The Growing Threat of Digital Extortion – And How to Avoid It
Extortion has been around for a long time. Think of extortion and you may think of local mobsters extracting payments from shopkeepers for 'protection', or a criminal blackmailing a victim for money in exchange for sensitive images.
These days, however, there is a new threat: digital extortion (also known as cyber extortion). It can affect anyone, anywhere, from large corporations to individuals, and it is only likely to become a more serious problem over coming years.
So what exactly is digital extortion, how can you protect yourself from becoming a victim, and what can you do if you or your organisation are affected?
Chapter 1: Types of Digital Extortion
There are many types of digital extortion. Some of them are typically targeted at companies, whereas others may be more commonly targeted at individuals.
DDoS Attacks
Distributed denial of service (DDoS) attacks are one of the most common forms of digital extortion, and they are a growing threat, as highlighted in this BBC article.
BT, a telecommunications provider in the UK, found in a June 2014 survey that 41% of organisations around the world had been affected by a DDoS attack in the previous year.
A DDoS attack involves numerous computer systems (often a botnet of compromised machines) flooding one target, usually a business or organisation, with so much traffic that its website or online service can no longer serve legitimate users. A ransom is then demanded in return for stopping the attack, or, in the common 'pay or be attacked' variant, a short demonstration attack is followed by a threat of a longer one.
For businesses that rely on their online presence the effects can be disastrous. If the website goes down and customers cannot make orders, the business can end up losing significant amounts of money.
Many organisations do not report these types of attacks. Often they fear that it could affect their reputation or that customers will assume their own security systems were to blame. Some companies simply pay the money because the amounts involved are less than they would lose if they remained offline for a long period of time.
Data Held to Ransom
Holding company data to ransom is another common form of digital extortion. It gained a lot of publicity when Sony Pictures Entertainment was hacked in November 2014 by the group 'Guardians of Peace', who demanded that the release of the film 'The Interview' be cancelled. When it was not, the hackers released a huge amount of confidential information that caused great damage to Sony.
A similar problem also affected Domino's Pizza in June 2014 when hackers threatened to release details of 600,000 customers unless they received a ransom.
The consequences of the release of such data can be disastrous for organisations because it could lead to legal action and large fines as well as loss of business. A similar situation involves corporate secrets being accessed and held to ransom, which can also be hugely damaging for companies.
Threat of Causing Disruption
Sometimes criminals simply threaten to cause disruption to organisations by hacking into their systems and threatening to delete important files. If the files are essential and have not been backed up, such a situation can be devastating for the affected organisation.
Ransomware
Ransomware can affect individuals as well as organisations. It involves malicious software infecting a computer system, either encrypting the victim's files or locking the system outright. A ransom is then demanded in return for the decryption key or unlock code, and paying it does not guarantee that the criminals will actually hand it over.
One famous example of ransomware is CryptoLocker, which was first seen in September 2013. This spread via email attachments and earned millions of dollars before being taken down. Another one was WinLock, which appeared in 2010. This restricted access to computers and asked for a premium rate text message in return for a code to unlock it, earning millions of dollars for the criminals.
Sextortion
Sextortion is a crime that tends to affect individuals, and often men. Police warned men about it in 2014, as reported in The Guardian. Victims are lured into online video chats with someone posing as a woman and may end up exposing themselves on camera. Afterwards, the criminal demands payment and threatens to send the recording to the victim's family, friends or employer.
Another type of sextortion involves a criminal infecting a computer with a virus and then stealing sensitive photos or videos, or even using the victim's webcam to film them. The criminal may then demand more images or money from the victims.
Chapter 2: How to Reduce the Risks
Digital extortion is something that can affect anyone. However, there are steps that you or your organisation can take to reduce the risks.
Improve Your Security
The most important step is to ensure you have suitable security in place. For a personal computer this means up-to-date antivirus software and keeping the operating system and applications patched, since much ransomware arrives through known vulnerabilities and malicious email attachments. For an organisation, you will need enterprise-level security in place, and you may want to hire a security consultant to check your systems and make any necessary improvements.
Always make backups, and keep copies both on-site and off-site. At least one copy should be offline or otherwise not writable from your normal network: ransomware and intruders who reach a mapped backup drive or network share will encrypt or delete it along with everything else. Test that you can actually restore from the backups, and check that restored files are intact. That way, if a hacker gets into your system and threatens to delete or encrypt important data, the worst that can happen is that it takes some time to get everything back in place.
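One way to apply the advice above in practice is to record a hash manifest of each backup and store that manifest separately from the backup itself, then check the backup against the manifest before relying on it. The following is an added example (not code from the original article); the directory names and file contents are made up, and the scenario at the end constructs a backup that ransomware has reached so that the verification step has something to catch.

```python
"""Backup with an integrity manifest, plus a restore-time check that
notices when the backup copy has been altered (for example encrypted by
ransomware that reached a network-attached backup share).

Added example; the directory layout and file names below are invented."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(src, dest):
    """Copy src to dest and return the manifest of what was written.

    The manifest is the piece to keep off-site and offline (or at least
    somewhere the production network cannot write to); it is small, and it
    is what lets you tell a good backup from a tampered one later."""
    shutil.copytree(src, dest)
    return build_manifest(dest)


def verify_backup(dest, manifest):
    """Compare a backup directory with its stored manifest.

    Returns a sorted list of (problem, relative_path) tuples; an empty list
    means every file is present, unchanged, and nothing was added."""
    current = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Constructed scenario: back up two files, verify, then simulate
    ransomware overwriting one backup file and dropping a ransom note.
    Returns (result_before_tampering, result_after_tampering)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "data")
    dest = os.path.join(work, "backup")
    os.makedirs(src)
    with open(os.path.join(src, "orders.csv"), "w") as f:
        f.write("id,customer,total\n1,acme,120.00\n")   # constructed data
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly planning\n")                  # constructed data

    manifest = make_backup(src, dest)
    # In real use the manifest would now be written somewhere offline:
    manifest_copy = json.loads(json.dumps(manifest))
    clean = verify_backup(dest, manifest_copy)

    # Simulated ransomware reaching the backup share: one file is
    # overwritten with random bytes, and a ransom note appears.
    with open(os.path.join(dest, "orders.csv"), "wb") as f:
        f.write(os.urandom(64))
    with open(os.path.join(dest, "README_DECRYPT.txt"), "w") as f:
        f.write("pay to recover your files\n")
    tampered = verify_backup(dest, manifest_copy)

    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The point of the manifest is that it lives somewhere the attacker cannot reach: a backup that sits on the same network as the systems it protects can be silently encrypted, and without an independent record you only discover that on the day you need the restore.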
Prepare an Action Plan
If you have an action plan in place, you will know what to do when the worst comes to the worst. The risk of digital extortion is very real, so don't wait until the situation happens, and always plan in advance. Educate your staff on the threats, especially the risks posed by email attachments and phishing emails, and make sure they know what to do if a situation arises.
Some business insurance providers will now provide cover for cyber attacks and extortion. This may be worth considering if you are particularly worried about having to pay large ransoms or the costs for hiring technical experts, so find out whether there is a suitable policy for your business.
Be Aware of the Risks
Simply being aware of the risks and taking sensible precautions can be an effective prevention strategy. In the case of sextortion, be very careful about getting involved in any online video chats with people you don't know.
Change Security Information for Ex-Employees
When employees leave your organisation, disable their accounts on the day they leave and revoke any access they held: VPN and remote access, email, cloud services, SSH keys and building or system tokens. Change any shared passwords they knew, since a departed employee who can still log in poses a security risk and is a common source of data theft and extortion attempts.
Chapter 3: What to Do If You Receive a Threat
If you do find yourself the victim of digital extortion, you have to decide whether or not you will pay the ransom. It is thought that many organisations simply pay when the amount demanded is smaller than what they would lose by not paying. Bear in mind that paying does not guarantee the attack will stop or that encrypted files will be recovered, and that a victim known to pay may be targeted again. If you have insurance in place that covers ransom demands, this may also affect your decision.
It may be a good idea to decide in advance if there is any scenario in which you would agree to pay a ransom. That way when a situation arises, you will be better placed to make a quick decision.
Whether or not you decide to pay, report the situation to the authorities. If the criminals are located overseas, as is often the case, it may be difficult for the authorities to prosecute. However, you should still report the situation so that they are aware of it and can link it to other cases.
You should also preserve evidence: keep the original emails (including full message headers, not just the visible text), any chat logs, payment instructions and screenshots, and note the dates and times of each contact. If the criminals are communicating with you via a website, a service like WhoIsHostingThis.com can show where it is hosted and may give clues as to who is behind the threat, although extortionists usually hide behind anonymising services or compromised servers, so treat such clues as leads rather than proof.
Digital Extortion Is Here to Stay
Digital extortion is a serious problem, and unfortunately it is here to stay. Criminals have very little to lose in making their threats anonymously from far-flung places, and they are rarely caught. The best that you can do is to be aware of the risks and take all the relevant precautions to reduce the chance of becoming a victim.
Infosec Institute provides a detailed section on digital extortion.
Security Intelligence also has detailed information on the topic.
Microsoft provides some good information on ransomware and what to do if your computer is affected.