Organisations that suffer security incidents are sometimes said to be victims of “cyber extortion”, but it’s often unclear what exactly that phrase means.
Most of us understand what cyber attacks and online scams are, and many people are familiar with ransomware, which is a type of cyber attack in which people are blackmailed into handing over money. But how does this differ from extortion?
Put simply, cyber extortion is an umbrella term for a variety of cyber crimes. It can be used whenever criminal hackers force victims to do something after compromising their systems.
Ransomware is a type of cyber extortion, but there are in fact many techniques that crooks can use.
Why is cyber extortion so popular?
According to one report, 71% of organisations have been victim of cyber extortion, making it one of the most popular weapons in fraudsters’ arsenal.
It is also a surprisingly new technique. Until recently, criminal hackers had only a couple of ways of making money from their criminal ventures.
The simplest technique was to sell the information on the dark web to other cyber criminals. With individuals’ details on sale for as little as £10, this is a consistent but inefficient way of profiting from criminal activity.
The alternative was to use the stolen information directly for fraudulent purposes. For example, if a criminal hacker stole payment card data, they could make bogus payments on victims’ cards for goods or services.
If the attacker didn’t capture these details, they could use people’s names and contact details to send scam emails. These would be designed to steal login access to personal accounts, which they could use for fraudulent purposes. Alternatively, they could sell access to the account to other criminals on the dark web.
These are all reliable ways to make money from cyber crime, but they are also time-consuming and often rely on a supply chain of other fraudsters.
Then came the rise in ransomware. The malicious software encrypts victims’ systems and forces them to pay money in return for the safe return of the data.
With this technique, cyber criminals could receive payment directly for compromising systems rather than having to sell or use the stolen information. Enough organisations have been willing to negotiate with criminal hackers that extortion has become the main option for many criminal hacking groups.
Examples of cyber extortion
The most common type of cyber extortion is ransomware – to the extent that the terms are often used interchangeably.
Ransomware is a type of cyber attack in which criminal hackers plant malicious code on the victim’s systems, which cripples services and encrypts files. The attackers then demand a payment – typically paid in bitcoin – for a decryption key.
Organisations that fall victim to ransomware are often reluctant to state specifically that they were infected by the malware. This has given rise to the popularity of the term ‘cyber extortion’.
The term is probably preferred by victims because of the connotations associated with malware infection, which implies (correctly or not) that the victim had weak security protocols.
By contrast, the term ‘cyber extortion’ places the blame purely on the criminal hacker, with the victim portrayed as a victim of blackmail.
Meanwhile, there are other types of cyber extortion that don’t involve ransomware. Indeed, the concept of blackmailing organisations has become so popular that cyber criminals often employ it with traditional cyber attacks.
It’s particularly common when the intrusion relates to sensitive personal information. In one instance, the Finnish healthcare provider Vastaamo was hacked, with the extorters demanding 40 bitcoins (about £400,000 at the time) or else it would release the health data of 40,000 patients.
The information included patients’ full names, home addresses, social security numbers and therapists’ and doctors’ notes from each session.
Despite this, Vestaamo refused to negotiate, and the hackers then blackmailed the patients individually, although it’s unclear how many people, if any, paid up.
Another example of cyber extortion is ‘sextortion’ scams, in which criminal hackers target individuals, claiming to have footage of the victim watching or performing (often inappropriate) sexual acts. They then demand money not to release the evidence.
Although victims usually know that they have done nothing wrong, the scam works for the same reason that traditional phishing attacks do – people often panic under pressure. Victims of sextortion scams often assume that something could be taken out of context or the scammer could fabricate evidence.
The most notable example of sextortion targeted Jeff Bezos, the owner of Amazon and the Washington Post. It was allegedly perpetrated not by a cyber criminal gang but rival publication the National Enquirer.
In 2019, the Washington Post launched an investigation into the National Enquirer’s parent company after it published detailed about Bezos’ affair with Lauren Sanchez. Bezos later received a message threatening to release nude photographs of him unless he stated that the investigation revealed no evidence that the National Enquirer’s reporting was not politically motivated.
Bezos refused to comply with the request and posted the threat online. The nude photographs never materialised, indicating that, like many sextortion scams, it was an empty threat and the blackmailer had no compromising material.
Who is most vulnerable to cyber extortion?
Cyber extortion affects organisations of all sizes and across all sectors. There is only one thing that crooks consider when looking for a victim: how likely it is that they will pay up.
One factor that influences that is the cash reserves that an organisation has at its disposal. Large organisations have a higher revenue and will see a standard extortion sum – typically in the region of £30,000 – as a less significant loss than a small organisation with a lower revenue.
Although smaller organisations are often targeted (because criminals work by exploiting weaknesses wherever they can be found rather than seeking out specific targets), crooks always prefer those who can pay up promptly.
However, revenue isn’t the only factor that influences the likelihood of an organisation agreeing to a cyber criminal’s demands. With some types of cyber extortion, such as ransomware, the attack cripples the victim’s systems and severely affects their ability to operate.
In some cases, there will be growing pressure to get systems back online to prevent catastrophe. It’s why healthcare facilities are among the most frequently targeted by ransomware.
Criminal hackers know that ongoing disruption could cost lives, so many healthcare firms feel compelled to pay up. For the same reason, the education sector and public services are often targeted.
If schools close, children will miss classes and fall behind – plus, if the school shutters, students will be forced to stay at home and will need someone to look after them.
Meanwhile, disruptions to public services could affect the welfare of citizens, causing a backlash. Given that council members are publicly elected, decision makers will want to avoid disruption that could be held against them, and might be tempted to pay up and hope that their actions aren’t revealed.
How can cyber extortion be prevented?
The unfortunate reality is that it’s impossible to prevent cyber extortion attempts. In an increasingly digital world, organisations face too many vulnerabilities to remove them all, so there will always be the threat of cyber crime.
It’s why the figures for data breaches continue to soar each year, with IT Governance identifying more than 1,200 publicly disclosed incidents in 2021.
There are, of course, measures you can implement to reduce the risk of falling victim. A robust information security management system is an essential start, while an assortment of technical defences – such as threat detection and data encryption – should be complemented with staff awareness training to help employees avoid costly mistakes.
Meanwhile, there are steps you can take to protect you in the event that you are extorted. First, you should ask yourself whether there is a legitimate basis for the blackmail attempt. If the attacker claims to have footage or other compromising data, are you sure that this even exists?
Likewise, if you fall victim to ransomware, you should check whether your systems are in fact encrypted. With some attacks, it’s possible to decrypt your files without paying the criminals for a decryption key.
In other cases, the attacker uses a wiper, which deletes the files rather than encrypting them. Paying the ransom therefore won’t help, as the information is already gone.
When it comes to traditional ransomware, your best defence is to prepare for the inevitability of an attack. That means creating offline backups of your sensitive data and ensuring that they are updated regularly. The more important the information, and the more frequently it is used, the more often it should be backed up.
When backing up data, you must understand the difference between offline backup and what is often thought of when referring to backups, which are simply the automatic overwriting of saved files.
Although overwriting prevents progress being lost in the event that a system crashes, it won’t help with ransomware attacks, because anything stored on an Internet-connected device can be encrypted.
Offline backups involve a second set of sensitive information that is disconnected from the files on an individual computer or server. Doing so ensures that, even after your systems have been encrypted, you have safe versions of the data that you can use.
You are not forced to pay off the attackers in the hope that they will stick to their word. Instead, you can wipe your infected systems and rebuild them in a safe environment.
Another essential defence mechanism in the fight against cyber extortion is staff awareness training. Ransomware often makes its way onto organisations’ systems via phishing emails, with employees being tricked into downloading a malicious attachment.
By educating your staff on the threat of these attacks, you can greatly reduce the likelihood of falling victim.
And with GRC eLearning’s Ransomware Staff Awareness E-learning Course, you will learn everything you need to stay safe.
This 45-minute training course educates your team on the threat of ransomware and the steps they must take to protect their organisation.
It includes a section dedicated to the threat of phishing and the way cyber criminals use scam emails to infect organisation. With this online course, you can be confident that your employees can spot a phishing email, respond appropriately and keep your organisation protected.