Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay.
The line between blackmail and extortion is blurred in the digital realm. Many digital crimes we normally think of as blackmail are, in fact, extortion — like ransomware. Likewise, some crimes categorized as extortion are actually not. Sextortion comes to mind, wherein an individual is forced to perform acts of a sexual nature under the threat of having compromising material regarding them exposed online.
In short, any attempt by a criminal to coerce a victim into doing something – paying money or performing a favor – falls within the realm of digital extortion. But the big difference between offline and online extortion is the wide variety of assets that can be targeted in the digital domain.
Attackers can:
- Encrypt company secrets
- Steal and threaten to divulge customer or other compromised data
- Lock devices and ask for ransom in exchange for restoring access to the device
- Ask for money in exchange for stopping attacks on sites
- Ask for money in exchange for fixing a hacked process or to not disrupt processes or sabotage production, and so on.
End users, on the other hand, are usually targeted with ransomware or become victims of sextortion. Also, some users who want to keep their (potentially compromising) online personas separate from their real identities have lately been targeted by attackers who threaten to reveal their names publicly if they don’t pay up (e.g., the Ashley Madison breach).
Successful approaches and future attempts
How successful the attackers are in blackmailing targets depends on how much they ask and what leverage they have. Given data breach laws and regulations and the very significant impact hacks can have on a company’s reputation, the recurring cost of the extortionist’s fees may fall within the corporate victim’s loss tolerance for brand protection. In that case, some corporate victims may decide to simply pay.
Machine learning capabilities that can be used to create convincing face-swap videos will likely only add to the problem, for private and public individuals alike. A classic smear campaign is more effective in the digital world than in real life. Digital data lasts longer than real-world news: a successful smear campaign in 2016 may still be showing high in search rankings in 2017 or later. News can also spread faster online, with social media able to transmit news – fake or otherwise – with the click of a button. That is decidedly a factor in these attacks.
We expect ransomware peddlers to focus their attention on industries and companies that yield the most return, such as those in the healthcare and manufacturing sectors. We also expect ransomware to be perfected (quicker encryption of files, speedier infection and spreading, minimized interaction with the victim, dynamic pricing).
Finally, with the increasing use of IoT devices, wearables, and smart cars, digital extortionists can be expected to hijack devices, prevent users from accessing them or render them inoperable if they don’t pay up, steal interesting data stored on them and hold it for ransom, and so on.
Another way cybercriminals could bridge the gap between the digital space and the physical world is by requesting physical favors as payment instead of mere monetary payment. As we have alluded to previously, a generic blackmail attack is likely to fail. However, a person with enough access to a building can be blackmailed to provide temporary untraceable access in exchange for his or her naked pictures not being made public.
It is, in fact, possible that these situations already happen, but as they are unlikely to reach public attention, we don’t know about them.
Be prepared
We advise companies to have potential digital extortion scenarios figured out, so they can react quickly and adequately. DDoS attacks and smear campaigns should be countered by sharing the situation with the press and asking administrators of the sites where the smear campaign is being run to help with prevention. In incident response plans, any new or novel assets should be taken into account. Assets such as blockchain technology accounts, wallets, and the like should be reflected in the plan, as well as what to do when those are compromised or attacked. The same is true for any business process that is susceptible to being attacked. Any system involved should be accounted for and a viable strategy to deal with extortion attacks should be devised ahead of time.
Individuals who are targeted must know that the demands will never end, and should not give in to them.
A solution here is to go to the authorities to report the incident and hopefully trigger an investigation that would lead to the arrest and indictment of the culprit. Conversely, when the victim gives less value to the material the extortionist already has, the data also loses value in the attacker’s eyes, and the attacker will be less likely to use it.
About IntelliTeK Pty Ltd
IntelliTeK is a managed IT services company in Sydney, Australia. With major vendor relationships and accreditations from the world’s leading IT companies including WatchGuard, Microsoft, Trend Micro and Amazon Web Services, IntelliTeK have kept clients happy since 2007.