While organizations around the world are coming to terms with ransomware, a new cyberthreat is growing in popularity. Extortionware attacks can affect both organizations and individuals, and may continue to pose a risk long after defenses have been breached.
When hackers gained access to a system in the past, they rarely cared about specific details within the data they encrypted or stole. But extortionware is changing that.
Ransomware remains the fastest-growing category of cybercrime. It occurs every 11 seconds and is responsible for a large part of the $6 trillion of damage that hackers will inflict this year alone. In 2020, incidents of ransomware grew by 458 percent, according to Bitdefender’s 2020 Consumer Threat Landscape Report.
What makes ransomware distinct from past forms of corporate data breaches is that, in its simplest form, the aim of a ransomware attack is not primarily to “steal data.” Instead, ransomware encrypts data necessary for ongoing operations and denies access to the victim, which can shut down a business indefinitely. Stealing and selling data isn’t the point. Instead, these attacks extract payment in exchange for decrypting data and “returning to normal.”
In other cases, cybercriminals will target specific data sets in order to steal them. Historically, exploiting details within datasets has often been the aim of other individual bad actors, downstream of the hackers themselves.
Extortionware, meanwhile, combines elements from data theft and ransomware models. For cybercriminals using extortionware, any sensitive files or personal information about employees extracted from a victim’s servers or found via other sources are now a valuable tool for either facilitating ransom payouts or demanding ongoing payments.
Ransomware- Encrypting your data and holding it for ransom.
Extortionware – Hackers steal your data to extort money as exposing this data will cause even more harm than losing it.#extortion @dataprotection #itsecurity #cybersecurity #informationsecurity #datasecurity #infosec— Parvez Diwan (@ParvezDiwan) April 27, 2021
The damage radius from an extortionware attack can be wider and more prolonged than that of a ransomware attack. In an example from 2017, cybercriminals released unseen episodes of the TV show “Orange Is the New Black” even after receiving a payment from Netflix. Late last year in Finland, a data breach of a psychiatric care provider’s records saw hackers demanding payments under threat of exposing patients’ mental health evaluations. Worryingly, in this case, the hackers not only requested payment from the provider, but also targeted individual patients. A successful attack on a U.K. weight loss clinic recently resulted in similar demands where threat actors used before-and-after shots of well-known patients as leverage for targeted payment requests.
What might seem like otherwise unimportant personal information is now being weaponized by cybercriminals to extort both individuals and connected organizations beyond just initial payment demands. Sizing up this threat, cybersecurity company Emsisoft estimates that extortionware attacks caused $25 billion in damages in 2020, a sum likely to rise further this year as cybercriminals refine their methodologies.
Technology Is Making Extortionware More Available
While the concept of extortion and even cyber extortion is nothing new, the growth in this kind of attack mechanism is being driven by several factors, including rapidly increasing technological capabilities among threat actors. Starting with attacks from the Maze group in 2019, cybercriminals now have access to strains of ransomware that enable this devastating double method of extortion (i.e., encrypting victims’ data while also stealing this data and threatening to expose it if payment demands are not met).
Even though the Maze group has made enough money to retire officially, cybercriminals have easy access to other advanced ransomware strains, like Doppel Paymer. These new strains allow bad actors to move laterally within networks and search for potentially compromising material long before a victim discovers an attack or their systems are shut down. As a result, even after a victim pays an initial payment demand, more demands are likely to follow based on the threat of information exposure.
These highly capable strains are also accessible to more threat actors than ever, thanks to the evolution of Ransomware-as-a-Service. Because threat actors can now effectively “subscribe” to ransomware providers, similar to legitimate SaaS business models, the availability of advanced malware has skyrocketed. For as little as $500 per month, threat actors can leverage malware – previously only available to well-funded or state-sponsored groups – that is capable of paralyzing and exfiltrating data from the most well-defended organizations. The unfortunate side effect of more effective, lower-cost ransomware is that cybercriminals now have more resources free to focus on deploying attacks in the first place.
The Potential for Weaponized Information
In addition to increased technological capability, cybercriminals using extortionware are benefiting from the growing volume of employees’ personal data accessible online. By combining information volunteered by employees through social media with what can be found for sale by data brokers, building up an accurate picture of an individual within an organization is regrettably easy. Matched with any compromising information uncovered during a data breach, employee personal information profiles can be quickly created and weaponized by cybercriminals.
On one level, employee personal data allows cybercriminals to craft more effective social engineering campaigns and phishing scams, and thereby multiply their extortion efforts. However, by placing extreme pressure on individuals by threatening to release compromising information, cybercriminals can also elicit irrational behavior to aid their path to a ransom payout from a victim’s employers. An individual within an organization, under the pressure of having sensitive personal information about them published, is naturally more likely to make the kinds of errors or disclosures that result in a broader breach.
Your Organization’s Unsecured Risk Vector
Even with network endpoints hardened and protected by advanced antivirus solutions, organizations are still increasingly vulnerable to extortionware tactics. This vulnerability stems from the hard-to-defend nature of the primary extortionware attack vector within most companies: employees.
Because they inadvertently, negligently or, in some cases, intentionally facilitate the vast majority of data breaches, employees remain the number one security weakness for most organizations. With employee error the cause of over 90 percent of data breaches, the rise of extortionware is likely to make the human weakness within most organizations’ security posture even more pronounced.
The easy availability of personal information collected by data brokers such as Acxiom, who offer for sale information including phone numbers, home addresses and email addresses for over 2.5 billion people, further compounds employee vulnerability. Seeing how threat actors can identify and profile targets for both network entry and extortion legally online, deploying extortionware is easy.
Defending Against Extortionware
With extortionware making both technological defenses and – through its continued method of action – remediation efforts ultimately less likely to succeed against attacks, organizations need to focus on hardening the human aspect of their cybersecurity approach.
Doing so means taking a proactive stance to employee protection across two broad fronts: training and organizational culture.
Implementing Extortionware-Focused Cybersecurity Training
Though the vast majority of organizations carry out some form of security awareness training, studies show that about 40 percent of employees don’t know what ransomware is, and almost 50 percent are oblivious of how to respond to a ransomware attack. Since extortionware is a relatively recent trend, it is more than likely that even more employees are unaware of this new cybersecurity risk — and the actions they should take if they fall victim to this crime.
As such, it is vital that employers provide staff with extortionware awareness and resolution training. Giving employees access to resources to deal with extortionware in the event that they are targeted, along with a promise of assistance in resolving the situation, is equally important.
However, bear in mind that the vast majority of employees tend to forget most of the material covered during training sessions within just two days. For training to be effective, it needs to be regular, relevant and lead to a pathway for employees to escalate concerns about extortion to their managers without fear of repercussion.
At the most basic level, getting training right also means tailoring its delivery to the reality of employee lives. Most employees are already struggling to keep pace with the growing demands from increasingly connected working environments. Rather than getting them to sit through lectures, organizations should reconsider how they can incorporate gamification and challenge-based learning into training sessions — techniques that have been proven to be far more effective at improving employees’ retention of security training.
Creating a Culture of Security
Besides training employees to avoid threats like extortionware, effective human-based cybersecurity also means ensuring your organization’s cultural response to security issues is beneficial.
This concept entails taking steps to increase openness around security within an organization and avoiding a “cover-up” culture that can rapidly escalate extortion-focused cyber threats. If an employee is being threatened with extortion, they should feel confident in their ability to inform their superiors safely and in confidence.
Safe organizations take a proactive rather than a reactive approach to their employees’ personal online security. Having a proactive, security-aware culture means offering employees steps to protect their private information security both within and outside the workplace – training them on how to take back control of exposed personal information while also giving them actionable advice and tools to stop their personal data from being exposed in the first place.
Final Thoughts
As parts of the world emerge from the COVID-19 pandemic, financially motivated threat actors show no sign of slowing down their efforts to find new ways of maximizing their chances of receiving a financial return. At the same time, despite record spending on cybersecurity, the human weaknesses at the heart of most organizations continue to grow more vulnerable.
Extortionware is the result of this paradox and, as long as employees form the most vulnerable part of an organization’s defensive posture, the threat that extortion poses will keep climbing. To protect the organization effectively, organizations need to double their efforts to secure their most valuable resource — their employees’ personal information.
Rob Shavell is CEO of
