What is cyber extortion?
Cyber extortion is a crime involving an attack or threat of an attack coupled with a demand for money or some other response in return for stopping or remediating the attack.
Cyber extortion attacks are about gaining access to an organization's systems and identifying points of weakness or targets of value. The two most common variants of cyber extortion are ransomware and distributed denial of service (DDoS) attacks.
During a ransomware attack, cybercriminals demand payment through malicious activity. They might also use a DDoS attack to steal sensitive corporate information and threaten to make it public.
How does cyber extortion work?
Cyber extortion occurs when the attacker gains access to sensitive data on a victim's computer network or system through methods such as ad scams, phishing emails, infected websites and other techniques. The attacker might not be directly responsible for executing the attack. They have the option to use ransomware as a service or cybercrime as a service, where they hire skilled cyber attackers to perform the task on their behalf.
In a ransomware attack, a blackmailer encrypts the victim's files and offers to decrypt them only after payment is made, usually in the form of cryptocurrencies such as Bitcoin. In a DDoS attack, the cybercriminal typically threatens to carry out an attack if payment isn't made. The threat is suspended once the victim pays the attacker, but if the ransom isn't paid, a DDoS attack is conducted.
Ransomware attacks can be automated through malware distributed in emails, infected websites or ad networks. These attacks tend to spread indiscriminately, creating networks of infected computers. However, they can result in only a small percentage of victims paying the cyber extortionists. More targeted attacks can produce less collateral damage but provide more lucrative targets for the extortion attempt.
Cyber extortion vs. ransomware
While cyber extortion and ransomware are related concepts, they aren't the same.
Cyber extortion is a broader term that refers to the different techniques cybercriminals use to force victims to comply with their demands. It entails threatening or blackmailing individuals, businesses or organizations to obtain money or other valuable assets.
Ransomware is a specific type of cyber extortion that uses malicious software to encrypt a victim's files or lock them out of their systems. After encrypting the victim's files, the attacker demands a ransom in return for releasing the decryption key or regaining access to the infected systems. During a ransomware attack, the victim is frequently given instructions on how to pay the ransom and restore access to their data.
Types of cyber extortion
Today, businesses are being hit by different types of cyber extortion and cyberthreats:
- Cyber blackmail. This occurs when cybercriminals breach a private network, steal valuable data and hold the information hostage. In 2017, hackers shared unreleased episodes of the Netflix series Orange Is the New Black when the streaming company didn't pay the blackmailer. That same year, a cyber extortionist threatened to release unaired episodes of Game of Thrones if HBO didn't pay $5.5 million in Bitcoin.
- Database ransom attacks. These involve hackers who identify and hijack databases that use vulnerable versions of MySQL, Hadoop, MongoDB, ElasticSearch and other computer systems. Attackers can exploit vulnerabilities If patching isn't up to date or default administrative passwords haven't been reset. They sometimes replace the contents of a breached server with a ransom note requesting a payment in Bitcoin to reinstate the data.
- Denial of service or DDoS attacks. These are common cyber extortion methods, affecting access to servers and data. Cybercriminals launch attacks and demand payment to stop them, or they threaten an attack and demand payment to keep the attack from happening.
- Ransomware. Victims of this find their devices infected with malware that prevents them from accessing those devices or the data stored on them. This happens when the user inadvertently downloads the malware by opening infected email attachments, visiting a compromised website or clicking on a pop-up ad. To regain access, the victim must pay the hacker a ransom.
- Doxing. This is the act of intentionally disclosing or publicizing a victim's personal or private information, such as their home address, phone number or bank records, usually to cause harm or distress. If the hacker's demands aren't satisfied, extortionists might make doxing threats against specific people or groups.
- Phone extortion. This entails the attacker threatening during a phone call to harm the victim or their loved ones until a payment is made.
- Website extortion. This technique involves the attacker threatening to deface or take down the victim's website unless a payment is made.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury dedicated to safeguarding financial systems, issued an advisory in October 2020 with the following list of five types of more sophisticated cyber extortion techniques:
- Big game hunting. Hackers target big enterprises that are more likely to pay larger amounts.
- Partnerships. Cybercriminals share resources, such as ransomware exploit kits, among themselves.
- Double extortion. Schemes where the threat actor copies sensitive data from the victim's network before encrypting the files and demanding ransom. The attacker uses the threat of publishing or selling the stolen data if payment isn't made.
- Anonymity-enhanced cryptocurrencies (AECs). A complementary tool to convertible virtual currency, AECs such as Monero and ZCash reduce the transparency of the financial flows involved in an attack.
- Fileless ransomware. Instead of putting the malicious code into a file on a hard disk drive, the ransomware writes it into the computer's memory.
Effects of cyber extortion
Companies victimized by cyber extortion schemes suffer the effects of data breaches and loss of sensitive information. These can include damage to their reputation, lost customers and lost revenue. For example, if customers can't access their preferred websites, they'll likely move on to other companies that offer the same or similar products or services. In addition, hackers will use the threat of making a victim's trade secrets or intellectual property public or selling it to rival companies. That tactic is great motivation for a victim company to pay the ransom.
Cyber extortion attacks continue to prove a threat to businesses of all sizes across the world. Some effects of recent cyber extortion events include the following:
- A ransomware attack on the Colonial Pipeline in May 2021 shut down the pipeline for days, causing fuel shortages and clogging air traffic across much of the U.S. President Joe Biden proclaimed a state of emergency as a result.
- In June 2023, a ransomware attack on the University of Manchester in Manchester, England, compromised the details of more than one million patient records that were part of a medical research project.
Ransomware payments have nearly doubled to $1.5 million in 2023 compared to last year, according to Sophos, a British cybersecurity company. The report also reveals that the firms with stronger financial positions are more inclined to pay the ransom.
In recent attacks, LockBit ransomware caused serious problems for several well-known companies. Among the affected entities is a prominent dental insurance provider that exposed the sensitive information of approximately nine million patients throughout the U.S. Additionally, a water utility in Portugal and the esteemed Royal Mail of the U.K. encountered substantial service disruptions as a result of LockBit attacks.
Customers whose data is made public as the result of a cyber extortion exploit or other type of data breach might be able to recover damages from the company. Under the Graham-Leach-Bliley Act and Health Insurance Portability and Accountability Act, financial and healthcare companies can be held liable for such disclosures, incurring hefty government fines.
Cyber extortionists might also have access to a victim's private information, such as personal photos or videos. Threat actors can demand payment to stop them from sharing that information with contacts in the victim's email or on social media accounts.
Preventing cyber extortion
Cyber extortionists are constantly searching for new vulnerabilities to exploit and new ways to threaten victims. Consequently, companies must be vigilant in their efforts to combat these exploits.
To reduce the risk of becoming a victim of cybercrime, organizations must enforce strong cyber defenses. Some best practices to reduce the risk of cyber extortion include the following:
- Back up and encrypt data. Develop strategies to back up and encrypt sensitive data as well as test recovery procedures regularly.
- Authenticate. Use multifactor authentication.
- Update systems. Make sure all computer systems are updated and patched, including security systems.
- Educate and train. Provide employees with awareness training so they can identify phishing attempts aimed at getting them to click on malicious links, avoid posting sensitive data on social media sites and take other steps to reduce the potential cyber extortion attack surface.
- Have an incident response strategy. Companies should have an incident response strategy as well as test contingency and disaster recovery plans to ensure recovery from a cyber attack.
- Set up strong security measures. To protect a business, basic cyber hygiene is important, including deploying firewalls and antimalware tools to identify and prevent malware intrusions, using up-to-date antivirus software for endpoint security, keeping all system software current with the latest patches, hardening internal network defenses, and limiting network access to disrupt threat actor activity.
- Implement risk analysis and management. Additional cybersecurity measures to mitigate cyber extortion attacks include following risk analysis and risk management programs that identify and address cyber risks, reviewing audit logs regularly for suspicious activity, and remaining vigilant for new and emerging cyber threats and vulnerabilities by participating in information sharing organizations and receiving alerts from the U.S. Computer Emergency Readiness Team.
FinCEN has identified multiple red flag indicators of ransomware related to illicit activity in the financial industry. The organization alerts financial institutions to situations that can help them detect suspicious transactions and prevent incidents.
Cyber extortion cases
In addition to the 2017 cyber extortion attacks against Netflix and HBO, there are other notable cases.
In 2014, Domino's Pizza was targeted by Rex Mundi, a hacker group that claimed it had stolen the records of 650,000 Domino's Pizza customers in Europe. Rex Mundi said it would release the records if Domino's didn't pay a 30,000 euro (roughly $30,000 USD) ransom. Domino's refused to pay. The company notified its customers of the breach and suggested they change their passwords. Rex Mundi never followed through on its threat.
RSS feed service provider Feedly was hit with a DDoS attack to prevent users from accessing the service. The attackers demanded money, which the company refused to pay. The company worked with authorities to bring the hackers to justice. Feedly's content network provider restored service in a couple of hours.
In 2015, a hacktivist group calling itself The Impact Team attacked Ashley Madison, a hookup site for people who are married or in relationships. The attackers said they compromised the company's database, which held the personally identifiable information of 37 million users. Rather than asking for money, the group threatened to release the information if the company's owners, Avid Life Media (ALM), didn't take down two of its dating websites as punishment for defrauding its customers. The hackers claimed ALM didn't remove the personal information of some customers even though they had paid extra to have that information expunged. When ALM didn't give in to The Impact Team's demands, the group leaked Ashley Madison's customer data.
In 2017, the WannaCry attack encrypted more than 250,000 systems using asymmetric encryption. The U.K.'s National Health Service was among the targets and had to take its systems offline. The threat actors demanded payment in Bitcoin. It's unclear how many victims paid the ransom.
In 2019, threat actors attacked numerous state and local governments using Ryuk ransomware. According to the Center for Internet Security, ransoms ranged from $100,000 to $500,000 worth of Bitcoin.
In December 2020 and again in January 2021, hackers accessed dozens of organizations' data by exploiting zero-day vulnerabilities of Palo Alto-based Accellion's file transfer application. Victims included supermarket chain Kroger, blue chip law firm Jones Day, Reserve Bank of New Zealand and Shell Oil. The methods used included Structured Query Language injection and server-side request forgery. The attackers sent emails to victims threatening to make their data publicly available.
Cybersecurity firm FireEye -- now Symphony Technology Group -- revealed in December 2020 that hackers had made off with its Red Team tools, which could be used to launch sophisticated cyber attacks. U.S. officials believed that Russian intelligence agencies were behind the attack.
The SolarWinds attack was also disclosed in December 2020, revealing that the company's monitoring software had been compromised in the latter half of 2019 and was used to infiltrate and extort government agencies and private sector companies.
The ransomware attack in 2021 on Colonial Pipeline caused an eight-day shutdown of the 5,500-mile pipeline, which resulted in gas lines and shortages in New York and the Southeast. The Federal Bureau of Investigation (FBI) identified the attacker as DarkSide, a ransomware-as-a-service group known to use double extortion tactics. Colonial Pipeline is reported to have paid nearly $5 million in Bitcoin.
Since its discovery in 2022, Royal ransomware has been used in high-profile assaults against critical infrastructure, particularly hospitals. With the special partial encryption method used by this ransomware, the threat actor can select the precise portion of a file's data to encrypt, which reduces the encryption percentage for bigger files and aids in avoiding detection. In addition to encrypting material, Royal actors use double extortion strategies. Notable victims of Dev-0569, the group associated with the Royal ransomware, include Silverstone Circuit, the renowned racing circuit in the U.K.; Travis Central Appraisal District; a Texas government entity; and a major U.S. telecom provider that received a $60 million ransom demand.
The largest port in Japan, the Port of Nagoya, was the target of a ransomware attack in 2023 by the LockBit ransomware gang, which led to the port's closure. According to Japanese media, the cybercrime division of the Japanese police assisted at least three domestic companies in resuming operations following the hack. The port has since resumed operations after the ransom was paid to the attackers.
Should cyber extortion victims pay demands?
The obvious benefit to paying a ransom is regaining access to crucial files and systems. While the ransom is expensive, the cost to rebuild files or systems can be exponentially more money and time-consuming.
The FBI discourages ransom payments to criminals. The intelligence agency contends that doing so will embolden attackers to target other organizations, encourage other criminals and fund criminal activities. Paying the ransom also doesn't guarantee recovery of a victim's files. Instead the FBI urges victims to report ransomware threats to local FBI offices or the FBl's Internet Crime Complaint Center.
In October 2020, the U.S. Treasury's Office of Foreign Assets Control warned that organizations helping victims make ransomware payments could be in violation of the agency's regulations. It identified companies such as financial institutions, cybersecurity insurance firms, and those involved in computer forensics and incident response as possible offenders depending on the tactics they use.
Is cyber liability insurance worth having?
The Cybersecurity and Infrastructure Security Agency has said an active cybersecurity insurance market could help reduce the number of successful cyber extortion incidents. Insurers would encourage customers to exercise preventative measures and best practices by basing coverage and premiums on the insured's level of self-protection.
Increasingly, customers are requiring vendors to have cyber insurance policies as part of their compliance contracts. Insurer Woodruff Sawyer said the number of its public company clients buying cyber coverage increased from 22% in 2016 to 39% in 2019, and the number continues to grow.
However, before deciding on cyber liability insurance, an organization should evaluate its risks and consult an insurance expert. In general, due to the rise in cyber attacks and data breaches, having cyber liability insurance can be beneficial, especially for technology-dependent businesses.
Cybercrime and ransomware affect every sector of the economy. Browse this expert guide for insights on effective prevention, detection and recovery strategies that apply to any industry.