With the application of botnets as tools, botmasters aim tocommit different types ofcybercrimes. Halder and Jaishankar (2012) describe cybercrimes as the “offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (networks including chat rooms, e-mails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS)”.

Based on the definition, one can distinguish criminals’ objectives according to the attacker’s effectuate will.As information is becomingmore and more advantageous for individuals, businesses, and states, an attacker frequently aims to steal, leak, or destruct information processed by the targeted systems, or aims to disrupt operation due to anger, avenge, or for political reasons.

In effect, the motivation integrates the source of motives such as biological, social, and psychological needs, wants, or desires and the probable effects of any given action (Ryan and Deci, 2000). However, organisations or researchers may apply different categorisations. For example, Verizon (2020) distinguishes financial, espionage, and FIG (Fun, Ideology, and Grudges), despite the fact that one conducts espionage by political or even economic motivation.Therefore, applying espionage as motivation is not accurate, not to mention that espionage is a tool or action to get confidential data of the targeted entity. On the other hand, Gandhi et al. (2011), applied a methodology comprising political, socio-cultural, and economicmotivation as high-level factors; yet, the socio-cultural factor’s elements they applied can belong to the FIG or political motivation.Accordingly, we apply the high-level categorisation for thebotmasters’ motivation as (1) financial, (2) political, or (3) fun, ideology, and grudges (FIG).

It is beyond question that cybercrimes have evolvedoverthe last decade. Furthermore, today, there are highly sophisticated cybercrimes available as businesses. Cybercrime as a Service is a business model forcybercriminals offering services, infrastructure, and knowledge to be rented (Manky, 2013), which incorporates (1) the Crimeware as a Service, (2) the Cybercrime Infrastructure as a Service, and (3) the Hacking as a Service.

In Crimeware as a Service, cybercriminals offer general or specifically targeted identified vulnerabilities and related exploits. For example, to this category, zero-day vulnerabilities, malware such as rootkits, ransomware belong, as well as droppers, keyloggers, and hiding tools (Szőr, 2005). However, they are the main building blocks for creating a botnet.Criminals offer infrastructural elements, specifically clients and servers under the aegis of the Cybercrime Infrastructure as a Service, making others ableto rent a botnet or typically a part of a botnet with a limited set of capabilities. Clients, as part of a botnet, are ready to process the renter’s commands.Already in 2006, the Zeus botnet was the first that couldbe rented quickly in Darknet. It arose with spyware capabilities, and overthe years, with version updates, some new features have been added to the original capabilities (Bederna and Szadeczky, 2019, p. 10). Hence, when planning a botnet, the botmaster can compare the income from renting with life-cycle costs such as acquiring malware, spreading, and maintenance (Putman, Abhishta, and Nieuwenhuis, 2018, pp. 443–444).

Using Hacking as a Service solution, an attacker can outsource the complete attacking process to the “service provider” including planning and performing on-demand.

Today’s complex and comprehensive relations induce interactions between entities in any situation represented in a strategic form that describes players’ action (Do et al., 2017). In a security game, a player follows his or her strategy, which is the plan of actionswiththe payoff (Liang and Xiao, 2013). According to the noncooperative versus cooperative game-theoretic approaches, a critical aspect of a game is the players’ cooperation behaviour. A noncooperative player chooses a strategy to optimise his or her interests. Contrarily, a cooperative player has a joint strategy for mutually achieving benefits with other players (Do et al., 2017). However, the cooperation willingness can materialise in several layers in the technology and people factors of the BMIS model.

Creating and operating a botnet can be an easy and lonelytask if one is using pre-defined elements offered via Crimeware as a Service (Putman, Abhishta, and Nieuwenhuis, 2018, p. 445). However, developing a comprehensive botfrom the beginning requires several actors to be involved, such as vulnerability analysts, exploit developers, bot collectors, bot maintainers, operators, remote personnel, developers, testers, sysadmins, and managers (Miller, 2010). So, individuals as players of the security games can commit a crime separately or in a groupthat hasthe same motivation. Furthermore, different threat actors may also cooperate. For example, in June 2016, “the US Democratic National Committee (DNC) announced that it had suffered a network compromise. Evidence proved two separate breaches, one carried outby APT28 and the other by another Russian group, APT29 (aka Cozy Bear)” (Bederna and Szadeczky, 2019). There is no information on whether the two groups cooperated or not, but in effect, at least, they did not work against each other.

However, in the technology factor, C&C servers may communicate and cooperate with bots belonging to another botnet. Collaboration (Chang et al., 2015, pp. 648–649) may exist inter-family and intra-family botnet.On the other hand, noncooperative attacking players may take over the command centre’s control (Cimpanu, 2019) or hijack or remove other botnets’ agents (IBM Corporation, 2016, p. 11).

Capabilities incorporate the tools, tactics, and procedures (TTP) in the attacker’s portfolio, which has changed tremendously over time, generally and in connection with botnets.In 1999, the Pretty Park contained only a limited number of competencies. It connected to a remote IRC server and reported basic system information as an operating system’s version, login names, and e-mail addresses (Banday, Qadri, and Shah, 2009, p. 2). Eight years later, when the Zeus botnet started its career, its main capabilities were (1) reporting system information, (2) stealing protected storage information, (3) stealing online credential information, and (4) contacting the C&C server for additional tasks to perform, as the agents’ code had built-in commands waiting to be executed (Alzubaidy and Hatim, 2015, p. 123).

Today, as per ENISA (2019, pp. 130–131), botnets pose at being multi-staged and modular threats that have several features such as (1) self-propagation, (2) self-destruction, (3) anonymous communication, (3) persistent behaviour, (4) origin obfuscation, and (5) downloading payloads and installing themeven in the memory.Furthermore, one can distinguish botnet features according to their functionalities such as the (1) command module, (2) control module, (3) infection module, and (4) stealth module. The command module sends commands to the agents, and the control module controls the ownerships and relationships between the C&C and the bot. The infection module’s task is to find vulnerable network nodes, such as servers, client machines, network devices, and the Internet of Things (IoT), and infect them. The stealth module has an essential role in hiding from antimalware services or even disabling their functionalities.

The commands that the command module carries determine the given botnet’s capabilities that performattacking activities. The effectuated attack depends on the botmaster’s motives. Such an attack is mainly one of the following : DDoS, phishing, spam and spim (spammed instant messages) sending, spyware, adware, ransomware cryptocurrency mining, fake news propagation, and more. The disruptionware simply overwrites or wipes the data stored on the infected device without any possibility of recovering it.

As a botnet can be thought of as a distributed system with non-interactive workloads, it handles its bots’ computational resource. Therefore, a botnet’s computational capacity is the aggregated amount of its bots’ capacity.The computational capacity (or performance) is the amount of valuable work accomplished by a computer system, which depends on response time, throughput, and the computer system’s execution time. The response time is the time interval from the starting point to completing a task, which includes waiting for input or output and other processes, accessing disk and memory, and the time spent on execution time. The throughput is the total amount of computing tasks done in a given interval.

An attacker can use the network resources of the infected machines for attacking other entities. However, enterprises usually follow basic principles such as the hierarchical network model and modularity (Cisco, 2014a) in the planning, implementing, and operating of their network. This design method involves dividing the network into discrete layers, in which each layer in the hierarchy provides specific functions within the overall network (Cisco, 2014b). Nevertheless, the Internet is also a hierarchical network based on the autonomous systems (ASs) concept, which is routing domainscomprising a collection of routers under the same administration. The Internetencompasses several smaller and bigger Internet Service Providers (ISPs), Internet Exchange Points (IXPs), and Content Delivery Networks (CDNs) (Dey et al., 2018).

This hierarchical approach of enterprise networks and the Internet is crucial as it gives limitations and opportunities for the attackers. The limitations originate from the fact that a bot has a restrained network bandwidth of the infected computer resources. Furthermore, the malicious traffic has to flow over aggregated connections, such as between the enterprise and the ISP, or between ISPs.However, on the other hand, the hierarchical structureallows the aggregating of the malicious traffic to achieve ahigher performance, e.g., for DDoS or spamming. Moreover, the attacked entity also has the limitationsa bot has; therefore, it is possible to get the desired effect with a lower performance from the attacker’s viewpoint if the targeted systems have fewer available resources such as bandwidth or computational capacity.

In every presence and in each status, data assets have theirconfidentiality, integrity, and availability parameters (Beckers, 2015). Confidentiality means only authorised users and processes can access or modify data; so, one has to protect processed data from unauthorised access and misuse.Integrity is the protection of data from unauthorised alteration; hence, a defender has tomaintain the data in a correct state,ensuring that nobody or no process canmodify it, either accidentally or maliciously improperly. According to the availability parameter, data has to be accessiblepromptlyand uninterruptedly to authorised users and processes. An attack can therefore specifically affect at least one of its parameters such as confidentiality, integrity, or availabilityof specific data or a set of data depending on the botmaster’s motivation and the botnet’ capabilities.

Spyware collects and shares personal and confidential information without the user’s consent (Aycock, 2011). The information may include the company’s proprietary data, computer, network data, personal data about the user, such as activities and behaviour from various applications as, e.g., browsers and instant messengers. Spyware can transfer all the information to the botmaster via its C&C server. The adware that is a particular category of spyware works as a tool for advertisingand collects the user information and behaviour for interested advertisers or other interested parties without their consent. It can display advertisements on the screen of a given user, most often within a web browser.

Phishing is the mechanism of crafting messages that use social engineering techniques to fraudulently attempt to obtain sensitive information from users (Khonji, Iraqi, and Jones, 2013). It tricks the recipients into clicking on a link that points to an unsafe URL, hand over their credentials via legitimate-looking websites, online payment, and similar. It is typically carried out via e-mail spoofing or instant messaging. Spear phishing is directedat specific individuals or companies, while whaling attacks specifically senior executives and other high-profile targets.

Cryptocurrency mining (or cryptojacking) refers to the method that uses the processing power of the victim’s device without his or her consent to mine cryptocurrencies. It may work with the installation of software on a user’sdevice that would run in the background or a browser aftervisiting a malicious website. The algorithm is about to generate units of a cryptocurrency that would go back into the attacker’s wallet (Eskandari et al., 2018). It wastes bandwidth and computational capacity. The user may noticea reductionin the speed and efficiency of legitimate computing workloads. The extra computation increases the power consumption causing direct costs. Furthermore, if the code runs on a mobile device, it also negatively affects its battery lifetime.

Fake news (or hoaxes; Tandoc, Lim, and Ling, 2018) is not a new phenomenon; however, digitalisation has facilitated itsdiffusion via social media, making online visitorsmore susceptible to popularity indicators. Social bots (Siddiqui, Healy, and Olmsted, 2018) can spread non-curated content using trending topics and hashtags. Their primary strategy is to reach a broader audience, which, in many cases, further helps the propagation of fake news by (1) tweeting fake news items or (2) replying or commenting on the postings of real social media users with false information.

Fake news delivery is also possible with spams and spims. Spam and spimare abusive uses of e-mail and instant messaging to flood unsolicited messages in bulk. Despite its low cost, spamming causes a massive waste of time and resources for recipients and service providers in network bandwidth and storage.

On the other hand, ransomware stops users from accessing the data they use, and it may freezetheir devices, too. For users to be able to release locked devices, an online payment ransom is demanded, typically in cryptocurrency (Youngblood, 2016). Criminals have committed ransomware attacks against a variety of organisations as victims paid the ransom in many cases. Nowadays, it has evolved from stand-alone attacks to campaigns. The victims of these attacks not only suffer financial losses, but also lose their credibility.

Disruptionware is a particular category of malware that is designed to suspend operations within the targeted organisation. It aims to suspend operations and disrupt continuity; therefore, it is devastating in mission-critical systems and legacy systems that lack redundancy (Brichant and Eftekhari, 2019). Worms, file infectors, wipers, and even subcategories of ransomware belong to this category. A worm replicates itself over the network from device to device without the guidance of its creator. A file infector infects executable files by overwriting them or inserting infected code that disables them. A wiper deletes all the data stored on the infected device. In the case of disruptionware, the attacked and utilised entities are the same.

On the other hand, a DDoS attack attempts to disrupt the targeted entity’s regular traffic or service behaviour by overwhelming the target or its surrounding infrastructure. In the case of a DDoS attack, the attacked and the utilised entities are distinct. A DoS attack occurs when an attacker makes the target machine local or network resource unavailable to its intended users temporarily or indefinitely. Such solutions as physical disruption, MAC, TCP, UDP, ICMP flood, and the routing protocol modification in the network infrastructures also belong to DoS.

According to the TCP/IP model (Ravali, 2013), there are (1) Internet layer attacks such as ICMP flood, smurf attack, and ping of death, (2) Transport layer attacks such as syn flood and UDP flood, and (3) Application layer attacks such as malformed SSL requests, and HTTP, telnet, FTP requests, andDNS attacks (Specht and Lee, 2004).

Threat actors have causedmany users of the Electrum Bitcoin wallet to be victims of phishing attacks, at least sinceDecember 2018, by tricking them into downloading a malicious version of the wallet by exploiting a weakness of the Electrum software. As a result, attackers were able to stealmany bitcoins from their owners. In February, the developers of Electrum decided to exploit the same flaw to force them to download the latest patched version to tackle this problem. In March, Electrum tried to exploit another vulnerability unknown to the public. Shortly after, criminals launched distributed DDoS attacks against Electrum servers. Theseattacks stopped legitimate Electrum servers dealing with legitimate requests meaningpreviously untouched clients turned to rogue servers which stole from other wallets (Malwarebytes Labs, 2019a).

Table 1 presents the threat parameters of ElectrumDoSMiner, which applied Crimeware as Service tools such as the Smoke loader and the RIG exploit kit, stipulating its TTP, to conduct a DDoS attack. An interesting point is that by analysing the infected machines’ geolocation, the largest concentration was in the Asia Pacific region (Figure 2).

Emotetwas initially a banking trojan. Its first detection in the wild was in 2014. However, it disappeared in 2016 and 2017. As seenlater, its operators had updated the trojan and reconfigured it to work primarily as a loader for other malware, e.g., spam as Trickbot and ransomware as Ryuk (Fortinet, 2019). Furthermore, in September 2019, it ran three separate botnets called Epoch 1, Epoch 2, and Epoch 3 to reducethe probability and the effect of a takeover or a takedown (Spamhouse, 2019).

Table 2 discusses the threat parameters of Emotet, which is a botnet offering a loader functionality for others as, e.g., Trickbot and Ryuk; it is in effect a Cybercrime Infrastructure as a Service tool. Therefore, some capabilities depend on the carried botnets. An examination of the presence of infections (Figure 3) reveals the most affected countries are Germany, the United States, India, the Russian Federation, and China.

Gameover Zeus (GOZ) is a variant of the Zeus family, andwas identified in September 2011 using a decentralised peer-to-peer infrastructure of the compromised end-points. GOS utilised its P2P network for communicating commands, binary updates, or configuration and sent back stolen data in which it employed encryption to evade detection. Furthermore, GOZ was responsible for spreading Cryptolocker ransomware, spamming, data theft, and DDoS (Sandee, 2015). However, due tosuccessfulcooperation, law enforcement agencies were able to takedown GOZ in May 2014 (Europol, 2014).

Table 3 presents the threat parameters of GOZ, from which there are two interesting points: (1) there were a sophisticated cooperation of several threat actors working as a group, to create the botnet, which is explicitly known by security researchers, and (2) GOZ builders are not sold to individuals, showing less cooperation willingness. According to the geolocation attributes (Figure 4), the infected machines were mostly in the United States, India, and the United Kingdom.

Threat actors made Mirai, the infamous botnet, which was comprised of hundreds of thousands of thingbotsweaponising the Internet of things (IoT). Mirai started its DDoS attacks in August 2016. In early October, its developer released the Mirai source code as open-source. It infected more than 300,000 IoT devices, and soon after, it had more thana half-million thingbots. Mirai was in charge of attacks against Dyn DNS infrastructure, the French OVH datacentre and cloud provider, and the Deutsche Telekom infrastructure (Antonakakis et al., 2017).

Due to its open-source nature, it has had several variants, such as Satori, Okiru, and Owari (Liu and Wang, 2018). Even Android smartphones were targets for bot-creation (Ullrich, 2018). However, one version of Satori, a variant of Mirai, changed the profile to crypto mining. After infecting, it switched the wallet to the attacker’s wallet, resulting inall coins being generated for the attacker (Ashford, 2018).

According to the threat parameters of Mirai, depicted in Table 4, there was massive cooperation willingness among threat actors and business efforts from the botnet’s operator(s), who had managed IoT devices-based bots worldwide (Figure 5).

VPNFilter initially attacked devices located in Ukraine, but it spread to other countries very quickly. In May 2018, one of the most extensive campaigns was reported as having comprosed around 500,000 bots. However, after the VPNfilter attack, Ukraine started developingcyber-defence capabilities (Vakulyk et al., 2020).

The botnetapplied a multi-stage and modular infection. The first stage had the capability of boot persistence on devices; the second stage acted as a RAT, and the thirdstage included plugins to enhance functionalities. By the application of its RAT functions, it collected data, inspected local traffic, hijacked network data, communicated on the Tor network, and even wiped local firmware to destroy a specific device or all infected devices (Cisco Talos, 2018). Cisco Talos researchers found an interrelation between VPNFilter and BlackEnergydisruptionware that targeted the Ukrainian powergrid in the winter of 2015–2016 (Anomali, 2019). Both were the product of the APT28 group. There is no information about the business model and cooperation willingness, see Table 5; however, according to the conditional sponsorship of the Russian government, there must have been certain cooperation. Although the VPNfilter started mainly in Ukraine, its presence has changed worldwide (Figure 6).