
How Cybercriminals Extort Businesses and Individuals – part one of a three-part series

Jun 24, 2022

Introduction

This article sheds some light on how cybercriminals extort businesses and executives to make money. It focuses specifically on DDoS extortion and ransomware attacks and discusses some alarming attack trends. In addition to individuals, professionals and Small and Medium Enterprises (SMEs) have become prime targets for cybercriminals because of their relatively weaker cybersecurity posture. Since SMEs account for most companies worldwide, these trends represent a global threat to business.

This blog article is the first of three that address two fundamental techniques cybercriminals use against SMEs: DDoS and ransomware. The information provided by Mr. Wade describes how cybercriminals use these techniques to extort funds from businesses that display vulnerabilities, and how they sell these capabilities to each other as a service. Awareness of these tactics is crucial for SMEs, but offensive and defensive security measures are also needed. DDoS and ransomware are a growing concern for SMEs. One current trend is that attackers gain access to a company’s cyber-insurance policy and demand exactly the amount the policy covers. At that point, it is too late and non-negotiable.

Overall, this article is intended to demonstrate how widespread this issue continues to be and how cybercriminals keep evolving their tactics. To counteract these alarming trends, SMEs and professionals must have a plan of action to genuinely understand and shrink their attack surface.

The following are excerpts from the book “Cybercrime: Protecting Your Business, Your Family and Yourself”:

DDoS Extortion

Distributed denial-of-service (DDoS) attacks have been around since the early days of the internet. They initially began as denial-of-service (DoS) attacks, in which the attacker would use one or a small number of computers to overload their target computer. Once the computer was overloaded, it could not function (if a website was running on the targeted computer, it would stop working).

DDoS is the next step in the evolution of DoS attacks. With DDoS attacks, the attacker uses a significant number (thousands) of computers to launch their attacks and overload their target. The target can be a website, server or network (NCSC, no date). Anything connected to the internet can be a target.

There are extreme cases where the threats become truly menacing. One example is receiving calls threatening to harm a family member (FBI, 2020b). Another is victims receiving violent graphic photos on their phones, with a threat that the same will happen to them or their family if they do not pay (WTVD, 2020). If you receive messages like this, call your local police force.

Almost always, threatening calls or messages are bluffs.

Cybercriminals are using DDoS attacks to extort businesses and individuals, though businesses are primarily the target of these attacks. They threaten their victims with a DDoS attack unless a ransom is paid. As of August 2020, ransoms ranged from $50,000 to $300,000 depending on which cybercriminal group was attacking (Eisler, 2021), but more recently, ransoms are increasing rapidly, especially for business. Bitcoin is the payment method of choice.

Usually, the extortion attempt starts with sending the victim a threatening email with a deadline for paying the ransom. Sometimes, the email warns that if the attack is disclosed publicly, the attack will begin immediately.

Ransomware Attacks

The most effective cyber extortion attack, by far, is ransomware, a type of malware. An excellent way to think about this is to compare ransomware with a viral illness. A virus can use any number of routes to infect the human body and, once inside, it can cause havoc. Likewise, once ransomware gains access to a computer, it too will cause havoc, most likely by encrypting it.

When a computer has been infected with ransomware, typically all of the files on that computer become encrypted. This causes the files to become visibly scrambled, and anyone looking at them will be unable to read them. It’s similar to the green scrolling code in the Matrix movies and will make no sense to anyone looking at it.

The only way for this to be reversed is to gain access to the decryption key, which will decrypt the encrypted files (in other words, it will reverse the encryption). Think of it like this: you come home after work one day, and you find that your house key doesn’t work and that to gain access to your house, you need a new key. That’s what the decryption key is, except that, in this case, your entire home has been put into an indestructible sealed box with absolutely no way of breaking in.

As ransomware continues to bring down computers, companies and individuals are taking steps to minimise the impact of a ransomware attack. No one wants to pay a ransom to get their computers working again. Maintaining backups is always a good idea. This way, victims can reinstall their operating system and restore their data from their backups, thereby not having to pay anyone. As such, improved backup strategies often reduce the need to pay the ransom.

Cybercriminals are getting wise to this defence and changing strategies. One such method is referred to as ‘double extortion’. Before encrypting their targets’ computers, they will steal their victim’s data. This is essentially a data breach. Even if the victim has good backups, they are now faced with extortion demands that their confidential data will be publicly released if they do not pay the ransom.

Cybercriminals are setting up public shaming boards to increase pressure on companies to pay the ransom. They know the boards will cause reputational damage to the company. They sometimes release a portion of the stolen data on the boards for the public to see, promising to give back the data and permanently delete it if they are paid.

Another worrying trend is auction sites on the dark web. If the cybercriminals still do not get their ransom after all of their attacks, they will likely auction the company’s data to the highest bidder. A competitor or someone with malicious intent could then buy the data.

