Cyber Extortion: More Than Just Ransomware

Extortion has been defined as “forcing someone into giving you something through threats.” Most commonly the extortioner wants money, but the demand could be for anything deemed to have value: a decision made in his or her favor, or the removal of some inconvenient circumstance in his or her own life. To exact the desired object, the threat may consist of denying access or services to a person or business, or of withholding something important in some other way. It may also be a threat to do something harmful (deploy malware, commit violent acts, cause humiliation) if the ransom is not paid.

“I have always believed that writing advertisements is the second most profitable form of writing. The first, of course, is ransom notes…” – Philip Dusenberry

The item of value withheld in exchange for ransom might be data, customers, transportation, communications, equipment, or employees. Terrorist groups use the threat of harm to people in exchange for a ransom. In the cyber domain, extortion can also put people in physical danger, for example through interference that causes medical devices to malfunction or stop working. Other examples are the corruption of data that alters the amount of medicine given to a patient, the malfunction of climate control or air filtration systems, and the contamination of water or food. Malfunctioning traffic signals could cause injury or death from vehicular collisions.

Fortunately, while harmful, such attacks have not been used successfully by cyber extortionists. Less harmful, but certainly disruptive, would be the prevention of access to water, energy, or other critical infrastructure lifelines, or limiting access to or otherwise manipulating physical facilities. Interference with the normal operation of doors, elevators, or locks in smart buildings could disrupt businesses and operations throughout the Commercial Facilities Sector, affecting tenants of a commercial office building, families in a multi-family housing unit, and guests of a hotel or convention center, among a variety of other interests.

The most common form of extortion reported today is the loss of access to data, which disrupts operations. This is achieved in a number of ways. In some cases, data is overwritten so that it is unrecoverable (if the ransom is not paid). In other cases, the data is encoded (encrypted, compressed, or otherwise obfuscated) so that the rightful owner cannot read or use it without obtaining the encryption key or passphrase from the extortioner. If the ransom is paid, the key is (sometimes) provided. The malware used to encrypt the data is called ransomware.

Less sophisticated strategies include full-screen windows or dialog boxes that cannot be closed unless a ransom is paid. Similarly, screen-locking techniques prevent access to data while the attacker attempts to collect payment. In many cases these less sophisticated methods are coupled with the impersonation of government officials or law enforcement agencies. Attackers may threaten arrest and incarceration if a “fine” is not paid. Of course, the government does not collect fines in this way. In these cases, the data has not been affected and is completely recoverable. Additional methods of extortion involve the threat of Distributed Denial of Service (DDoS) attacks against a business website. Earlier this year, Apple received ransom demands that threatened to release account information of all Apple ID holders if Apple did not pay the extortioners.
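The two paragraphs above distinguish three outcomes for a victim's data: overwritten and unrecoverable, encoded so it cannot be read without the attacker's key, or untouched behind a screen locker. A responder's first question is which of these actually happened, and a quick triage is to look at the bytes of affected files. The script below is an added example written for this post, not Gate 15 code or any named tool; its entropy thresholds, the small header tables, and the four sample files are constructed assumptions for illustration. It also handles the caveat hidden in "encrypted, compressed, or otherwise obfuscated": a legitimately compressed file (zip-based Office documents, PNG, gzip) is also high-entropy, so an intact compressed-format header is treated as evidence against encryption.

```python
"""Triage helper: does a file look intact, overwritten, or encrypted?

Added example for this post (not Gate 15 code). Thresholds, header tables
and sample files are constructed assumptions for illustration.
"""
import hashlib
import math
from collections import Counter

# Formats that are high-entropy when intact because they are compressed.
# A surviving header of this kind argues against ransomware encryption,
# which normally destroys the original header. (Assumed, illustrative list.)
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, high: float = 7.5) -> str:
    """Map a file's bytes onto the outcomes the post describes.

    'overwritten' : empty or every byte identical (e.g. zero-filled wipe)
    'compressed'  : high entropy, but a known compressed-format header survived
    'encrypted'   : high entropy and no recognizable header
    'intact'      : normal entropy, likely still readable (the screen-locker
                    case, where the data was never touched)
    The 7.5 bits/byte threshold is an assumption, not a published constant.
    """
    if not data or len(set(data)) == 1:
        return "overwritten"
    if shannon_entropy(data) >= high:
        if any(data.startswith(magic) for magic in COMPRESSED_MAGIC):
            return "compressed"
        return "encrypted"
    return "intact"


def pseudorandom_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample files, one per outcome.
SAMPLES = {
    "memo.txt": b"Quarterly budget memo: totals attached, see appendix.\n" * 60,
    "wiped.db": b"\x00" * 4096,                          # overwritten with zeros
    "report.docx": b"PK\x03\x04" + pseudorandom_bytes(4092),  # legit zip container
    "memo.txt.locked": pseudorandom_bytes(4096),        # headerless ciphertext
}


def triage(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:18s} entropy={shannon_entropy(SAMPLES[name]):.2f}  {verdict}")
```

Run against a real incident directory, the same loop would read each file's first few kilobytes instead of `SAMPLES`; a tree full of `intact` verdicts with a locked screen points to the recoverable case the post describes, while `encrypted` verdicts with no surviving headers mean recovery depends on backups or the key.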

Nation states engage in extortion. A series of DDoS attacks on financial institutions in 2012-2014 was accompanied by demands that a video be removed from YouTube. However, the timing of the attacks correlated more closely with talks and meetings of the IAEA with Iran regarding nuclear proliferation. The attacks have since been attributed to Iranian actors attempting to influence the negotiations.

More commonly than nation states, extortion appears to be funding organized crime of varying levels of sophistication. The most sophisticated organizations have developed a robust business-like model that includes customer service for victims to contact. Researchers have reported interacting with the actors involved and requesting a demonstration that the actors can return the data to a usable state before paying a ransom. Researchers have also reported negotiating the ransom down to a lower amount. The most sophisticated actors have not only built a robust model for themselves, but have productized it to provide Ransomware-as-a-Service (RaaS) to other groups with fewer resources or less sophistication.

Gate 15 provides clients with weekly cyber products tailored to the client’s interests. Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics.

This blog post was written by Kristi Horton, Gate 15’s Senior Risk Analyst for Cyber Intelligence and Analysis. Kristi provides expert threat and risk analysis for internal activities and client needs, where she is able to lend her expertise to support client preparedness requirements and specialized technical areas such as forensics investigations and legal support.

For Additional Ransomware Resources: