specific tasks that require large processing capability, such as cracking complex passwords and/or massive password lists obtained from leaks, or mining Bitcoin. As of now, it is no longer profitable to mine Bitcoin in one’s own house, since the energy cost required to do so is likely to be higher than the expected gain. It is therefore very common to find massive hidden mining plants which operate entirely on the shoulders of computing systems that were ‘kindly’ made available to illegal organizations by unaware users, who then unwittingly bear the related costs.
Attack toolkits and new victims
It is worth noting that in the recent past, sophisticated "attack toolkits" appeared on the market, specifically developed to target new, and more profitable, classes of victims. Last year, several operators in the power generation and oil and gas sectors were hit by a specialized malware designed to attack the most common industrial control systems. More recently, a few healthcare organizations were threatened by a new malware specifically designed to target medical diagnostic systems.
The healthcare sector has become one of the favorite targets of cyber criminals: attacks on companies and medical facilities are constantly increasing, and the sector is completely unprepared to face them. The reason for this escalation of the threat is twofold: compared to other sectors, healthcare has much more to lose and is inherently much more vulnerable, which makes it the perfect victim.
This in turn depends essentially on two factors. On the one hand, the ICT infrastructure of healthcare organizations is often not state-of-the-art, and sometimes even obsolete; this is especially true with regard to electro-medical and diagnostic systems such as RIS-PACS, which are often still based on operating systems no longer supported (such as Windows XP). On the other hand, there is a growing tendency, for obvious needs, to interconnect systems that, in the past, were essentially stand-alone: this exposes to external threats many critical systems that should not be easily reached by intruders or malware, and which are not inherently secure or even well protected against intrusion and attacks.
The result is that more and more criminal organizations are targeting the healthcare sector, either for extortion (usually based on ransomware or DDoS attacks) or for stealing patients’ clinical data. More and more often, those attacks are conducted by several organizations acting in cooperation, some of which are just selling specialized state-of-the-art cybercrime services or products to the others.
The (cheap) prices of cybercrime services
It is also amazing to discover that the growing competition among resellers of cybercrime goods has recently led to a substantial price decrease for services and products in this special kind of black market, which is usually hosted in the so-called Dark Web.
For one, the cost of a massive Denial-of-Service attack has dropped from $80-$100 per hour (common until 2016) to a far lower $15-$20 per hour (in 2017). Moreover, it is now possible to buy a powerful ransomware-for-dummies toolkit for just $175 and even a decent credential-stealing malware for a mere $13.
Even information regarding personal identities is bought and sold on the black market, and there are detailed price lists where the costs depend on the type of credential offered and the potential profit that the buyer could expect. A recent survey showed that the cheapest information is credit card numbers, whose cost ranges from $5-$8 each if accompanied by just the CVV/CVV2 code from the back, to $15 if the number is supplied together with the bank’s ID number, up to $30 if the stolen credentials include the so-called "fullz", that is, complete information regarding the cardholder. The credentials for accessing online payment services are worth more, depending on the spending limits and the balance associated with them: they range from $20-$50 each for accounts with balances up to $1,000, and gradually increase up to $200-$300 for balances between $5,000 and $8,000.
In fact, the ease with which illegal information, products and services can be bought and sold on the Dark Web marketplace is what primarily caused such a rapid success (and therefore growth) of the Cybercrime-as-a-Service model. As noted by Europol/EC3 in their latest Internet Organized Crime Threat Assessment report (IOCTA 2017): "Darknet markets remain a key crosscutting enabler for other crime areas, providing access to, amongst other things, compromised financial data to commit various types of payment fraud, firearms, counterfeit documents to facilitate fraud, trafficking in human beings, and illegal immigration. Compared to more established Darknet market commodities, such as drugs, the availability of cybercrime tools and services on the Darknet appears to be growing more rapidly."
The case for an enhanced international cooperation
One of the major problems that law-enforcement agencies face when combating cybercrime is the transnational nature of cyberspace, which obviously plays in favor of bad guys and against the good ones. This is especially true for the Cybercrime-as-a-Service ecosystem, which is inherently cross-border and derives its biggest advantage from the ease with which illegal tools are exchanged, services are deployed, and virtual currencies are transferred to and from different organizations in different countries. International cooperation is therefore the first and most important line of action to counteract this growing phenomenon, in terms of both prevention and reaction.
On the prevention side, the preparedness of potential victims should be greatly enhanced and cybersecurity defenses in critical sectors should be globally reinforced. The NIS directive that recently entered into force in the EU is a good starting point, but much more must be done, especially at the cultural and organizational level (particularly for SMEs).
On the reaction side, it should be made easier for police forces and prosecutors of different nations and jurisdictions to exchange information and conduct investigations together; the Budapest Convention on cybercrime was a fundamental milestone in 2001 but is now seventeen years old, and should probably be updated to reflect the new and unforeseen developments that have characterized cyber threats since then.
The Cybercrime-as-a-Service model is a powerful and dangerous enabler for the cybercrime business, which in turn is a truly global threat; the response should therefore be global and coordinated as well, if it is to be successful. This means that a new level of cooperation among all the stakeholders must be established, in order to enable better prevention and a faster and more effective reaction.
 Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (Brussels, 2013)
 Actually, some discussion started in 2017 among the Parties to the Budapest Convention in order to develop a supplemental Protocol aimed at addressing such issues as enhanced international cooperation and access to evidence in the cloud. See Seger's article in this same Dossier.