Extortion is the practice of obtaining something, especially money, through force or threats. Although historically seen as a real-world crime committed by gangsters and thugs, extortion has recently taken on new popularity online, especially since cybercriminals have discovered the potential rewards of a successful attack on a large company. Threat actors have gotten wise to the devastating consequences businesses face if their most sensitive or valuable data is stolen or if the uptime of their online services is impacted.

A brief history

The first threat actors to weaponize extortion online targeted the individual, whether by way of spam campaigns threatening the recipients’ safety, ransomware to lock victims’ screens and display a message purporting to be from law enforcement demanding payment of a fine[1], or takeover of accounts containing sensitive information and requests for compensation to prevent the release of data. These methods have become more advanced over time. For example, extortion spam campaigns have taken on the form of “sextortion”[2] and ransomware has evolved to encrypt whole systems and demand an anonymous cryptocurrency payment for the decryption key. Over the past several years, however, threat actors have begun to realise that extorting businesses—with a bigger attack surface, more humans to socially engineer, a wealth of sensitive data, a reliance on online services and more funds to extort—offers the potential for much more lucrative rewards.

Businesses in the crosshairs

Threat actors have tried a range of tactics to extort organisations with varying degrees of success, such as:

  • Distributed Denial of Service (DDoS) – Threat actors use multiple, connected online devices, collectively known as a botnet, to overwhelm a target website with fake traffic. Criminals have learned that businesses in certain industries—particularly financial institutions and retailers that rely heavily on their websites for online banking and e-commerce, respectively—incur very negative effects from downtime on their public-facing, online services. This tactic tends to see a spike in use during times of fear and anxiety, such as during the COVID-19 pandemic[3], to add pressure on companies already under strain.
  • Smear Campaigns – Criminals have taken advantage of the fact that many businesses are increasingly reliant on maintaining a positive image on social media and review sites. This has encouraged criminals to extort companies by threatening to carry out online smear campaigns and posting negative reviews on popular sites, such as Google and Yelp, if a ransom is not paid[4].
  • Hack-and-Leak Operations – While there are many examples of threat actors hacking targets and leaking data to influence political thought, criminals have also used this tactic for financial gain. “The Dark Overlord” (TDO) became the most prolific and well-known threat group in this field between 2016 and 2019—up until the arrest[5] of alleged members, which appeared to put a stop to their activities.
  • Ransomware – Ransomware evolved from encrypting individual systems to whole networks, making it ideal for extorting businesses. Use of this tactic was accelerated in 2017 when the WannaCry ransomware spread across the globe, becoming the first strain to be ‘wormable’—it propagated through the ‘EternalBlue’ exploit. This was a watershed moment for ransomware, putting it firmly in the public eye, as it affected many large organisations, caused widespread damage and required a global response.

The deadly duo: Ransomware with hack and leak

By late 2019, threat actors had devised a business model combining ransomware capable of infecting a company’s networks with data theft and a method of publicly shaming non-compliant victims, thereby drastically increasing their chance of successful extortion. This model turns what was already a potentially long and expensive recovery from a ransomware attack into a data breach, obliging victim companies to meet legal and breach-notification requirements and to face potential lawsuits and brand reputation damage. The frontrunners in this new business model were the actors behind the “Maze” ransomware[6]. They were the first to utilize a “name-and-shame” website to publish the names of victims who had refused to comply with ransom demands. They use this site to upload sample files of victim data as proof of the hack, and if the victims refuse to pay, they eventually upload all of the stolen data to the site for anyone to download.

These developments caused both new strains of ransomware to be created and pre-existing strains to copy the new tactics. Though the Sodinokibi (a.k.a. REvil) ransomware first appeared in April 2019, it was not until Maze caught the headlines that Sodinokibi included data theft and extortion in its tactics, techniques and procedures (TTPs)[7], launching its own name-and-shame site, “Happy Blog.” The actors behind Sodinokibi have shown imagination when extorting their victims. Not only were they the first to realize that analyzing the stolen data and threatening to release the most sensitive or damaging information would increase pressure on the victim, but they were also among the first to threaten to inform stock exchanges, for example NASDAQ, of any breach, thereby using the prospect of immediate financial damage to increase the chances of successful extortion.

Like Sodinokibi, DoppelPaymer first appeared in 2019, but only after Maze had received attention did the actors behind the DoppelPaymer ransomware launch their own name-and-shame site called “Dopple Leaks,”[8] which they have publicized on Twitter. In addition to copying some of the TTPs of both Maze and Sodinokibi, DoppelPaymer uses a standout extortion tactic of naming a victim’s customers, thereby implicating them in the leak to risk further embarrassment and potential loss of business.

The Clop, Nemty, Nefilim, Ragnar Locker and Sekhmet ransomware strains have all followed this path of using a mixture of the extortion tactics discussed above[9]. Nefilim called its site “Corporate Leaks” to put emphasis on the fact it targets businesses. The actors behind Clop posted a short story on their site, "CL0P^_- LEAKS," asking readers to use their imagination in setting out a nightmare ransomware infection scenario for a large business owner. Some very high-profile organisations, including Travelex[10], Energias de Portugal (EDP)[11], Los Angeles County City[12] and Chubb Insurance[13], have fallen victim to the aforementioned ransomware strains with some huge ransoms demanded.

The worst is yet to come

iDefense assesses that the current extortion trend of using ransomware with hack-and-leak operations should be one of the highest cyber concerns to organizations, especially larger corporations. The advice coming from the cybersecurity and law enforcement worlds has always been clear: Do not give in to an extortionist’s demands. Although this advice is not likely to change, the trend has forced people to realize there is a debate to be had: a business faced with a straight choice—either deal with the lengthy and expensive process of recovering data and systems, as well as losses and reputational damage, or pay a ransom to potentially avoid such pain—may choose to go against industry advice. These lines were further blurred when many cyber insurance companies began to advise paying the ransom.

The University of Maastricht, which incurred a Clop ransomware infection in December 2019[14], articulated this dilemma well. When the actors behind the attack demanded 30 Bitcoin (US$217,000 as of December 30, 2019), the university decided to pay the ransom and, in an unusual step, released a statement to the public on February 5, 2020, explaining its reasoning behind the payment. Ultimately, the university decided it was in the interest of its students and staff to pay the ransom so that staff could distribute exams and the school could pay salaries.

iDefense assesses that as long as malicious actors are able to put companies in this kind of difficult position, this trend will continue. Paying ransoms funds criminal operations and adds to their capabilities. iDefense analysts have observed Dark Web recruitment campaigns from the threat actors behind Sodinokibi that have offered lucrative returns so long as applicants can prove they are technically proficient. These threat actors can only afford to pay such sums and attract the brightest minds thanks to the success of their extortion attempts. iDefense predicts that threat actors will likely continue to develop more advanced strains of ransomware, target a wider range of infrastructure and industry and concentrate on stealing ever-more sensitive data, resulting in higher extortion demands. The COVID-19 outbreak is likely to exacerbate the situation as many companies are forced to increase their work-from-home capabilities, thereby increasing attack surfaces. Furthermore, threat actors will take note of the increasing levels of fear and economic uncertainty to target vulnerable organisations.

Mitigation

To protect against extortion attempts, iDefense recommends:

  • Taking steps to mitigate the types of attacks that lead to extortion attempts, including:
    • Protecting against DDoS attacks by: using traffic-pattern analysis for threat detection and alerting; employing filtering through IP reputation lists; blacklisting; whitelisting; rate limiting; and purchasing DDoS mitigation tools, where appropriate.
    • Managing online exposure and considering the use of brand reputation management if a given company is highly susceptible to online smear campaigns.
    • Protecting against ransomware attacks by keeping operating systems, software and anti-virus products up to date; disabling unnecessary RDP connections; training staff to protect themselves against phishing attacks; and maintaining regular backups of system data.
  • Ensuring heightened awareness against extortion attempts at appropriate times—especially peak business periods and times of fear, panic and uncertainty.
  • Assessing the legitimacy of threat actors carrying out these attacks and their demands. iDefense’s Reconnaissance team tracks a variety of threat actors and their TTPs across many different Dark Web and open-source platforms; this tracking can assist in determining whether an actor’s claims are credible.
  • Planning for the worst-case scenario and considering potential extortion scenarios, putting in place business continuity and disaster recovery plans, ensuring you have incident response capabilities readily available, having a clear media strategy and running regular exercises with all relevant stakeholders.

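The DDoS bullet above combines three controls: reputation-based filtering, allow/deny lists and rate limiting driven by traffic-pattern analysis. The following is an added example (not iDefense or Accenture code) that runs those checks over constructed access-log lines; the IP addresses, lists and the 5-requests-per-10-seconds threshold are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one request per line: "<client-ip> <ISO-8601 time> <path>".
SAMPLE_EVENTS = (
    [("203.0.113.7", f"2020-04-01T10:00:0{i}", "/login") for i in range(6)]  # 6 hits in 6 s
    + [("198.51.100.9", "2020-04-01T10:00:06", "/")]                           # known-bad source
    + [("192.0.2.50", "2020-04-01T10:00:08", "/health")] * 7                  # monitoring probe
    + [("203.0.113.20", f"2020-04-01T10:00:{s}", "/")                          # normal browsing
       for s in (10, 25, 40)]
)
SAMPLE_LOG = "\n".join(" ".join(e) for e in SAMPLE_EVENTS)

# Hypothetical lists; a real deployment would load these from a reputation feed.
DENYLIST = {"198.51.100.9"}
ALLOWLIST = {"192.0.2.50"}


def analyse_traffic(log_text, denylist, allowlist, limit=5, window_s=10):
    """Return (verdicts, alerts). verdicts maps ip -> 'allowlisted',
    'reputation-block', 'rate-limited' or 'ok'; alerts holds one message per
    IP for the first time it exceeds `limit` requests in any `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # ip -> request timestamps still inside the window
    verdicts, alerts = {}, []
    for line in log_text.splitlines():
        ip, ts, _path = line.split()
        if ip in allowlist:          # trusted source: never rate-limited
            verdicts[ip] = "allowlisted"
            continue
        if ip in denylist:           # reputation filtering happens before any counting
            verdicts[ip] = "reputation-block"
            continue
        if verdicts.get(ip) == "rate-limited":
            continue                 # already flagged; keep only the first alert
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:     # evict requests that fell out of the sliding window
            q.popleft()
        if len(q) > limit:
            verdicts[ip] = "rate-limited"
            alerts.append(f"{ts} {ip} exceeded {limit} requests in {window_s}s")
        else:
            verdicts[ip] = "ok"
    return verdicts, alerts


if __name__ == "__main__":
    for msg in analyse_traffic(SAMPLE_LOG, DENYLIST, ALLOWLIST)[1]:
        print(msg)   # 2020-04-01T10:00:05 203.0.113.7 exceeded 5 requests in 10s
```

The verdicts are what a filtering layer would act on, while the alerts feed the detection-and-alerting side of the same control; the sliding window means an IP is judged on its burst rate, not its total request count.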
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved.

___

[1] https://www.fbi.gov/news/stories/new-internet-scam/new-internet-scam
[2] https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/kidnap-and-extortion/sextortion-webcam-blackmail
[3] https://www.zdnet.com/article/ransomware-and-ddos-attacks-cybercrooks-are-stepping-up-their-activities-in-the-midst-of-coronavirus/
[4] https://www.cheapair.com/blog/an-open-letter-to-our-customers/
[5] https://www.justice.gov/opa/pr/member-dark-overlord-hacking-group-extradited-united-kingdom-face-charges-st-louis
[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
[7] https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
[8] https://www.tripwire.com/state-of-security/security-data-protection/doppelpaymer-ransomware-launches-site-for-publishing-victims-data/
[9] https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
[10] https://www.cnbc.com/2020/01/07/travelex-currency-exchange-suffers-ransomware-attack.html
[11] https://www.scmagazine.com/home/security-news/ransomware/ragnar-lockers-well-conceived-ransomware-attack-on-energias-de-portugal/
[12] https://threatpost.com/la-county-hit-with-doppelpaymer-ransomware-attack/155024/
[13] https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/
[14] https://uk.reuters.com/article/us-cybercrime-netherlands-university/university-of-maastricht-says-it-paid-hackers-200000-euro-ransom-idUKKBN1ZZ2HH

Paul Mansfield

Cyber Threat Intelligence Analyst
