Extortion entrepreneurs: How cybercriminals are bullying businesses
May 8, 2020
Extortion is the practice of obtaining something, especially money, through force or threats. Although historically seen as a real-world crime committed by gangsters and thugs, extortion has recently taken on new popularity online, especially since cybercriminals have discovered the potential rewards of a successful attack on a large company. Threat actors have gotten wise to the devastating consequences businesses face if their most sensitive or valuable data is stolen or if the uptime of their online services is impacted.
The first threat actors to weaponize extortion online targeted the individual, whether by way of spam campaigns threatening the recipients’ safety, ransomware to lock victims’ screens and display a message purporting to be from law enforcement demanding payment of a fine[1], or takeover of accounts containing sensitive information and requests for compensation to prevent the release of data. These methods have become more advanced over time. For example, extortion spam campaigns have taken on the form of “sextortion”[2] and ransomware has evolved to encrypt whole systems and demand an anonymous cryptocurrency payment for the decryption key. Over the past several years, however, threat actors have begun to realise that extorting businesses, which have a bigger attack surface, more humans to socially engineer, a wealth of sensitive data, a reliance on online services and more funds to extort, offers the potential for much more lucrative rewards.
Threat actors have tried a range of tactics to extort organisations with varying degrees of success, such as:
By late 2019, threat actors had devised a business model combining ransomware capable of infecting a company’s networks with data theft and a method of publicly shaming non-compliant victims, thereby drastically increasing their chance of successful extortion. This model turns what was already a potentially long and expensive recovery from a ransomware attack into a data breach, forcing victim companies to meet legal and breach-notification requirements and to face potential lawsuits and brand reputation damage. The frontrunners in this new business model were the actors behind the “Maze” ransomware[6]. They were the first to utilize a “name-and-shame” website to publish the names of victims who had refused to comply with ransom demands. They use this site to upload sample files of victim data as proof of the hack, and if the victims refuse to pay, they eventually upload all of their data to the site for anyone to download.
These developments caused both new strains of ransomware to be created and pre-existing strains to copy the new tactics. Though the Sodinokibi (a.k.a. REvil) ransomware first appeared in April 2019, it was not until Maze caught the headlines that Sodinokibi included data theft and extortion in its tactics, techniques and procedures (TTPs)[7], launching their own name-and-shame site, “Happy Blog.” The actors behind Sodinokibi have shown imagination when extorting their victims. Not only were they the first to realize that analyzing the stolen data and threatening to release the most sensitive or damaging information would increase pressure on the related victims, but they were also among the first to threaten to inform stock exchanges, for example NASDAQ, of any breach, thereby using the prospect of immediate financial damage to increase the chances of successful extortion.
Like Sodinokibi, DoppelPaymer first appeared in 2019, but only after Maze had received attention did the actors behind the DoppelPaymer ransomware launch their own name-and-shame site called “Dopple Leaks,”[8] which they have publicized on Twitter. In addition to copying some of the TTPs of both Maze and Sodinokibi, DoppelPaymer uses a standout extortion tactic of naming a victim’s customers, thereby implicating them in the leak to risk further embarrassment and potential loss of business.
The Clop, Nemty, Nefilim, Ragnar Locker and Sekhmet ransomware strains have all followed this path of using a mixture of the extortion tactics discussed above[9]. Nefilim called its site “Corporate Leaks” to put emphasis on the fact it targets businesses. The actors behind Clop posted a short story on their site, "CL0P^_- LEAKS," asking readers to use their imagination in setting out a nightmare ransomware infection scenario for a large business owner. Some very high-profile organisations, including Travelex[10], Energias de Portugal (EDP)[11], Los Angeles County City[12] and Chubb Insurance[13], have fallen victim to the aforementioned ransomware strains with some huge ransoms demanded.
iDefense assesses that the current extortion trend of using ransomware with hack-and-leak operations should be one of the highest cyber concerns to organizations, especially larger corporations. The advice coming from the cybersecurity and law enforcement worlds has always been clear: Do not give in to an extortionist’s demands. Although this advice is not likely to change, the trend has forced people to realize there is a debate to be had. A business faced with a straight choice between the lengthy and expensive process of recovering data and systems, together with the associated losses and reputational damage, and paying a ransom to potentially avoid such pain may choose to go against industry advice. These lines were further blurred when many cyber insurance companies began to advise paying the ransom.
The University of Maastricht, which incurred a Clop ransomware infection in December 2019[14], articulated this dilemma well. When the actors behind the attack demanded 30 Bitcoin (US$217,000 as of December 30, 2019), the university decided to pay the ransom and, in an unusual step, released a statement to the public on February 5, 2020, explaining its reasoning behind the payment. Ultimately, the university decided it was in the interest of its students and staff to pay the ransom so that staff could distribute exams and the school could pay salaries.
iDefense assesses that as long as malicious actors are able to put companies in this kind of difficult position, this trend will continue. Paying ransom fees funds and adds to the capabilities of criminal operations. iDefense analysts have observed Dark Web recruitment campaigns from the threat actors behind Sodinokibi that have offered lucrative returns so long as applicants can prove they are technically proficient. These threat actors can only afford to pay such sums and attract the brightest minds thanks to the success of their extortion attempts. iDefense predicts that threat actors will likely continue to develop more advanced strains of ransomware, target a wider range of infrastructure and industry and concentrate on stealing ever-more sensitive data, resulting in higher extortion demands. The COVID-19 outbreak is likely to exacerbate the situation as many companies are forced to increase their work-from-home capabilities, thereby increasing attack surfaces. Furthermore, threat actors will take note of the increasing levels of fear and economic uncertainty to target vulnerable organisations.
To protect against extortion attempts, iDefense recommends:
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved.
___
[1] https://www.fbi.gov/news/stories/new-internet-scam/new-internet-scam
[2] https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/kidnap-and-extortion/sextortion-webcam-blackmail
[3] https://www.zdnet.com/article/ransomware-and-ddos-attacks-cybercrooks-are-stepping-up-their-activities-in-the-midst-of-coronavirus/
[4] https://www.cheapair.com/blog/an-open-letter-to-our-customers/
[5] https://www.justice.gov/opa/pr/member-dark-overlord-hacking-group-extradited-united-kingdom-face-charges-st-louis
[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
[7] https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
[8] https://www.tripwire.com/state-of-security/security-data-protection/doppelpaymer-ransomware-launches-site-for-publishing-victims-data/
[9] https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
[10] https://www.cnbc.com/2020/01/07/travelex-currency-exchange-suffers-ransomware-attack.html
[11] https://www.scmagazine.com/home/security-news/ransomware/ragnar-lockers-well-conceived-ransomware-attack-on-energias-de-portugal/
[12] https://threatpost.com/la-county-hit-with-doppelpaymer-ransomware-attack/155024/
[13] https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/
[14] https://uk.reuters.com/article/us-cybercrime-netherlands-university/university-of-maastricht-says-it-paid-hackers-200000-euro-ransom-idUKKBN1ZZ2HH