As the cybersecurity risk landscape continues to mature, new and unprecedented strategies continue to come to light. Cyber extortion is the latest threat to experience a marked rise in the proliferation and sophistication of attacks.
What Is Cyber Extortion?
Cyber extortion encompasses a broad collection of cybercriminal schemes that threaten harm to victims who do not meet hackers' demands. For example, ransomware is a type of cyber extortion wherein a hacker threatens to leave your personal data unusably encrypted if you do not pay for a key to unlock your files.
However, cyber extortion fees can go further than file encryption, and they can make more difficult demands than simply sending money to an anonymous Bitcoin account. Importantly, cyber extortion uses the threat of harm to achieve the attacker's ends, regardless of whether the harm in question is credible, feasible, or even possible.
Understanding cybersecurity threats requires judging the capability and intent of potential attackers. Cyber extortion, in its current form, muddies these distinctions.
For instance, cybercrime is its own global industry, with Cybersecurity Ventures predicting total cybercrime damages reach $6 trillion by 2021. But cyber extortion schemes can feature intents beyond the financial – such as personal revenge or politics.
It was a combination of these motives that shut down Rutgers University in a complex cyber extortion scheme in 2016. The perpetrator of the attack ran a cybersecurity firm, and would sell victims a unique, mysterious threat mitigation service – like a fireman being paid to put out a fire he started.
How Can You Protect Yourself Against Cyber Extortion?
While cyber extortion poses a great threat, it is not always a credible one. For extortion to work, it is not always necessary that the attacker actually gain illicit access to a victim's computer system.
The victim only needs to believe that the hacker has gained access to their computer system and is capable of doing damage. This is a key weakness to the cyber extortion strategy that reputable cybersecurity experts know how to handle.
Cybersecurity best practices apply to cyber extortion cases. If your organization uses high-quality managed network infrastructure and your employees follow a comprehensive cybersecurity policy, it is unlikely that a bad actor will be able to extort your company. Protecting yourself with a comprehensive security solution like Datto SIRIS allows you to call the extortionists' bluff.
The first step to handling a cyber extortion situation is to gauge the credibility of the threat. In most ransomware cases, the threat is credible because the attacker has already encrypted your files. In the Rutger's University case, the threat was credible because the attacker had already perpetrated DDoS attacks against the institution’s servers.
But if anonymous attackers fail to demonstrate that they have truly gained control of the victim's system, there is a good chance that the threat is not a credible one. Also, if the actual threat seems improbably difficult to carry out, there is a chance that the attacker is bluffing.
With some cyber extortion schemes, attackers simply send out the same message to a huge number of potential victims, hoping that someone will panic and pay up immediately.
Large-Scale Cyber Extortion Becoming Commonplace
Serious, large-scale cyber extortion cases do not fail to make headlines, such as the case of the City of Atlanta. In this case, the attackers crippled a large number of the city's critical systems, particularly targeting its judicial and law enforcement institutions.
Then, the attackers asked for $51,000 in Bitcoin within a short period of time. After that period elapsed, the attackers broadened the attack and deleted critical data. Atlanta is still recovering from the attack.
However, choosing not to pay the ransom was the right choice, nonetheless. There are important lessons to be learned from this example:
- Cybercriminals Cannot Be Trusted. Anonymous hackers promise to restore critical system functionality in an extortion scheme but have no incentive to keep their word.
- Giving in Perpetuates the Cycle. If you give in and pay whatever the attackers demand, you not only perpetuate the cybercrime cycle on a global scale, but also on a very personal one between yourself and the attacker. There is nothing stopping the attacker from seizing your systems again later on and asking for an even larger payout.
These truths apply universally to cybercriminal situations. The proliferation of cyber extortion is a result of the number of previous cybercrime victims who submitted to their extortionist's demands.
Want to find out how secure your systems are? Keep yourself safe from cyber extortion schemes by consulting with an experienced cybersecurity expert.