Table of Contents
Cyber extortion is a nefarious cybercrime where threat actors exploit security vulnerabilities to breach digital security systems and gain unauthorised access to valuable assets. These assets range from confidential data and intellectual property to financial currency and critical infrastructure systems.
Once in possession of these assets, cybercriminals demand a ransom from their victims. Victims are left in a precarious situation where they must pay to prevent the release, alteration, or destruction of their assets or as a means to regain ownership.
There are two predominant forms of cyber extortion: ransomware and Distributed Denial of Service (DDoS) attacks. Ransomware involves malware that encrypts a victim’s data, rendering it inaccessible until they pay the ransom. On the other hand, DDoS attacks flood a victim’s network, service, or system with internet traffic, causing a shutdown. At that point, attackers demand a ransom to stop the attack.
Cyber extortion inflicts significant financial and reputational damage on its victims, prompting organisations and individuals to employ cybersecurity measures and policies to mitigate this escalating threat. While the definition of cyber extortion can overlap with other forms of cyber-attacks, as indicated above, it’s important to unpack how it works, how it presents itself, and how to prevent it.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
How Cyber Extortion Works
Cyber extortion operates in a particular manner that varies based on the tactics, techniques, and procedures employed by the threat actors. However, several general steps typically characterise the process.
- Infiltration: Cyber extortion begins with the initial compromise of a victim’s network, system, or data, usually achieved through various infiltration methods. Cybercriminals may use phishing techniques to trick victims into installing malicious software or disclosing sensitive information. They may also exploit vulnerabilities in an organisation’s software, hardware, or human factors to gain unauthorised access.
- Installation and Propagation: Once inside a system, the attackers often install malware, such as ransomware, which encrypts the victim’s data. Some malware is designed to spread throughout the network, infecting as many devices and systems as possible to maximise the impact.
- Lockdown and Extortion: With control of the victim’s systems or data, the cybercriminals then make their move. In a ransomware attack, victims realise their data has been encrypted, and they can no longer access it. Then they receive a ransom note demanding payment (usually in a cryptocurrency like Bitcoin) for the decryption key. In a DDoS attack, the cybercriminals will flood the victim’s network with overwhelming traffic, rendering it unavailable. Here, the ransom demand is for the cessation of the attack.
- Payout: If the victims choose to pay the ransom (not generally advised by law enforcement agencies as it fuels the criminal enterprise), the attackers should provide the means to recover the data or restore the systems. However, there’s no guarantee that cybercriminals will keep their end of the bargain.
- Persistence and Repeat: In many cases, attackers maintain a presence within the victim’s system for potential future attacks or to steal more data to sell or use for other malicious purposes. The attacker’s continued presence further underscores the importance of a thorough incident response and system clean-up after an attack.
Each cyber extortion case is unique in its specifics, but this general outline provides a basic understanding of how schemes are carried out.
Types of Cyber Extortion
Cyber extortion presents itself in various forms with unique methods and implications. Understanding the common types of cyber extortion not only equips individuals and organisations with the necessary knowledge to identify potential threats but also helps devise effective countermeasures.
Ransomware Attacks
In a ransomware attack, cybercriminals infiltrate a network and encrypt the victim’s data, rendering it inaccessible. They subsequently demand a ransom, typically paid in untraceable cryptocurrencies, for the decryption key to unlock the data. High-profile examples include the WannaCry and Petya attacks, which affected thousands of systems worldwide.
Distributed Denial of Service (DDoS) Extortion
This form of cyber extortion involves overwhelming a target’s website or network with a flood of internet traffic, effectively causing a shutdown. Then the attacker demands payment to stop the attack. Some notorious groups involved in DDoS extortion include Fancy Lazarus and DD4BC.
Doxing Extortion
In doxing cases, threat actors obtain sensitive, confidential, or embarrassing information about a victim—such as personal photos, emails, or customer data—and threaten to publicly disclose this information unless a ransom is paid. This form of extortion leverages the potential reputational damage to force victims into complying with the extortionists’ demands.
Data Breach Extortion
Like doxing, data breach extortion involves the unauthorised access and exfiltration of sensitive data, but typically at a larger scale, often involving corporations or large entities. Attackers then threaten to release or sell the stolen data unless a ransom is paid. Such data may include proprietary business information, customer data, or any other sensitive information.
Cyber Sex Extortion (Sextortion)
In cases of “sextortion”, perpetrators trick victims into providing explicit photos or video content, or they might hack the victim’s device to obtain such materials. They then demand money under the threat of sharing explicit content with the victim’s contacts or on the internet.
Software Vulnerability Extortion
Here, cybercriminals identify vulnerabilities in a company’s software and demand a ransom for not exposing the vulnerability. Thus, they extort the victim with potential harm from other malicious actors exploiting the vulnerability.
Each of these forms of cyber extortion has unique tactics and targets, requiring specific prevention and mitigation strategies. But they all share a common aim: to leverage access, control, or information in a way that pressures victims into paying a ransom.
Cyber Extortion vs. Ransomware: Key Differences
The terms “cyber extortion” and “ransomware” are often used interchangeably due to their connection within the realm of cybersecurity. Yet, it’s crucial to understand that these two interconnected concepts are not interchangeable.
Cyber extortion is an umbrella term encompassing various forms of digital blackmail, where perpetrators demand ransom from the victims to prevent harm or disruption. The harm threatened could be data leakage, system unavailability, exposure to confidential information, etc. Cyber extortion methods include ransomware attacks, DDoS attacks, doxing, and sextortion, among others.
Ransomware is a specific type of malware and a subset of cyber extortion. In a ransomware attack, malicious software is installed on the victim’s system—often through phishing tactics or exploiting system vulnerabilities. This malware encrypts the victim’s data, rendering it inaccessible. The attackers then promise to provide the decryption key in exchange for payment so the victim can regain access to their data.
In essence, ransomware is a tool or technique that cyber criminals use and represents one of the many strategies under the broader cyber extortion umbrella. While all ransomware attacks can be considered a form of cyber extortion, not all cyber extortion incidents involve ransomware.
Real-World Examples of Cyber Extortion
Cyber extortion comes in many forms, and countless real-world cases have manifested over the years. Some of the most iconic cases include:
- Colonial Pipeline Attack (2021): DarkSide, a cybercrime group, perpetrated a ransomware attack on the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S. The attack led to the shutdown of the pipeline, sparking widespread fuel shortages and price hikes. This ransomware attack yielded nearly $5 million in ransom paid by Colonial Pipeline to regain control over their systems.
- Garmin Ransomware Attack (2020): In July 2020, Garmin, a multinational technology company, suffered a ransomware attack that left many of its connected services offline for several days. Reports suggest the company may have paid a multimillion-dollar ransom to resolve the issue, although Garmin has not officially confirmed the payment.
- Travelex Ransomware Attack (2020): The foreign exchange company Travelex fell victim to a ransomware attack on New Year’s Eve 2019, which left its services offline for weeks. The attackers demanded $6 million in ransom. Travelex reportedly paid $2.3 million in Bitcoin to regain access to its computer systems.
- Atlanta Ransomware Attack (2018): In March 2018, Atlanta endured a ransomware attack that crippled several critical systems, affecting various city services. The attackers demanded a $51,000 ransom, which the city reportedly did not pay. However, the recovery and mitigation costs following the attack were estimated to be over $2.6 million.
- Sony Pictures Hack (2014): A group calling themselves the “Guardians of Peace” gained access to Sony’s network and stole a vast amount of sensitive data, including unreleased films, emails, and data. They threatened to release this information unless Sony pulled the release of a controversial film called “The Interview”, in which the assassination of North Korea’s leader is depicted. While there was no explicit demand for money, the Sony cyber attack resulted in an estimated $15 million just in the immediate clean-up, not to mention the damage to Sony’s reputation.
Each case illustrates the significant financial and operational impact of cyber extortion. However, note that the hidden costs of these incidents are often much higher than the ransoms paid, including the costs of system downtime, incident response, reputation damage, and potential regulatory penalties.
Paying Demands: To Pay or Not to Pay
In the face of an attack, cyber extortion victims often grapple with the decision to pay the ransom or not. This choice is complex and fraught with both practical and ethical implications.
The FBI and many cybersecurity experts generally advise against paying the ransom. There are several reasons for this stance. First, payment doesn’t guarantee the restoration of data or systems; there are numerous instances where victims paid the demanded ransom, only for the cyber-attacker to fail to provide the promised decryption keys or to stop the attack. Choosing to make the payment may mark a target as a “willing payer”, making the victim a more attractive target for future attacks. Also, even if the attackers provide a decryption key, there’s no assurance they have completely removed their access to the victim’s system, leaving the potential for future attacks.
On the other hand, for some victims, paying the ransom might seem like the quickest and most cost-effective way to restore operations, particularly when considering the potential costs of extended downtime, data loss, reputational damage, and regulatory penalties. Organisations must weigh these factors, ideally with the advice of cybersecurity professionals and law enforcement agencies.
Is Cyber Insurance Worth It?
Cyber insurance offers a safeguard for organisations vulnerable to aggressive cyber extortion attacks. It aids in mitigating the financial impact of a cyber-attack by offsetting recovery costs, including incident response, data recovery, legal fees, and, in some cases, even ransom payments.
It’s worth noting that while some insurance policies may cover ransom payments, organisations should be aware that regulatory bodies may impose penalties for paying a ransom to certain entities due to sanctions regulations. Additionally, organisations must fully understand their policy coverage, as all policies are not created equal.
How to Protect Your Business Against Cyber Extortion
Organisations of all sizes must be vigilant in guarding against cyber extortion attacks. Here are several strategies and tools to help safeguard your business:
- Implement Robust Security Measures: Employ a multilayered security approach. This includes firewall protection for your internet connection, encryption for sensitive business data, multi-factor authentication for accounts, and secure, unique passwords for all users.
- Regular Backups: Regularly back up all data and system configurations. Keep copies of your backups offline or in the cloud to ensure an attack can’t compromise them on your network. Test your backups regularly and implement a data retention policy to keep your team on track.
- Patch Management: Keep all software, operating systems, and applications updated with routine patch management. Typically, cybercriminals target known vulnerabilities in software, and timely patching can prevent many of these attacks.
- Employee Training: Your employees are a crucial line of defence against cyber threats. Regular training to recognise and avoid phishing attempts, suspicious downloads, and unsafe websites can significantly reduce the risk of an attack.
- Incident Response Plan: Create a comprehensive incident response plan that outlines the actionable steps in the event of a cyber-attack. The response plan should include roles and responsibilities, communication strategies, and recovery measures. A well-structured plan can limit the damage and reduce recovery time and costs.
- Engage Cybersecurity Professionals: If possible, hire or consult with cybersecurity professionals. They can conduct a thorough threat assessment, recommend appropriate security measures, and help in the event of an incident.
- Cyber Insurance: As previously discussed, consider cyber insurance as part of your risk management strategy to provide financial protection and access to incident response resources in the event of an attack.
By implementing these strategies, organisations can significantly reduce their risk of being a victim of cyber extortion. The key is to be proactive, prioritise cybersecurity, and react immediately and effectively if an incident does occur. Cyber threats are continually evolving, and so too should your defences.
How Proofpoint Can Help
Proofpoint offers a multi-faceted approach to cybersecurity that addresses the technical and human elements of the threat landscape. With its focus on people-centric security, Proofpoint addresses the human element of cybersecurity, typically the weakest link in an organisation’s security posture.
Proofpoint’s Advanced Threat Protection intercepts and neutralises threats before they can reach users, effectively preventing ransomware and other malware from infiltrating your systems. The solution leverages machine learning and sandboxing techniques to detect and block known and unknown threats.
Furthermore, Proofpoint’s Email Protection and Targeted Attack Protection solutions help guard against phishing and other email-based threats, the most common vectors for ransomware and other forms of cyber extortion. These solutions use advanced analytics to identify and quarantine malicious emails, reducing the chance that users unwittingly activate malicious payloads.
Proofpoint’s Security Awareness Training solutions can play a critical role in educating employees about cyber threats and teaching them to recognise and respond to various attack strategies, including those used in cyber extortion. And in the unfortunate event of a cyber extortion incident, Proofpoint’s Threat Response services provide valuable assistance in managing and mitigating the attack, helping to reduce the recovery time and costs. Assemble a comprehensive cybersecurity solution for your organisation and contact Proofpoint.