How rich are they?
There is a class of computer vulnerabilities called zero-days. They are called that because they are not publicly known and either can be or are being exploited since there are no patches for them.
Many zero-days are discovered by nation-state spy agencies like the CIA or NSA here in the U.S. (but all nations at least try to mimic this). But many of them are discovered by hackers or researchers. In the case of bugs found by spies, they may keep the bug to themselves, but in any case, they rarely, if ever, sell them. That is just not their gig.
But private hackers and researchers, well, they either sell their bugs to the company that makes the software (or to an intermediary) or they sell them to the highest bidder.
Historically, those bidders are other nations. You can either find bugs or you can buy them. Maybe you get exclusive rights to the bug (that costs a lot more), or you just get access to it and the researcher/hacker who found it can sell it again.
Apparently, some of the ransomware groups are getting so wealthy from stealing from you that they can compete with nation states to buy those zero-days.
That also requires that these hacking groups are sophisticated enough to leverage those zero-days and, apparently, they are doing that as well.
Of course, it is legal (at least in their own country) for nations to buy zero-days.
Hackers, on the other hand, don’t really care whether it is legal. After all, their entire operation is not legal.
Is it legal to sell a zero-day? That also depends. Where are you? Do you know it is going to be used to break the law?
So let’s assume that a hacking group buys a zero-day for, say, $3 million. What then?
One thing they can do is set up a hacking service.
Rather than trying to recover that cost all by themselves, they advertise a particular attack method on the dark web and sell access to it. Possibly they sell it for cash; possibly they get a cut of the money their customers extort from panicked users.
Alternatively, the hacker who discovered the vulnerability sets up the hacking service. If they do this, they don’t have even the façade of legitimacy, but depending on what country they are in – that may not matter.
Isn’t this a pleasant thought – now?!
Credit: ZDNet