Cyber Extortion – A Troubling Trend

By: Krista M. Cyber Threat Intelligence Analyst, NJCCIC

There are several reasons why individuals may choose to become hackers. Some people might do it out of curiosity or for personal gratification. Others do it for financial gain or to steal intellectual property. Some consider themselves “hacktivists,” a relatively new term used to describe those who hack to promote a personal or ideological agenda. There are even state-sponsored hacking groups who are hired and trained to commit cyber-espionage against foreign governments and military establishments. Despite all of these motives, however, there is a growing trend that no one can afford to ignore – cyber extortion.

Cyber extortion is a threat against a person or organization combined with a demand in order to prevent or stop a cyber attack from occurring. Oftentimes, the demand is some form of monetary compensation. For instance, in 2007, Finnish phone manufacturer Nokia was targeted by an attacker who stole the encryption key used in the company’s proprietary Symbian operating system and threatened to make the key public if payment demands were not met. Unfortunately, due to a botched sting operation, Nokia lost several million euros to the attacker, who got away without a trace. In 2014, code hosting provider Code Spaces was forced to close after they refused to meet the payment demands of an attacker who launched a distributed denial-of-service (DDoS) attack against them and breached their online control panel. The attacker deleted most of Code Spaces’ data, backups, and machine configurations, leaving the company’s database so badly destroyed that they could not financially afford to recover.

Just last month, four New Jersey online casinos were targeted in a similar way, when an attacker launched a DDoS attack against the sites for 30 minutes and then threatened a “more powerful attack” if a Bitcoin ransom wasn’t paid. The casinos refused to pay the ransom and, fortunately, successfully mitigated the attack. The director of New Jersey’s Department of Gaming Enforcement did note that the attack “had the potential to not only negatively impact the targeted casinos but also all business in Atlantic City who share the same ISP provider.” 

This year, we’ve also seen a dramatic rise in the use of ransomware, a type of malicious software attackers use to extort money from victims by restricting access to their systems or files until payment demands have been met. (Last month, the NJCCIC published a detailed analysis of ransomware here.) Ransomware infections can quickly lead to lost data and even crippled networks if not discovered and remediated in time. Payment of the ransom does not necessarily lead to full data or system recovery.

Most recently, though, the data breach that has everyone talking is that of the now-famous Ashley Madison website owned by Avid Life Media (ALM). On 12 July 2015, a group of hacktivists known as the Impact Team announced that they had successfully compromised ALM’s database containing personally identifiable information (PII) of 37 million Ashley Madison website users and threatened to release the information to the public. This was an obvious case of extortion from the get-go, but one glaring difference between this breach and others is that these hackers did not demand monetary compensation from their victim. It was pretty clear as it unfolded that this breach was shaping up to be similar to the Sony Pictures hack of late 2014, when a group of hackers identifying themselves as the “Guardians of Peace” held over 100 terabytes of Sony’s data hostage over the impending theatrical release of the film The Interview. The FBI later attributed the attack to a state-sponsored North Korean group, and it became clear the attack was an act of retribution; those responsible wanted to impose their will over the company. Although Sony Pictures relented and cancelled the film’s release, it did not stop the hackers from leaking the company’s sensitive data.

During the ALM breach, the hackers demanded the company permanently close down two of its dating websites as punishment for defrauding paying customers whose information was not removed even after paying an extra fee for the privilege. Unlike Sony Pictures, ALM did not cave in to the group’s demands, so, a little over a month later, the group made good on its promise to leak the massive trove of customer data. Initially, the data dump appeared only on the Dark Web, but it didn’t take long before it was uploaded to Clearnet websites like Pastebin for all to see. Other hackers quickly created websites allowing anyone to easily search for email addresses found in the leak. Additional extortion campaigns surfaced as hackers contacted Ashley Madison account-holders and threatened to notify their spouses and employers if they didn’t meet their payment demands.

Despite the many differing opinions about who is ultimately responsible for this breach, one thing everyone can agree on is how devastating the effects of cyber extortion can be. From the loss of businesses and livelihoods to public embarrassment and the potential for victims to harm themselves, the ripple effects from these types of attacks can be far-reaching. That’s why it’s so important, now more than ever, to protect yourself and your data by knowing what the latest threats are and how best to prevent and mitigate cyber attacks. Consider becoming a member of the NJCCIC today to receive updates on the latest cyber threats and vulnerabilities, complete with full-scale analysis, prevention techniques, and mitigation strategies that you can share with your organization and the people you care about the most.