What Is Cyber Extortion?

Cyber extortion is a nefarious cybercrime where threat actors exploit security vulnerabilities to breach digital security systems and gain unauthorised access to valuable assets. These assets range from confidential data and intellectual property to financial currency and critical infrastructure systems.

Once in possession of these assets, cybercriminals demand a ransom from their victims. Victims are left in a precarious situation where they must pay to prevent the release, alteration, or destruction of their assets or as a means to regain ownership.

There are two predominant forms of cyber extortion: ransomware and Distributed Denial of Service (DDoS) attacks. Ransomware involves malware that encrypts a victim’s data, rendering it inaccessible until they pay the ransom. On the other hand, DDoS attacks flood a victim’s network, service, or system with internet traffic, causing a shutdown. At that point, attackers demand a ransom to stop the attack.

Cyber extortion inflicts significant financial and reputational damage on its victims, prompting organisations and individuals to employ cybersecurity measures and policies to mitigate this escalating threat. While the definition of cyber extortion can overlap with other forms of cyber-attacks, as indicated above, it’s important to unpack how it works, how it presents itself, and how to prevent it.

Cyber extortion operates in a particular manner that varies based on the tactics, techniques, and procedures employed by the threat actors. However, several general steps typically characterise the process.

1. Infiltration: Cyber extortion begins with the initial compromise of a victim’s network, system, or data, usually achieved through various infiltration methods. Cybercriminals may use phishing techniques to trick victims into installing malicious software or disclosing sensitive information. They may also exploit vulnerabilities in an organisation’s software, hardware, or human factors to gain unauthorised access.
2. Installation and Propagation: Once inside a system, the attackers often install malware, such as ransomware, which encrypts the victim’s data. Some malware is designed to spread throughout the network, infecting as many devices and systems as possible to maximise the impact.
3. Lockdown and Extortion: With control of the victim’s systems or data, the cybercriminals then make their move. In a ransomware attack, victims realise their data has been encrypted, and they can no longer access it. Then they receive a ransom note demanding payment (usually in a cryptocurrency like Bitcoin) for the decryption key. In a DDoS attack, the cybercriminals will flood the victim’s network with overwhelming traffic, rendering it unavailable. Here, the ransom demand is for the cessation of the attack.
4. Payout: If the victims choose to pay the ransom (not generally advised by law enforcement agencies as it fuels the criminal enterprise), the attackers should provide the means to recover the data or restore the systems. However, there’s no guarantee that cybercriminals will keep their end of the bargain.
5. Persistence and Repeat: In many cases, attackers maintain a presence within the victim’s system for potential future attacks or to steal more data to sell or use for other malicious purposes. The attacker’s continued presence further underscores the importance of a thorough incident response and system clean-up after an attack.

Each cyber extortion case is unique in its specifics, but this general outline provides a basic understanding of how schemes are carried out.

Cyber extortion presents itself in various forms with unique methods and implications. Understanding the common types of cyber extortion not only equips individuals and organisations with the necessary knowledge to identify potential threats but also helps devise effective countermeasures.

Ransomware Attacks

In a ransomware attack, cybercriminals infiltrate a network and encrypt the victim’s data, rendering it inaccessible. They subsequently demand a ransom, typically paid in untraceable cryptocurrencies, for the decryption key to unlock the data. High-profile examples include the WannaCry and Petya attacks, which affected thousands of systems worldwide.

Distributed Denial of Service (DDoS) Extortion

This form of cyber extortion involves overwhelming a target’s website or network with a flood of internet traffic, effectively causing a shutdown. Then the attacker demands payment to stop the attack. Some notorious groups involved in DDoS extortion include Fancy Lazarus and DD4BC.

Doxing Extortion

In doxing cases, threat actors obtain sensitive, confidential, or embarrassing information about a victim—such as personal photos, emails, or customer data—and threaten to publicly disclose this information unless a ransom is paid. This form of extortion leverages the potential reputational damage to force victims into complying with the extortionists’ demands.

Data Breach Extortion

Like doxing, data breach extortion involves the unauthorised access and exfiltration of sensitive data, but typically at a larger scale, often involving corporations or large entities. Attackers then threaten to release or sell the stolen data unless a ransom is paid. Such data may include proprietary business information, customer data, or any other sensitive information.

Cyber Sex Extortion (Sextortion)

In cases of “sextortion”, perpetrators trick victims into providing explicit photos or video content, or they might hack the victim’s device to obtain such materials. They then demand money under the threat of sharing explicit content with the victim’s contacts or on the internet.

Software Vulnerability Extortion

Here, cybercriminals identify vulnerabilities in a company’s software and demand a ransom for not exposing the vulnerability. Thus, they extort the victim with potential harm from other malicious actors exploiting the vulnerability.

Each of these forms of cyber extortion has unique tactics and targets, requiring specific prevention and mitigation strategies. But they all share a common aim: to leverage access, control, or information in a way that pressures victims into paying a ransom.

The terms “cyber extortion” and “ransomware” are often used interchangeably due to their connection within the realm of cybersecurity. Yet, it’s crucial to understand that these two interconnected concepts are not interchangeable.

Cyber extortion is an umbrella term encompassing various forms of digital blackmail, where perpetrators demand ransom from the victims to prevent harm or disruption. The harm threatened could be data leakage, system unavailability, exposure to confidential information, etc. Cyber extortion methods include ransomware attacks, DDoS attacks, doxing, and sextortion, among others.

Ransomware is a specific type of malware and a subset of cyber extortion. In a ransomware attack, malicious software is installed on the victim’s system—often through phishing tactics or exploiting system vulnerabilities. This malware encrypts the victim’s data, rendering it inaccessible. The attackers then promise to provide the decryption key in exchange for payment so the victim can regain access to their data.

In essence, ransomware is a tool or technique that cyber criminals use and represents one of the many strategies under the broader cyber extortion umbrella. While all ransomware attacks can be considered a form of cyber extortion, not all cyber extortion incidents involve ransomware.

Each case illustrates the significant financial and operational impact of cyber extortion. However, note that the hidden costs of these incidents are often much higher than the ransoms paid, including the costs of system downtime, incident response, reputation damage, and potential regulatory penalties.

In the face of an attack, cyber extortion victims often grapple with the decision to pay the ransom or not. This choice is complex and fraught with both practical and ethical implications.

The FBI and many cybersecurity experts generally advise against paying the ransom. There are several reasons for this stance. First, payment doesn’t guarantee the restoration of data or systems; there are numerous instances where victims paid the demanded ransom, only for the cyber-attacker to fail to provide the promised decryption keys or to stop the attack. Choosing to make the payment may mark a target as a “willing payer”, making the victim a more attractive target for future attacks. Also, even if the attackers provide a decryption key, there’s no assurance they have completely removed their access to the victim’s system, leaving the potential for future attacks.

On the other hand, for some victims, paying the ransom might seem like the quickest and most cost-effective way to restore operations, particularly when considering the potential costs of extended downtime, data loss, reputational damage, and regulatory penalties. Organisations must weigh these factors, ideally with the advice of cybersecurity professionals and law enforcement agencies.

Is Cyber Insurance Worth It?

Cyber insurance offers a safeguard for organisations vulnerable to aggressive cyber extortion attacks. It aids in mitigating the financial impact of a cyber-attack by offsetting recovery costs, including incident response, data recovery, legal fees, and, in some cases, even ransom payments.

It’s worth noting that while some insurance policies may cover ransom payments, organisations should be aware that regulatory bodies may impose penalties for paying a ransom to certain entities due to sanctions regulations. Additionally, organisations must fully understand their policy coverage, as all policies are not created equal.

Organisations of all sizes must be vigilant in guarding against cyber extortion attacks. Here are several strategies and tools to help safeguard your business:

1. Implement Robust Security Measures: Employ a multilayered security approach. This includes firewall protection for your internet connection, encryption for sensitive business data, multi-factor authentication for accounts, and secure, unique passwords for all users.
2. Regular Backups: Regularly back up all data and system configurations. Keep copies of your backups offline or in the cloud to ensure an attack can’t compromise them on your network. Test your backups regularly and implement a data retention policy to keep your team on track.
3. Patch Management: Keep all software, operating systems, and applications updated with routine patch management. Typically, cybercriminals target known vulnerabilities in software, and timely patching can prevent many of these attacks.
4. Employee Training: Your employees are a crucial line of defence against cyber threats. Regular training to recognise and avoid phishing attempts, suspicious downloads, and unsafe websites can significantly reduce the risk of an attack.
5. Incident Response Plan: Create a comprehensive incident response plan that outlines the actionable steps in the event of a cyber-attack. The response plan should include roles and responsibilities, communication strategies, and recovery measures. A well-structured plan can limit the damage and reduce recovery time and costs.
6. Engage Cybersecurity Professionals: If possible, hire or consult with cybersecurity professionals. They can conduct a thorough threat assessment, recommend appropriate security measures, and help in the event of an incident.
7. Cyber Insurance: As previously discussed, consider cyber insurance as part of your risk management strategy to provide financial protection and access to incident response resources in the event of an attack.

By implementing these strategies, organisations can significantly reduce their risk of being a victim of cyber extortion. The key is to be proactive, prioritise cybersecurity, and react immediately and effectively if an incident does occur. Cyber threats are continually evolving, and so too should your defences.

Proofpoint offers a multi-faceted approach to cybersecurity that addresses the technical and human elements of the threat landscape. With its focus on people-centric security, Proofpoint addresses the human element of cybersecurity, typically the weakest link in an organisation’s security posture.

Proofpoint’s Advanced Threat Protection intercepts and neutralises threats before they can reach users, effectively preventing ransomware and other malware from infiltrating your systems. The solution leverages machine learning and sandboxing techniques to detect and block known and unknown threats.

Furthermore, Proofpoint’s Email Protection and Targeted Attack Protection solutions help guard against phishing and other email-based threats, the most common vectors for ransomware and other forms of cyber extortion. These solutions use advanced analytics to identify and quarantine malicious emails, reducing the chance that users unwittingly activate malicious payloads.

Proofpoint’s Security Awareness Training solutions can play a critical role in educating employees about cyber threats and teaching them to recognise and respond to various attack strategies, including those used in cyber extortion. And in the unfortunate event of a cyber extortion incident, Proofpoint’s Threat Response services provide valuable assistance in managing and mitigating the attack, helping to reduce the recovery time and costs. Assemble a comprehensive cybersecurity solution for your organisation and contact Proofpoint.