Cyber Extortion: A Growth Industry

011214_1337_CyberExtort1.jpg

The prevailing wisdom in law enforcement has been that it is a bad idea to negotiate with extortionists. Cave to their demands and all you’re doing is encouraging more extortion. And you don’t even have a guarantee that paying a ransom will produce the return of your loved one unharmed, or your stolen assets.

Better to refuse the demands, find the criminals and punish them in a way that will discourage them and others from doing the same thing. But, in the digital world, where criminals encrypt data and then demand a ransom to provide the key, that prevailing wisdom is getting a forcible adjustment.


The first reality is that, much of the time, cyber extortionists are far beyond the reach of domestic law enforcement. Second, most of them actually make good on unlocking the data once the ransom has been paid, because they want future victims to pay up as well.

In some cases, it is law enforcement itself that is paying the ransoms. The Boston Globe reported recently that the police department in Tewksbury, a Boston suburb, had paid a $500 ransom to criminals who had encrypted data including arrest and incident records.

In short, this is a growth industry. Most thieves have learned that if they keep the ransom relatively low – a few hundred dollars – and get a reputation for providing the encryption key once the ransom has been paid, those few hundred dollars per victim can add up to thousands per month.

Val Saengphaibul, security response manager at Symantec, said his firm knows of one cyber gang that makes, “at least $35,000 a month. Other cyber-gangs have taken note and there are quite a few of them running this scam,” he said, noting that, “payment is not easily traced or stopped, and targeting specific data files that are valuable to people and organizations increases the likelihood of payment.”
 

Indeed, a recent survey by ThreatTrack Security found that 30% of the security professionals who responded said they would negotiate with the extortionists. And that percentage rose to 55% among organizations that have already fallen victim to cyber-extortionists.

Some of that was conditional. When asked if organizations should set aside funds for paying ransoms to recover their data, 45% gave a conditional “yes,” but nearly half of them said it would “depend on the data.” The most important, in their view, were employee Social Security numbers, addresses and salaries.”
Stuart Itkin, ThreatTrack’s senior vice president, said there is obviously no guarantee that criminals will unlock the encrypted data, but that it is in their, “best interest to keep their word so victims succumb and they continue making money by infecting more people.”
He said ransomware developers have even, “created safeguards to ensure their malware doesn’t infect the same victims again after they’ve paid a ransom.”
Jody Westby, CEO of Global Cyber Risk, also said in her experience, cyber extortionists have kept their side of the deal. She said for most of her clients, it comes down to a business decision.
“I have seen IT guys say, ‘No way, we aren't negotiating or paying a dime,’” she said. “But then the CFO or another C-suite executive gets involved, evaluates the amount of money requested, and says it is a no-brainer: They are going to pay and keep the business running. It would cost more to have the system down.”

Of course, not all extortionists are so “honorable”. According to Saengphaibul, “if you look hard enough, you’ll find numerous victims experiences showing hackers not upholding their end of the deal by not unlocking computers after ransom is paid.”
Saengphaibul said Symantec sticks with the more traditional law enforcement philosophy – don’t pay up.
“Paying the ransom just further promotes this illegal activity,” he said. “It’s unlikely that victims will get their files back anyway, so don’t put money in the criminals’ pockets.  If we deny the criminals profit, then there is no point in running the scam. They move on.”
He said if extortion targets have regularly backed up their files, they can’t be victimized in the first place. “When there is no demand on the underground economy for ransomware attack services, hackers will ultimately be out of business,” he said.
But, particularly for businesses, it is not always as simple as having backup files.
“Everyone should have backups,” Westby said. “But that is not the issue. The issue is having the data disclosed. They pay to get it back so it won't be disclosed.”
She said if a company refuses to pay the demanded ransom, extortionists can start making it public. “They can start disclosing data in pieces, or send some of the most damaging to the press, they can sell the data on the black market or to a competitor company,” she said.
“The damage is to reputation, loss of market share, loss of customer and pricing data or other strategic business data that could have a real impact on the bottom line.”
Itkin agrees. “Data breach headlines, lawsuits, eroded customer trust and other collateral damage a breach can cause gives (extortionists) tremendous leverage,” he said.
“All you have to do is look at the fallout from the Sony breach. First, the extortionists succeeded in manipulating Sony’s release of a major motion picture, which had financial consequences for not just Sony, but the theaters that planned to screen it, among others. Second, their data was perfect for wide-spread media appeal – dripping with Hollywood gossip.”
“I have seen IT guys say, ‘No way, we aren't negotiating or paying a dime. But then the CFO or another C-suite executive gets involved, evaluates the amount of money requested, and says it is a no-brainer: They are going to pay and keep the business running.”

That means, while data backups ought to be regular and automatic, they are not enough. Rigorous, end-to-end encryption ought to be mandatory as well, since it can make most stolen data useless to extortionists.
With stolen encrypted data, “criminals don't even know what they have to ask ransom for it,” Westby said, adding that, “cyber extortion insurance also is good, because we are in a new era of cybercrime.”
But beyond backups and encryption, experts including Saengphaibul say that, “security is multilayered and requires an encompassing approach – endpoint security, employee training, system updates, etc.”
Security, he said, should include not just traditional anti-virus, but also, “download protection, browser protection, heuristic technologies, firewall and a community sourced file reputation scoring system.”
And when it comes to negotiation, Itkin said security pros should, “always be aware that cybercriminals’ No. 1 priority is making money, not keeping their word.”
CIO: http://bit.ly/1IDU2Zq

 

« ECHELON Has Been Watching You All Your Life
90% of Android Devices Are DoS Vulnerable »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Chatham House Cyber Conference

Chatham House Cyber Conference

14 June 2023 - Connect with cyber security experts and senior policymakers to explore the role of cyber security in the global economy and how to deliver an open and secure internet.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Galaxkey

Galaxkey

Galaxkey is a data protection product that protects email, documents and any data using access control and an encryption platform.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

ANTIC is responsible for regulating the activities of electronic security and regulation of the Internet in Cameroon.

Verve Industrial Protection

Verve Industrial Protection

Verve specialize in providing software and services to help protect and secure critical industrial control systems.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

ElcomSoft

ElcomSoft

ElcomSoft is a global leader in computer and mobile forensics, IT security and forensic data recovery.

AimBrain

AimBrain

AimBrain tools detect and prevent fraud, faster and more accurately than ever before.

Quantea

Quantea

Our multi-patented solutions - QP Series Network Analytics Accelerator appliance and PureInsight Analytics Software Suite allows you to capture, analyze, store, replay, network traffic data.

AlertEnterprise

AlertEnterprise

AlertEnterprise uniquely eliminates silos and uncovers blended threats across IT Security, Physical Access Controls and Industrial Control Systems.

CyberForum

CyberForum

CyberForum supports businesses from the IT and high-tech industry in all stages of their development: from startup consulting to professional staffing and even location marketing campaigns.

Deepwatch

Deepwatch

deepwatch’s cloud SecOps platform and relentless customer focus are redefining the managed security services industry.

Aversafe

Aversafe

Aversafe provides individuals, employers and certificate issuers around the world with a first line of defense against credential fraud.

ShieldApps

ShieldApps

ShieldApps comprehensive suite of products is designed to protect your personal devices from privacy threats, including hacking attempts, online tracking, fingerprinting, phishing, malware, and more.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

FluidOne

FluidOne

FluidOne are an award-winning Connected Cloud Solutions provider. We design tailored solutions to help customers and partners digitally transform their IT and communications.