Cyberextortion is a crime involving an attack or threat of an attack coupled with a demand for money or some other response in return for stopping or remediating the attack.
Ransomware attacks, in which blackmailers encrypt victim systems and offer to decrypt them after the victim sends funds, usually in the form of cryptocurrencies like bitcoin, are currently among the most common forms of cyberextortion. However, other types of cyber blackmail can include distributed denial-of-service (DDoS) attacks that the blackmailers offer to suspend on receipt of payment, or the threat of exposing confidential corporate data that has been stolen from an organization.
Cyberextortion attacks start with a hacker gaining access to an organization's systems and seeking points of weakness or targets of value. While ransomware attacks can be automated through malware spread by email, infected websites or ad networks, these attacks tend to spread indiscriminately, and they may result in only a small percentage of victims paying the extortionists. More targeted attacks can produce less collateral damage while providing more lucrative targets for the extortion attempt.
Types of cyberextortion
Today, businesses are being hit by different types of cyberextortion, including:
- Cyber blackmail occurs when cybercriminals breach corporate networks to discover and exfiltrate valuable data. For example, in 2017, hackers shared unreleased episodes of the Netflix series Orange Is the New Black when the streaming company did not pay the blackmailers. That same year, another cyberextortionist threatened to release unaired episodes of Game of Thrones if HBO did not pay $5.5 million in bitcoin.
- Attackers may conduct denial-of-service (DoS) and DDoS attacks against a targeted company and solicit payment to stop the attack. In some cases, the attacker may threaten a DDoS attack and demand a payment to not carry it out.
- In ransomware scams, victim devices are infected with malware that prevents authorized users from accessing the device or the data stored on it. To regain access to the device or data, the victim has to pay the hacker a ransom. A user can inadvertently download the malware by opening an infected email attachment, visiting a compromised website or clicking on a pop-up ad.
- Database ransom attacks are carried out by hackers who identify and hijack databases running MySQL, Hadoop, MongoDB, Elasticsearch and other systems that have not been fully patched or whose default administrative passwords have never been changed. Attackers have been observed replacing the contents of a breached server with a ransom note demanding a specific amount of bitcoin to reinstate the data.
As long as there are undesired outcomes related to computers and data, there will likely be cyberextortionists who devise new scams to exploit the individuals or organizations who want to prevent those negative outcomes.
Effects of cyberextortion
The cyber economy research firm Cybersecurity Ventures predicted that the annual global cost of damage from ransomware would be greater than $11.5 billion by 2019, up from $325 million in 2015. In its "2017 Annual Cybersecurity Report," Cisco reported that ransomware is growing at an annual rate of 350%. While Cybersecurity Ventures estimated that ransomware damages would exceed $5 billion in 2017, that is still just a fraction of the nearly $600 billion cost of cybercrime in 2017 estimated by McAfee.
Companies victimized by cyberextortion schemes not only suffer from breaches or loss of sensitive corporate data, they may also sustain serious damage to their reputations, lose customers and, consequently, lose money.
If customers can't access their preferred websites, they'll likely move on to other companies that offer the same or similar products or services. In addition, hackers will use the threat of selling a victim's corporate secrets to rival companies -- often a great motivation for a victim company to pay a blackmail ransom.
Cyberextortion goes beyond ransomware
When data is breached from a company, attackers may threaten to reveal sensitive data publicly. Customers whose data has been made public in that way may be able to recover damages from the company. Under Gramm-Leach-Bliley regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), financial and healthcare companies can be held liable for such disclosures, and they often incur hefty government fines.
Cyberextortionists may also threaten to reveal a victim's private information, such as personal photos or videos, demanding payment to stop them from sharing that information to all the addresses in the victim's email account or on social media.
Cyberextortionists are constantly searching for new vulnerabilities to exploit and new ways to threaten victims who are willing and able to pay. Consequently, companies must stay ever-vigilant in their efforts to combat cyberextortion.
Organizations wishing to reduce the chances of being victims of electronic extortion should implement the same kind of strong cyberdefenses they would use to resist any type of cybersecurity incident.
Here are some specific steps to take to reduce the number and effect of cyberextortion attempts:
- Implement and test contingency and disaster recovery plans to ensure the company can recover from a cyberattack.
- Develop strategies for backing up and encrypting sensitive data, and make sure that recovery procedures are tested regularly to avoid downtime due to ransomware or other attacks.
- Employees are an important part of the defense team, so train them to recognize phishing attempts, to avoid posting sensitive data on social media sites and to take other steps that reduce the attack surface for potential cyberextortion attempts.
Basic cybersecurity hygiene is important, including using antimalware tools to identify and prevent malware intrusions, using up-to-date antivirus software for endpoint security, keeping all system software up to date with the latest patches to fix known flaws that hackers and malware can exploit, and hardening internal network defenses and limiting access to the internal network to deny or slow the propagation of malware and the lateral movement of hackers.
Other standard cybersecurity measures that can help mitigate cyberextortion attacks include implementing risk analysis and risk management programs to identify and address cyber-risks throughout the business, reviewing audit logs regularly for suspicious activity, and remaining vigilant for new and emerging cyberthreats and vulnerabilities by participating in information sharing organizations and receiving alerts from the U.S. Computer Emergency Readiness Team.
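A detection check of the kind the audit-log review above calls for, as an added example that is not from the original page: it flags a ransomware-like burst of renames in constructed file-server audit lines. The log format, host names and user names are assumptions.

```python
"""Spot ransomware-style mass renames in file-server audit logs.
Heuristic: one account renames many files within a short window so that each
gains an extra suffix (q1.xlsx -> q1.xlsx.locked); a user saving a couple of
.bak copies stays under the threshold. Log format and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

def parse(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def gains_suffix(old, new):
    """True when new is old plus exactly one extra extension."""
    return bool(new) and new.startswith(old + ".") and "." not in new[len(old) + 1:]

def find_rename_bursts(lines, threshold=5, window_sec=60):
    """Map (host, user) -> time of first alert for accounts whose
    suffix-adding renames reach `threshold` within `window_sec`."""
    recent = defaultdict(deque)  # per account: rename timestamps in window
    alerts = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["op"] != "RENAME" or not gains_suffix(ev["path"], ev["new"]):
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ev["ts"]
    return alerts

# Constructed sample: alice renames six files in 25 s, bob makes one .bak copy.
SAMPLE = ["2023-05-04T09:00:%02dZ host=fs01 user=alice op=RENAME "
          "path=/share/finance/f%d.xlsx new=/share/finance/f%d.xlsx.locked" % (5 * i, i, i)
          for i in range(6)]
SAMPLE.append("2023-05-04T09:00:12Z host=fs01 user=bob op=RENAME "
              "path=/share/hr/plan.docx new=/share/hr/plan.docx.bak")
```

Tune `threshold` and `window_sec` to the normal rename rate of each file share; a single backup copy like bob's never trips the alert.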
In addition to the 2017 cyberextortion attacks against Netflix and HBO, there have been other notable instances of cyberextortion.
In 2015, Ashley Madison was attacked by hacktivists calling themselves the Impact Team who announced that they had compromised the database of the cheating website, owned by Avid Life Media, that held the personally identifiable information of 37 million users.
Rather than asking for money, the group threatened to release the information if Avid Life Media (ALM) didn't permanently close down two of its dating websites as punishment for defrauding its customers. The hackers claimed that ALM didn't remove the personal information of some customers even though they had paid extra to have that information expunged.
Since ALM didn't give in to the Impact Team's demands, the group leaked Ashley Madison customer data.
In 2014, Domino's Pizza was targeted by the hacker group Rex Mundi, which publicly claimed it had stolen the customer records of 650,000 Domino's Pizza customers in Europe. Rex Mundi said it had stolen the records from Domino's website and would release the records if Domino's didn't pay it a ransom of €30,000.
Domino's declined to pay the ransom and instead notified its customers of the breach, noting that the stolen data didn't contain their financial information, but only contact details, delivery instructions and passwords. Domino's suggested its customers change their passwords and Rex Mundi never followed through on its threat.
In 2014, hackers hit the RSS feed service provider Feedly with a distributed denial-of-service attack to prevent users from accessing the service. The attackers demanded money, which the company refused to pay.
The company worked with authorities, as well as with other firms hit by attacks from the same group to bring the hackers to justice. Feedly worked with its content network provider and restored service in a couple of hours.