Extortion is an ancient practice, and cybercriminals were quick to adopt it, pairing it with data exposure into a dangerous combination.
This combination has been causing significant losses, and crimes involving data exposure and extortion now rank among the most common.
According to the FBI, $368,284,871 was lost in extortion cases from 2015 to 2021. Given these losses, it is urgent to understand the tactics, risks, and how to mitigate these threats, which we will discuss in this article.
Key Tactics of Data Exposure and Extortion
Historically, the first recorded case of cyber extortion occurred in 1971, as reported by Thomas Whiteside, when two reels of magnetic tape were stolen from a Bank of America branch in Los Angeles. The criminals attempted to extort the bank, but the attempt failed because a backup copy of the tapes existed.
Over time, cyber extortion strategies have evolved beyond merely stealing information and demanding payment. Today, they involve various techniques that require deep knowledge in different specialties and target different types of confidential data.
Categories of Data
When discussing theft and extortion, there are two categories of data prone to exposure:
- Data in Transit: Data that is constantly moving, carrying commands and requests across networks to other servers, applications, or users. Data in transit is highly vulnerable, especially when it travels over unprotected channels or through application programming interfaces (APIs), the interfaces that let applications communicate with each other.
- Data at Rest: Data stored on a system, whether a single machine or a network share. It is typically less vulnerable but more valuable. Different ways to steal it exist, including directory traversal attacks, in which a manipulated file path is used to read files on a server that should not be reachable.
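The directory traversal weakness mentioned above comes down to how a server turns a user-supplied file name into a path on disk. The following added example (not code from the article or from Axur) shows the naive join beside a hardened version that normalises the path and refuses anything that ends up outside the document root. The root `/srv/app/files` and the function names are assumptions for the illustration.

```python
from pathlib import Path

# Assumed document root for this example; not taken from the article.
DOCUMENT_ROOT = Path("/srv/app/files")


def resolve_unsafe(user_path: str, root: Path = DOCUMENT_ROOT) -> Path:
    """The naive pattern: join user input straight onto the root.
    A value such as "../../etc/passwd" or an absolute path walks out of the root,
    which is exactly the data-at-rest exposure described in the article."""
    return root / user_path


def resolve_download_path(user_path: str, root: Path = DOCUMENT_ROOT) -> Path:
    """Hardened version: resolve the joined path (collapsing '..' and following
    symlinks) and require the result to be strictly inside the resolved root."""
    root_resolved = root.resolve()
    candidate = (root_resolved / user_path).resolve()
    # The root must be a proper ancestor of the candidate; this rejects
    # traversal, absolute paths, and a request for the root directory itself.
    if root_resolved not in candidate.parents:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    return candidate


def is_safe_download_path(user_path: str, root: Path = DOCUMENT_ROOT) -> bool:
    """Boolean wrapper so the check can be used in request handlers or logs."""
    try:
        resolve_download_path(user_path, root)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for requested in ["reports/q1.pdf", "reports/../q1.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(f"{requested!r:22} unsafe -> {resolve_unsafe(requested)}  allowed={is_safe_download_path(requested)}")
```

Two caveats for real deployments: apply the check after the web framework has URL-decoded the parameter (so encoded forms of `..` are normalised first), and resolve symlinks as above rather than comparing strings, since a symlink inside the root can also point outside it.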
These categories shed light on the subject and facilitate understanding different data exposure strategies. Let's now look at some of the main tactics:
DDoS Attacks
Distributed Denial of Service (DDoS) attacks are tactics used to disrupt the operations of a system or network by overloading it, leading to partial or total unavailability. DDoS elevates cyber extortion to another level, and as we will show later, it can be applied in ransomware attacks. The strategies can be applied in several different ways.
Starting with simple DDoS attacks, attackers use a botnet to disrupt targeted networks, applications, or services by flooding them with internet traffic, slowing them down until they stop functioning completely. They then demand an initial ransom from the victim.
Despite being relatively simple, this strategy is concerning because it does not require much money or coding skills. An example is the sale of DDoS attack kits on the Deep & Dark Web for $10.
More sophisticated DDoS attacks are classified as subtraction attacks. These flood a firewall or IPS device while the attacker keeps an internal list of the real-time connections passing through it, aiming to track open internal connections for exploitation and to manipulate the network without interrupting the victim's connections, thereby avoiding suspicion.
Subtraction DDoS attacks are very short, which makes detection difficult. In other cases they are kept running longer as a distraction: while administrators focus on resolving the DDoS, the attacker exploits other vulnerabilities already identified. Advanced protocol manipulation may also be used as a distraction, complicating the administrators' job even further.
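The botnet flood described above has a simple signature on the receiving side: a sudden jump in request rate spread across many distinct source addresses. The following added example (not code from the article or from Axur) runs a sliding-window detector over a constructed set of web-server log lines; the log format, the 10-second window, the rate factor and the source-count threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one line per request: "<ISO timestamp> <client ip> <path>".
# The first five lines are normal traffic; the 12:00:20-12:00:29 window simulates a
# volumetric flood from 60 distinct sources. None of this is real captured data.
SAMPLE_LOG = """\
2024-03-01T12:00:01 198.51.100.10 /index.html
2024-03-01T12:00:04 198.51.100.11 /login
2024-03-01T12:00:09 198.51.100.12 /index.html
2024-03-01T12:00:13 198.51.100.10 /cart
2024-03-01T12:00:17 198.51.100.13 /index.html
""" + "\n".join(f"2024-03-01T12:00:2{i % 10} 203.0.113.{i} /index.html" for i in range(1, 61))


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split()
        events.append((datetime.fromisoformat(ts), ip, path))
    return events


def bucket_windows(events, window_seconds=10):
    """Group requests into fixed windows, tracking count and distinct sources."""
    windows = defaultdict(lambda: {"count": 0, "sources": set()})
    for ts, ip, _ in events:
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start]["count"] += 1
        windows[start]["sources"].add(ip)
    return dict(sorted(windows.items()))


def detect_flood(events, window_seconds=10, rate_factor=5.0, min_sources=20):
    """Flag windows whose request count is far above the typical window AND whose
    traffic comes from many distinct sources (the distributed part of DDoS).
    The median is used as the baseline because it is robust to the flood itself;
    in production the baseline should come from historical, pre-incident windows."""
    windows = bucket_windows(events, window_seconds)
    baseline = median(w["count"] for w in windows.values())
    flagged = []
    for start, w in windows.items():
        if w["count"] >= rate_factor * baseline and len(w["sources"]) >= min_sources:
            flagged.append({
                "window_start": datetime.fromtimestamp(start).isoformat(),
                "requests": w["count"],
                "distinct_sources": len(w["sources"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in detect_flood(parse_log(SAMPLE_LOG)):
        print(hit)
```

Requiring both conditions matters: a single misbehaving client also produces a rate spike but is handled by per-source rate limiting, whereas a spike spread over many sources is the case where upstream scrubbing or CDN-level mitigation is needed.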
These tactics are used for data exfiltration, preparing the ground for ransomware attacks, a strategy that has been worrying cybersecurity leaders.
Ransomware
Ransomware has become a significant concern for organizations and security teams worldwide. In 2022, ransomware attacks dominated the threat landscape, nearly doubling in volume compared to the previous year, resulting in a total cost of over $20 billion.
When discussing data extortion, it is essential to understand that ransomware has become a profitable market for cybercriminals. Since 2020, strategies have evolved to allow double and even triple extortion, combining data theft with the traditional encryption of the victim's network and the well-known ransom demand. It is therefore worth analyzing in more detail the techniques of data exfiltration and extortion used in ransomware attacks:
- Automated Exfiltration: This technique focuses on automatic methods, such as traffic duplication, which speeds up data transfer from an infected system to a server.
- Protocol-Based Exfiltration: This method sends data out over typical command and control protocols, whether symmetric-encrypted, asymmetric-encrypted, or unencrypted/obfuscated.
- C2 Channel Exfiltration: This strategy reuses an existing command and control channel, encoding the stolen data to look like normal communications and minimizing new outbound connections to avoid detection.
- Network Media Exploitation: Alternative media such as Bluetooth and cellular data can be used if other network options are inaccessible or cannot carry the data out without risk of detection.
- Scheduled Transfers: Data exfiltration can be performed only at specific times, a technique known as scheduled transfer. It blends the transfer traffic with normal activity to avoid detection.
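Scheduled transfers blend in by volume but give themselves away by regularity: the same source pushes a similar amount of data to the same destination at near-identical intervals, often outside working hours. The following added example (not code from the article or from Axur) looks for exactly that cadence in a constructed set of outbound flow records. The record layout, the hours treated as business hours, and the thresholds are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound flow records: (timestamp, source host, destination IP, bytes sent).
# The ws-17 -> 203.0.113.9 rows simulate a scheduled transfer: roughly 50 MB pushed every
# hour overnight. The remaining rows are ordinary daytime traffic. Not real captured data.
SAMPLE_FLOWS = [
    ("2024-03-01T02:00:05", "ws-17", "203.0.113.9", 52_000_000),
    ("2024-03-01T03:00:07", "ws-17", "203.0.113.9", 51_500_000),
    ("2024-03-01T04:00:02", "ws-17", "203.0.113.9", 52_300_000),
    ("2024-03-01T05:00:09", "ws-17", "203.0.113.9", 51_900_000),
    ("2024-03-01T09:15:00", "ws-17", "198.51.100.20", 4_000),
    ("2024-03-01T10:40:00", "ws-22", "198.51.100.20", 12_000),
    ("2024-03-01T14:05:00", "ws-22", "203.0.113.9", 800),
    ("2024-03-01T16:30:00", "ws-22", "198.51.100.20", 9_000),
]

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local working hours


def is_off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS


def find_scheduled_transfers(flows, min_events=4, max_jitter=0.1, min_bytes=10_000_000):
    """Report (source, destination) pairs with at least `min_events` large transfers
    whose inter-arrival times are regular (coefficient of variation <= max_jitter).
    The off-hours fraction is reported so an analyst can prioritise overnight cadences."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        large = [e for e in events if e[1] >= min_bytes]
        if len(large) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(large, large[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0 or pstdev(gaps) / avg_gap > max_jitter:
            continue  # transfers are large but not on a regular schedule
        off_hours = sum(is_off_hours(ts) for ts, _ in large) / len(large)
        findings.append({
            "src": src,
            "dst": dst,
            "events": len(large),
            "interval_seconds": round(avg_gap),
            "total_bytes": sum(n for _, n in large),
            "off_hours_fraction": off_hours,
        })
    return findings


if __name__ == "__main__":
    for finding in find_scheduled_transfers(SAMPLE_FLOWS):
        print(finding)
```

The same logic applies to proxy or DNS logs once they are reduced to (time, source, destination, size) tuples; the useful knobs are `min_bytes`, which should be tuned per host role, and `max_jitter`, which should be loosened if the environment's own scheduled jobs show that legitimate cadences drift.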
Besides the various possibilities in data exfiltration, it is important to understand multi-layered extortion strategies, which are transforming the ransomware attacks we know. Cybercriminals use these strategies to increase the profitability of their malicious actions. This happens because triple extortion attacks extend the range of affected victims, increasing financial returns.
These tactics involve data encryption, the threat of leaking confidential data, and a third tactic, usually a DDoS attack, used to increase the attacker's persuasive power. Yes, DDoS attacks can be used both separately and in triple extortion.
An example of recent triple extortion ransomware is BlackCat. Discovered in November 2021, this ransomware uses audacious strategies to commit its crimes. The attackers recruit affiliates to breach corporations and encrypt devices. With highly customizable tactics, the ransomware enables execution in various corporate environments.
Written in Rust, a programming language with much stronger memory safety than C and C++, the malware shows how data extortion strategies are becoming increasingly difficult to combat. The language's flexibility lets the group tailor each attack dynamically and individually.
Finally, quadruple extortion. Although rarer, some cybercriminal groups focused on ransomware attacks, such as the DarkSide operators, execute these strategies. In quadruple extortion attacks, attackers combine layers of encryption, exfiltration, DDoS attacks, and direct communication through call centers to the affected organizations' clients. This contact can also occur via emails or VoIP calls.
How these layers are exploited and how many levels of extortion are applied vary by ransomware group; furthermore, the levels are not always executed in order, so an attack can move seamlessly from double to quadruple extortion.
Data Exposure and Extortion: All Roads Lead to Profit
Even though strategies and tactics vary, the objective of data exposure and extortion attacks is the cybercriminals' profit. In extortion involving ransomware or DDoS attacks, that profit is collected through cryptocurrency transactions.
Moreover, the damage from data breaches and exposures encompasses losses on every side: the cost of interrupting the attack, recovering information (when possible), and resuming operations. Other costs that are not always accounted for stem from stolen credentials.
Undeniably, strategies for exposure and extortion are numerous, along with various forms of profitability from such practices. Therefore, proactive measures capable of mitigating such risks strategically become fundamental.
How Not to Be a Victim and Protect Your Business
The first step is understanding that cybercriminals use extortion, exploiting their victims' fear. They promise data release in exchange for ransom payments. However, there is no guarantee that the information will be returned, as the victim is negotiating with a criminal. Therefore, we recommend that no company interacts with or pays the demanded amounts in data extortion incidents.
Combating and mitigating data exposure requires detailed and assertive strategies since exploitation vectors and tactics are diverse. Therefore, understanding the potential vulnerabilities associated with these threats is crucial.
Some examples include:
- Compromised Passwords
- Misconfigured Code Repositories: exposed source code that enables reverse engineering
- Misconfigured Network Devices
- Lack of Access Controls
- Lack of Application Isolation and Sandboxing
There are numerous vulnerabilities, and protecting against these threats requires a new, comprehensive, and proactive approach, such as Cyber Threat Intelligence (CTI). Providing more detailed visibility into attacks, CTI helps combat advanced and emerging threats, such as exposure and extortion tactics.
Axur offers a CTI solution with advanced investigation capabilities, combined with Deep & Dark Web monitoring, providing strategic information to investigate and address incidents involving data exposure and extortion.
The Essential Role of MSSPs in Preventing Data Exposure and Extortion
Managed Security Service Providers (MSSPs) are pivotal in defending organizations against data exposure and extortion threats. MSSPs utilize advanced cybersecurity tools and threat intelligence to provide continuous monitoring, real-time threat detection, and fast incident response. By leveraging platforms like Axur’s, MSSPs can proactively identify vulnerabilities and mitigate risks associated with cyber extortion and data breaches. This proactive approach not only helps protect sensitive information but also maintains the trust of their clients. The expertise and resources provided by MSSPs are crucial for navigating the complex landscape of modern cyber threats, ensuring comprehensive protection for businesses.
Experts in creating relevant external cybersecurity content to make the internet a safer place.