The term extortion was coined over 700 years ago—that, in and of itself, speaks to the crime’s staying power. It also appears the internet and today’s digital lifestyle are conducive to extending extortion’s success.
Authors Rick Holland, Mark Tibbs, Simon Tame, and Michael Marriott, researchers at Digital Shadows, in the introduction of their paper Ransomware and Other Cyber Extortion: Preventing and mitigating increasingly targeted attacks (PDF) state that extortion has embraced the brave new digital world and, if the increased frequency of reported cases is any indication, it is a happy combination for the bad guys.
The researchers then look at the different types of cyber extortion. These are crimes that:
- threaten to unleash a Distributed Denial of Service (DDoS) attack;
- release potentially damaging data to the public; and
- use ransomware to hold a victim’s data hostage.
The FindLaw website defines extortion as: “The gaining of property or money by almost any kind of force, threat of violence, property damage, harm to reputation, or unfavorable government action. While usually viewed as a form of theft or larceny, extortion differs from robbery in that the threat in question does not pose an imminent physical danger to the victim.”
Extortion can take place over the telephone, regular mail, text, email, computer, or wireless communication device. Something interesting to note is that if interstate commerce is used in the extortion, it becomes a federal crime; whereas when extortion is committed within the boundaries of a state it is considered a felony.
Three types of cyber extortion
The paper’s authors look at each of the three types of cyber extortion: DDoS-based extortion, compromised data release and extortion, and ransomware.
DDoS attacks, in general, target companies that have business-critical websites, where a denial of service will significantly affect the company’s ability to operate and its revenue streams.
“One particularly well-known actor in this space is DD4BC, a group that was active between July 2014 and January 2016,” write the paper’s authors. “Their three-stage process was typical and is used by most DDoS-based extortion actors.”
The steps include:
- sending an email, in which a sum of money is demanded, to a targeted company or organization;
- demanding the victims pay a ransom, typically in Bitcoins, in order to avert the threat of a sustained DDoS attack; and
- in some instances, such as when targeting hosting providers, the threat actor adds pressure by using the negative publicity associated with service downtime as a threat.
Compromised data release and extortion
The threat of releasing potentially damaging information about a person or organization to the public is not new. However, the ease with which data is being pilfered means there is a treasure trove of data from which digital extortionists can choose.
Holland, Tibbs, Tame, and Marriott mention that a group called Rex Mundi has been successful in obtaining sensitive data and threatening to release it unless its demands are met. One of the group’s more famous cyber extortions was against Domino’s Pizza in Europe in June 2014. ZDNet contributing writer Liam Tung writes that Rex Mundi had access to over half a million customer records, and demanded €30,000 ($40,000 USD) or the personal information would be posted online.
Ransomware is by far the most effective and damaging player of the three. As to why, the paper’s authors state, “Ransomware is an ever-evolving threat that requires more than awareness to address. It requires a combination of technical, process controls, and company-wide engagement—from employees, to executives, to IT security teams.”
Ransomware is any malicious software (malware) that restricts access to the computer system it has infected. Ransomware can prevent access to files, applications, and the operating system. Once the victim’s data and/or computer is under the extortionist’s control, the installed malcode digitally demands payment from the victim in order to regain control of the computer.
One concern not often mentioned is the lack of any guarantee the attacker will eventually release the affected resources.
The paper’s authors highlight the following five types of highly successful ransomware: Locky, Cerber, CryptoWall, SamSam, and CryptXXX. Their success is attributed to the inclusion of new techniques for delivering the malware, for encrypting the victim’s resources, and ensuring anonymity in the payment process.
Targeting specific victims
Like all malware, the difficult part is to get the victim to do something so the malcode can be installed. Attackers dealing with ransomware are now borrowing a page from other malware developers and targeting specific individuals and organizations; this allows the attackers to fine-tune their initial contact with the victim so as to look as official as possible. These are some examples.
- Locky delivers via spam emails purporting to include invoices relevant to the targeted organization.
- SamSam is distributed through public-facing, vulnerable JBoss application servers, and, like spear-phishing, is one of the most targeted approaches to ransomware delivery.
- CryptoWall delivers via highly targeted spear-phishing emails that include the name, job title, and job-relevant information of the recipient.
How to avoid cyber extortion
DDoS and data-release extortion are difficult to mitigate after the attack is underway. The authors suggest, “Advanced knowledge of the typical demands of a threat actor and their capabilities is valuable to organizations that need to make complex decisions if presented with such a scenario.”
The authors point out that resolving ransomware threats is more complex. The best advice offered by Holland, Tibbs, Tame, and Marriott is to understand how ransomware is installed and eliminate those avenues by:
- raising staff awareness of how ransomware attacks occur and introducing technical and procedural controls to prevent infection; and
- developing ransomware planning procedures in the case of infection and ensuring backups are maintained and are separate from the network.
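As an added illustration of the technical controls the authors recommend (this is not code from the paper or from Digital Shadows), the following Python mail-triage check flags the invoice-themed lure described for Locky above: an external sender, an invoice-related subject and a macro-enabled or script attachment, including one nested inside a zip. The internal domain, the keyword list and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumed: the defender's own mail domain
LURE = re.compile(r"\b(invoice|payment|remittance|receipt|overdue)\b", re.I)
# Macro-enabled Office files and scripts are typical downloader carriers;
# zip archives are inspected one level deep for the same file types.
RISKY_EXT = {".docm", ".xlsm", ".js", ".jse", ".vbs", ".wsf", ".scr", ".exe"}

@dataclass
class Mail:
    msg_id: str
    sender: str
    subject: str
    attachments: list = field(default_factory=list)       # file names only
    archive_contents: dict = field(default_factory=dict)  # zip name -> inner names

def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""   # "a.pdf.js" -> ".js"

def triage(mail):
    """Return reasons the message deserves quarantine or review (empty = clean)."""
    reasons = []
    external = not mail.sender.lower().endswith("@" + INTERNAL_DOMAIN)
    lure = bool(LURE.search(mail.subject))
    for att in mail.attachments:
        inner = mail.archive_contents.get(att, []) if _ext(att) == ".zip" else []
        risky = _ext(att) in RISKY_EXT or any(_ext(n) in RISKY_EXT for n in inner)
        if risky and external and lure:
            reasons.append(f"{att}: invoice-themed lure with executable content")
        elif risky:
            reasons.append(f"{att}: executable/macro content")
    return reasons

def flagged(mails):
    """Map msg_id -> reasons for every message that triage() did not clear."""
    return {m.msg_id: triage(m) for m in mails if triage(m)}

# Constructed sample mailbox, not real traffic.
SAMPLE_MAIL = [
    Mail("M1", "billing@vendor-invoices.example.net", "Invoice INV-48213 overdue",
         ["Invoice_48213.docm"]),
    Mail("M2", "alice@example.com", "Q3 invoice for review", ["Q3.xlsx"]),
    Mail("M3", "hr@recruit.example.org", "Your application", ["resume.zip"],
         {"resume.zip": ["resume.pdf.js"]}),
    Mail("M4", "news@vendor.example.net", "Monthly newsletter"),
]
```

Running `flagged(SAMPLE_MAIL)` quarantines M1 (the invoice lure) and M3 (a script hidden in a zip) while leaving the internal spreadsheet and the newsletter alone.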