In 2020, Travelex—the world's largest currency dealer at the time—was caught in the middle of a public and devastating cyber extortion campaign. Attackers exploited a vulnerability in the Pulse Connect Secure VPN (which had a patch available) to extract data, for which they demanded payment of a $6 million ransom in exchange for its release.
Despite being a large organization, Travelex suffered due to the technological and operational impact of the attack, and ultimately paid their attackers a sum of $2.3 million. This attack led to major financial challenges and loss of credibility for the company, which was ultimately put up for sale in the same year.
Cyber extortion has long been a lucrative business for cyber criminals and threat actors. A multi-million-dollar cybercrime industry, cyber extortion has been gaining traction over the past few years, and 2021 doesn't see it slowing down. While it's frequently discussed, we wanted to take a deep dive into cyber extortion and explore its definition, tactics, popular real-world examples and sure-fire ways to protect your organization from this highly ruinous type of cyber crime.
- Defining cyber extortion
- Types of cyber extortion
- Popular and recent cyber extortion cases
- How to prevent cyber extortion
Defining cyber extortion
"Conventional" cybercriminals typically seek out information, such as financial and personally identifiable information, that they can then sell directly on the black market. When it comes to cyber extortion, the (financial) goal remains the same, but the full picture is a bit different.
While the stolen data in our first scenario has a clear (black) market value, cyber extortion involves information with inherent value to its owner. By threatening to release it publicly, render it unusable or simply destroy it, cyber criminals can get the financial reward they're looking for by demanding a ransom to stop the attack.
Cyber extortion is one of the fastest-growing types of cyber crime: cyber criminals demand payment or other goods and, to compel it, threaten malicious activity against the victim such as data compromise, data theft, release of sensitive data to the public, infecting a device or a network with malware, shutting down systems or executing a denial-of-service attack.
Types of cyber extortion
There are several ways in which malicious actors can carry out cyber extortion against their targets. In order for cyber extortion to be possible, it needs to begin with malicious actors gaining leverage—getting access to the target's system and data. This can be done through several methods.
Cyber criminals can use phishing emails, ad scams, infected websites and the like to cast a wide net and act opportunistically, waiting for someone to take the bait; or they can run targeted attacks, which is the more usual route when going after organizations.
Cyber extortion can arrive as the consequence of several different cyber risks and threats:
Cyber extortion and ransomware
In 2020, ransomware attacks grew by 150%, with the average extortion amount doubling from the year before. Ransomware itself is a type of malware that infects a device or a network and encrypts the files on it or denies the owner access, demanding a ransom in return. Once the ransomware is delivered, usually via email attachments, download links or ads, and the device is infected, the files on it are encrypted and a message states the ransom amount the attackers require before they will provide the decryption key.
What makes ransomware attacks particularly dangerous is that if you don't pay the ransom, you run a high risk of your files being deleted forever. And if you do pay, who can guarantee that the cyber criminals will restore your access? They are criminals, after all. Additionally, cyber criminals have a known tactic of asking for small ransoms and actually handing over the decryption keys; at volume, they can earn huge profits this way. Not to mention that once you're labeled as a victim who will pay, the chances that you'll be attacked again increase.
One of the more recent incidents of this type was the Equinix ransomware attack, perpetrated by the infamous Netwalker ransomware.
Cyber extortion and DDoS attacks
A DDoS attack, or distributed denial-of-service attack, involves attackers employing a large network of systems to flood a target with traffic, rendering the target's website, server, application, network or even entire system unusable. Typically, DDoS attackers rely on botnets: large collections of centrally controlled infected systems, built by finding vulnerable machines and infecting them through phishing, malvertising or other techniques. Attackers can also rent botnets from actors who build them, an increasingly popular option as it simplifies the process.
When DDoS attacks are used to carry out cyber extortion, known as rDDoS (ransom DDoS), malicious actors execute an attack and demand a ransom from their victim to stop it and make the attacked system operational again. Alternatively, attackers can rely on scare tactics alone, threatening their victims with a DDoS attack if they don't pay the ransom, without ever following through.
Cyber blackmail
Blackmail, but in cyberspace. Just as with "regular" blackmail, cyber blackmail involves cyber criminals gaining access to and exfiltrating valuable data, such as the PII (personally identifiable information) of customers or clients, or intellectual property, and threatening to release it to the public unless a ransom is paid.
Cyber blackmail is an especially scary form of cyber extortion as it not only demands a ransom that will inevitably lead to financial losses for the target, but can also cause reputational damage if the data is released. We often see cyber blackmail in the entertainment industry, with attackers gaining access to unreleased works—such as in the case of Game of Thrones, when attackers threatened to release unaired episodes if HBO didn't pay $5.5 million in Bitcoin.
In some cases, cyber criminals won't even have access to the valuable data they're threatening their targets with releasing. They may merely be relying on social engineering and human psychology to scare victims into paying the ransom. Over the past few years, sextortion scams that claim that the victim has been caught watching adult content—and that the evidence will be shared with their employer and family if they don't pay up—have been gaining popularity in the cybercrime space. While usually fake, we can see how someone without a lot of knowledge about these scams can be highly susceptible to them.
Database ransom attacks
While ransomware is the most common form of carrying out cyber extortion, compromising databases and using data from them is an increasingly popular method as well. Attackers can compromise databases such as MongoDB, CouchDB, Hadoop, MySQL, Elasticsearch and others, exfiltrate data from them and ask for money in order to return the data.
They can break into weakly protected databases by exploiting unpatched vulnerabilities or by brute-forcing databases whose default admin passwords were never changed. Once inside and in possession of the data, the attackers create a new table within the database that contains a contact, a payment address and a payment demand.
A more recent campaign, dating back to January 2020 and called PLEASE_READ_ME, targets MySQL database servers. It uses the simple tactic of exploiting weak credentials on internet-facing MySQL servers, and the attackers leave a backdoor on the database to maintain persistence and regain access to the network.
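As an added defender-side example (not part of the original post), the Python check below looks through a snapshot of a database's tables for the note table described above, a new table carrying a contact, a payment address and a demand, and separately lists tables that have been emptied. The snapshot format, the indicator heuristics, the threshold and the sample rows are all constructed assumptions rather than anything from the campaigns discussed.

```python
import re

# Heuristics for the note table attackers create after wiping a database:
# a new table that carries a contact, a payment address and a payment demand.
NOTE_NAME_RE = re.compile(r"read_?me|warning|recover|restore|ransom|please", re.I)
BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DEMAND_RE = re.compile(
    r"\b(?:btc|bitcoin|pay(?:ment)?|ransom|leak(?:ed)?|gdpr|\d+\s*hours?)\b", re.I)

def score_table(name, rows):
    """Return the ransom-note indicators present in one table or collection."""
    reasons = []
    if NOTE_NAME_RE.search(name):
        reasons.append("suspicious table name")
    text = " ".join(str(v) for row in rows for v in row.values())
    if BTC_ADDR_RE.search(text):
        reasons.append("bitcoin address")
    if EMAIL_RE.search(text):
        reasons.append("contact e-mail")
    if DEMAND_RE.search(text):
        reasons.append("payment/leak wording")
    return reasons

def find_ransom_notes(inventory, threshold=3):
    """Map table name -> indicators for tables with at least `threshold` hits.
    `inventory` is {table_name: [row dicts]}, an assumed nightly snapshot format."""
    flagged = {}
    for name, rows in inventory.items():
        reasons = score_table(name, rows)
        if len(reasons) >= threshold:
            flagged[name] = reasons
    return flagged

def wiped_tables(inventory):
    """Tables that are now empty: a wipe-and-note attack empties the real data."""
    return sorted(name for name, rows in inventory.items() if not rows)

# Constructed sample inventory (not real data): a legitimate table, a wiped one
# and a note table. The bitcoin address and e-mail are placeholders.
SAMPLE_INVENTORY = {
    "users": [{"id": 1, "email": "alice@example.com"}],
    "orders": [],
    "WARNING": [{"content": "Your data is backed up. Send 0.015 BTC to "
                            "bc1qexampleplaceholder0000000000000000 within 48 hours "
                            "and email recover@example.com, or we leak it and report "
                            "you to your GDPR authority."}],
}
```

A single indicator (a customer e-mail in a legitimate table) stays below the threshold, so only the table combining several note characteristics is flagged.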
Popular and recent cyber extortion cases
We've mentioned a few cases of cyber extortion such as Travelex, HBO and PLEASE_READ_ME, but there are many more, as cyber extortion is an easy and popular way for attackers to reach their goals. Here are a few other popular cyber extortion cases that have made the headlines recently:
MongoDB ransom attacks
In the summer of 2020, a hacker uploaded ransom notes on over 22,000 exposed MongoDB databases, a number that accounts for almost 47% of all MongoDB databases accessible online. Using an automated script, the attacker scanned for misconfigured MongoDB databases, completely wiping their content and leaving a ransom note demanding a 0.015 Bitcoin payment. With a deadline of only 48 hours, the malicious actor threatened to leak the data and contact the victim's local GDPR authority to report the data leak.
Some experts claimed that the ransom request was actually there to help attackers learn which of the databases actually hold valuable data, as many MongoDB databases out there don't really hold any. And even if the victims did fulfill the ransom demand, not everyone got their data back. We have yet to see the complete fallout of these cyber extortion schemes, but attacks on MongoDB databases have been frequent, observed as early as 2016.
Lazarus Bear Armada
In August 2020, a prolific threat actor initiated a global campaign of DDoS extortion directed towards financial targets. These ranged from regional banks, stock exchanges and currency exchanges to healthcare providers, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors.
The attacks were initiated through DDoS attacks that were followed by an email extortion demand via Bitcoin. The demands stated that there would be follow-up attacks if the extortion payments weren't transmitted to the attacker within a set period of time. In some cases, the attackers merely moved on to the next target if the ransom wasn't paid; in others, the attackers did persist in attacking the targets. The threat actor behind this campaign claimed to be affiliated with other, well-known attack groups such as "Fancy Bear", "Lazarus Group" and "Armada Collective", hence the name of the campaign.
Ashley Madison
In 2015, a group calling themselves "The Impact Team" stole user data from Ashley Madison, a website designed to enable extramarital affairs. The cybercrime group took personal information from the site's user base and threatened to release the data if Ashley Madison wasn't immediately shut down.
A few short weeks later, the group leaked more than 60 gigabytes of stolen data, including user details. The website had a policy of not deleting users' personal information, which included real names, addresses, search history and even credit card transaction records. "The Impact Team" criticized the company's bad ethics, and neither side backed off. This extortion attack on Ashley Madison lives on in memory as one of the most notorious cyber attacks in history, costing the company nearly $30 million in fines and the need for vastly improved security measures.
Nokia
The Nokia cyber extortion case dates all the way back to 2007, when news broke of a blackmail incident that led to Nokia paying millions of euros in extortion payments. The famous phone manufacturer was held hostage by cyber criminals who had stolen an encryption key used in Nokia's Symbian operating system. Under the threat of the key being released to the public if Nokia didn't meet the demands, what followed was something out of a movie.
Nokia actually left millions of euros in a parking lot, hoping the authorities would trace the attackers during the pickup, but to no avail. More than a decade after the attack and the resulting cyber crime investigation, neither motive nor perpetrators have been found.
How to prevent cyber extortion
Now that we have an understanding of the consequences and fallout cyber extortion can bring, let's see how you can protect your organization:
Apply all available security patches
As we've seen in these real-world examples, not applying security patches for known vulnerabilities can lead to attackers exploiting those vulnerabilities and gaining access to your systems and networks. Make sure that your organization has a patch management system in place that will ensure all patches are applied in a timely manner. Ensure that no holes are left for attackers to scan and leverage as a backdoor.
Enforce a strong password policy
Especially in the case of database ransom used for cyber extortion, leaving default administrator usernames and passwords in place is one of the easiest ways to fall victim to cyber criminals. Make sure that all default passwords are changed, and enforce a strong password policy throughout the entire organization that not only requires complex passwords which are not reused across accounts, but also requires that they be changed regularly. Attention in this area can go a long way towards preventing cyber extortion.
Backup all data and systems
In the worst-case scenario of falling victim to cyber extortion through ransomware, having all of your sensitive data and systems backed up can help ensure that you recover more easily and quickly from an attack. Having everything backed up can allow organizations to reduce the amount of downtime needed to recover from an attack, and can save not only money, but reputations as well, especially if the threat is data deletion or compromise.
Maintain a healthy cybersecurity culture
Your people are your most valuable asset, but they can also be your weakest link. That's why it's imperative to create and maintain a strong cybersecurity culture in your organization by training staff to recognize common signs of phishing and online scams, to browse safely and to spot indicators of infection, as well as by telling them how to act and to whom to report when they suspect they are under attack.
All of these considerations are crucial in turning your people, your weakest link, into your strongest defense. Human psychology and susceptibility can't be solved by deploying sophisticated security tools, so investing in an engaging and continuous cybersecurity culture is a necessary part of maintaining resilient cyber hygiene.
Discover risks before they become threats
The fewer risks you carry in your digital infrastructure, the fewer threats the future holds for your organization, and fewer threats reduce your chances of falling victim to cyber extortion. To know what you're protecting, a clear overview of your entire attack surface, sensitive data and exposed services helps you detect inherent risks.
With ASI, you'll be able to detect any risks before cyber criminals do, such as database open ports, self-signed certificates, and exposed staging and dev subdomains that can become real threats. All of this in less than 10 seconds.
Don’t miss the opportunity to see the complete picture of your digital risks by taking advantage of the ASI Free account—a valuable offer that will provide you with visibility over all of your assets.
Regardless of the threat that leads to it, cyber extortion will remain a persistent and growing threat as long as there are valuable data and systems to hold for ransom. The first step in combating any risk is raising awareness of the tactics, types and actors behind it. Ultimately, the best step if your organization finds itself under threat of cyber extortion is to contact the authorities, because cyber crime is exactly that — crime, and the responsible authorities should be there to help guide you through mitigation and recovery. And as we've learned, covering up a scandal leads not only to financial losses, but to reputational ones as well.