Cybercriminal takeover
The server takeover is the earliest stage, where exposed assets are enumerated (i.e., via network scanners), accessed, and categorized by features (e.g., availability, bandwidth, and type of GPU) for further malicious purposes.

Categorization and estimation of monetization paths
Compromised servers are categorized based on simple criteria that can be automatically collected by software tools used by underground actors (e.g., computing power, bandwidth, location, victim). A compromised asset can be taken over, monetized, and resold several times.

Sensitive data exfiltration
This category includes theft from the compromised server of credentials, PII, financial information, and scanned or sensitive documents using a variety of automated keyword search tools.

Resale for targeted attacks
Advanced categorization may find servers that are of interest to industrial espionage actors looking to dissociate themselves from the initial compromise. Particularly sensitive assets can be sold in underground auctions for hundreds of thousands of USD.

Resale for criminal monetization
Some platforms offered in the underground automate the processing and monetizing of compromised servers, whereby sellers can collaborate to deliver more than a hundred compromised servers per day in some scenarios, sometimes called the “access as a service” model.

Criminal monetization
A compromised server commonly gets monetized through cryptocurrency mining and malicious hosting. Ransomware attacks, especially targeted ones, may also be employed by actors who have in-depth knowledge about the infrastructure. Cryptocurrency mining should be of particular interest to defenders, as it often indicates a compromised asset that is in an idle state prior to being resold or having ransomware deployed.

Incident response
The typical instances wherein a compromise or malicious activity is detected, and an incident response (IR) team deals with the threat.