What is cyberextortion?
Cyberextortion is a crime involving an attack or threat of an attack coupled with a demand for money or some other response in return for stopping or remediating the attack.
Cyberextortion attacks are about gaining access to an organization's systems and identifying points of weakness or targets of value. Cybercriminals demand payment through malicious activity, such as ransomware, which is the most common form of cyberextortion. They also use distributed denial-of-service (DDoS) attacks and steal confidential corporate data and threaten to expose it.
In a ransomware attack, a blackmailer encrypts the victim's files and offers to decrypt them only after payment is made, usually in the form of cryptocurrencies like bitcoin. In a DDoS attack, the cybercriminal typically threatens to carry out an attack if payment isn't made. The threat is suspended once the victim pays the attacker, or the DDoS is conducted if the ransom isn't paid.
Ransomware attacks can be automated through malware distributed in emails, infected websites or ad networks. These attacks tend to spread indiscriminately, creating networks of infected computers. However, they may result in only a small percentage of victims paying the cyberextortionists. More targeted attacks can produce less collateral damage but provide more lucrative targets for the extortion attempt.
Types of cyberextortion
Today, businesses are being hit by different types of cyberextortion and cyberthreats, such as the following:
- Cyber blackmail occurs when cybercriminals breach a private network, steal valuable data and hold the information hostage. In 2017, hackers shared unreleased episodes of the Netflix series Orange Is the New Black when the streaming company did not pay the blackmailer. That same year, a cyberextortionist threatened to release unaired episodes of Game of Thrones if HBO did not pay $5.5 million in bitcoin.
- Database ransom attacks involve hackers who identify and hijack databases that use vulnerable versions of MySQL, Hadoop, MongoDB, ElasticSearch and other computer systems. Attackers can exploit vulnerabilities if patching isn't up to date or default administrative passwords have not been reset. They will sometimes replace the contents of a breached server with a ransom note requesting a payment in bitcoin to reinstate the data.
- Denial-of-service (DoS) or DDoS attacks are a common cyberextortion method, affecting access to servers and data. An attack is launched, and payment is demanded to stop it. Or an attack is threatened, and payment is demanded to keep it from happening.
- Ransomware victims find their devices infected with malware that prevents authorized users from accessing those devices or the data stored on them. To regain access, the victim must pay the hacker a ransom. A user inadvertently downloads the malware by opening infected email attachments, visiting a compromised website or clicking on a pop-up ad.
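The database ransom bullet above describes instances that are reachable from the internet with default or no authentication. As an added example that is not part of the original article, the following audit checks an Elasticsearch-style flat `key: value` configuration for that exposure pattern, using the real settings `network.host` and `xpack.security.enabled`; the two config snippets are constructed, and treating an absent `xpack.security.enabled` as disabled is an assumption (defaults vary by version).

```python
"""Audit an Elasticsearch-style flat config for the exposure pattern behind
database ransom attacks: bound to every interface with authentication off.
Added example; both config snippets are constructed, not from a real host."""

# Constructed sample: a default-looking, exposed node.
WEAK_CONFIG = """
cluster.name: demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node after hardening.
HARDENED_CONFIG = """
cluster.name: demo
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

def parse_flat_config(text):
    """Parse 'key: value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_exposure(text):
    """Return a list of findings; an empty list means no exposure pattern was found."""
    s = parse_flat_config(text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # loopback when the key is absent
    if host in ("0.0.0.0", "::", "_global_", "_site_"):
        findings.append(f"listens on all interfaces (network.host={host})")
    # Assumption: an absent setting is treated as disabled, the conservative reading.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("authentication disabled (xpack.security.enabled is not true)")
    # Both weaknesses together are the pattern the ransom-note attacks rely on.
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings
```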
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury dedicated to safeguarding financial systems, issued an advisory in October 2020 with the following list of five types of more sophisticated cyberextortion techniques:
- Big game hunting. Targeting big enterprises that are more likely to pay bigger amounts.
- Partnerships. The sharing of resources, such as ransomware exploit kits, among cybercriminals.
- Double extortion. Schemes where the threat actor copies sensitive data from the victim's network before encrypting the files and demanding ransom. The attacker uses the threat of publishing or selling the stolen data if payment isn't made.
- Anonymity-enhanced cryptocurrencies (AECs). A complementary tool of convertible virtual currency, AECs such as Monero and Zcash reduce the transparency of the financial flows involved in an attack.
- Fileless ransomware. Instead of putting the malicious code into a file on a hard disk drive, the ransomware writes it into the computer's memory.
Effects of cyberextortion
Cyberextortion attacks are often aimed at smaller businesses and tend to be underreported. Some of the statistics include the following:
- The National Cyber Investigative Joint Task Force said, from 2013 to 2019, at least $144.35 million in bitcoin was paid in response to ransomware attacks.
- The average cost of a ransomware attack was $4.44 million, according to the "Cost of a Data Breach Report 2020" that the Ponemon Institute wrote and IBM published.
- The number of ransomware attacks increased by 150% and caused an average of 18 days of downtime for affected companies, according to cybersecurity vendor Group-IB's "Ransomware Uncovered 2020-2021" report.
- Ten percent of the 5,258 breaches Verizon analyzed involved ransomware, more than double the frequency in the previous year, the vendor said in its "2021 Data Breach Investigations Report."
- The average ransom payment increased 43% to $220,298 from $154,108 in the fourth quarter of 2020, incident response vendor Coveware said in a recent report. The median payment in the first quarter was $78,398, up more than 50%.
Companies victimized by cyberextortion schemes suffer the effects of a data breach and loss of sensitive information. These can include damage to their reputation, loss of customers and, consequently, lost money.
If customers can't access their preferred websites, they'll likely move on to other companies that offer the same or similar products or services. In addition, hackers will use the threat of making a victim's trade secrets or intellectual property public or selling it to rival companies. That tactic is great motivation for a victim company to pay ransom.
Customers whose data is made public as the result of a cyberextortion exploit or other type of data breach may be able to recover damages from the company. Under the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act, financial and healthcare companies can be held liable for such disclosures, incurring hefty government fines.
Cyberextortionists may also have access to a victim's private information, such as personal photos or videos. Here, too, threat actors will demand payment to stop them from sharing that information to contacts in the victim's email or on social media accounts.
Cyberextortionists are constantly searching for new vulnerabilities to exploit and new ways to threaten victims. Consequently, companies must be vigilant in their efforts to combat these exploits.
To reduce the risk of becoming a victim of cybercrime, organizations must implement strong cyberdefenses. Some best practices to reduce the risk of cyberextortion include the following:
- Back up and encrypt data. Develop strategies to back up and encrypt sensitive data and test recovery procedures regularly.
- Authenticate. Use multifactor authentication.
- Update systems. Make sure all computer systems are updated and patched, including security systems.
- Educate and train. Provide employees with awareness training so they can identify phishing attempts aimed at getting them to click on malicious links, avoid posting sensitive data on social media sites and take other steps to reduce the potential cyberextortion attack surface.
- Have an incident response plan. Also, implement and test contingency and disaster recovery plans to ensure recovery from a cyber attack.
To protect a business, basic cyber hygiene is important, including deploying antimalware tools to identify and prevent malware intrusions, using up-to-date antivirus software for endpoint security, keeping all system software current with the latest patches, hardening internal network defenses and limiting network access to disrupt threat actor activity.
Additional cybersecurity measures to mitigate cyberextortion attacks include implementing risk analysis and risk management programs that identify and address cyber risks, reviewing audit logs regularly for suspicious activity, and remaining vigilant for new and emerging cyber threats and vulnerabilities by participating in information sharing organizations and receiving alerts from the U.S. Computer Emergency Readiness Team.
FinCEN has identified multiple red flag indicators of ransomware related to illicit activity in the financial industry. The organization alerts financial institutions to situations that may help them detect suspicious transactions and prevent incidents.
In addition to the 2017 cyberextortion attacks against Netflix and HBO, there are other notable cases, including the following:
Domino's Pizza was targeted by Rex Mundi, a hacker group that claimed it had stolen the customer records of 650,000 Domino's Pizza customers in Europe. Rex Mundi said it would release the records if Domino's didn't pay a 30,000 euro ransom. Domino's refused to pay. It notified its customers of the breach and suggested they change their passwords. Rex Mundi never followed through on its threat.
RSS feed service provider Feedly was hit with a DDoS attack to prevent users from accessing the service. The attackers demanded money, which the company refused to pay. The company worked with authorities to bring the hackers to justice. Feedly's content network provider restored service in a couple of hours.
A hacktivist group, calling itself The Impact Team, attacked Ashley Madison, a hookup site for people who are married or in relationships. The attackers said they compromised the company's database, which held the personally identifiable information on 37 million users. Rather than asking for money, the group threatened to release the information if the company's owners, Avid Life Media (ALM), didn't take down two of its dating websites as punishment for defrauding its customers. The hackers claimed ALM didn't remove the personal information of some customers even though they had paid extra to have that information expunged. When ALM didn't give in to The Impact Team's demands, the group leaked Ashley Madison customer data.
The WannaCry attack encrypted more than 250,000 systems, using asymmetric encryption. The U.K.'s National Health Service was among the targets and had to take its systems offline. The threat actors demanded payment in bitcoin. It's unclear how many victims paid the ransom.
Threat actors attacked numerous state and local governments using Ryuk ransomware. According to the Center for Internet Security, ransoms ranged from $100,000 to $500,000 worth of bitcoin.
In December 2020 and again in January 2021, hackers accessed dozens of organizations' data by exploiting zero-day vulnerabilities of Palo Alto-based Accellion's file transfer application. Victims included supermarket chain Kroger, blue chip law firm Jones Day, Reserve Bank of New Zealand and Shell Oil. The methods used included Structured Query Language injection and server-side request forgery. The attackers sent emails to victims threatening to make their data publicly available.
Cybersecurity firm FireEye revealed in December 2020 that hackers had made off with its Red Team tools, which could be used to launch sophisticated cyber attacks. U.S. officials believed that Russian intelligence agencies were behind the attack.
The SolarWinds attack was also disclosed in December 2020, revealing that the company's monitoring software had been compromised in the latter half of 2019 and was used to infiltrate and extort government agencies and private sector companies.
The ransomware attack on Colonial Pipeline caused an eight-day shutdown of the 5,500-mile pipeline, which resulted in gas lines and shortages in New York and the Southeast. The Federal Bureau of Investigation (FBI) has identified the attacker as DarkSide, a ransomware-as-a-service group known to use double extortion tactics. Colonial Pipeline is reported to have paid nearly $5 million in bitcoin.
Should cyberextortion victims pay demands?
The obvious benefit to paying a ransom is regaining access to crucial files and systems. While the ransom is costly, the cost to rebuild files or systems can be exponentially more and can take a good bit of time.
The FBI discourages ransom payments to criminals. The intelligence agency contends that doing so will embolden attackers to target other organizations, encourage other criminals and fund criminal activities. Besides, paying the ransom does not guarantee the recovery of a victim's files. Instead, the FBI urges victims to report ransomware threats to local FBI offices or to the FBI's Internet Crime Complaint Center.
In October 2020, the U.S. Treasury's Office of Foreign Assets Control warned that organizations helping victims make ransomware payments may be in violation of the agency's regulations. It identified companies such as financial institutions, cybersecurity insurance firms, and those involved in computer forensics and incident response as possible offenders depending on the tactics they use.
Is cyber liability insurance worth having?
The Cybersecurity and Infrastructure Security Agency has said an active cybersecurity insurance market could help reduce the number of successful cyberextortion incidents. Insurers would encourage customers to implement preventative measures and best practices by basing coverage and premiums on the insured's level of self-protection.
Increasingly, customers are requiring vendors to have cyber insurance coverage as part of their compliance contracts. Insurer Woodruff Sawyer said the number of its public company clients buying cyber coverage increased from 22% in 2016 to 39% in 2019, and it expects this number to grow.
However, the cyber insurance industry is relatively young, and questions remain -- particularly about the willingness of insurers to pay claims and assign blame.