Extortion is an ancient practice that has been widely used throughout history, and it didn’t take long for this practice to be adopted by cybercriminals, presenting a dangerous combination of data exposure and extortion.
This combination has been causing significant losses, as crimes involving data exposure and extortion rank among the most common practices.
According to the FBI, $368,284,871 was lost in extortion cases from 2015 to 2021. Given these losses, it is urgent to understand the tactics, risks, and how to mitigate these threats, which we will discuss in this article.
Historically, the first case of cyber extortion occurred in 1971, as reported by Thomas Whiteside, when two reels of magnetic tape were stolen from a Bank of America branch in Los Angeles. The criminals attempted to extort the bank, but the attempt failed because a backup copy of the tapes existed.
Over time, cyber extortion strategies have evolved beyond merely stealing information and demanding payment. Today, they involve various techniques that require deep knowledge in different specialties and target different types of confidential data.
When discussing theft and extortion, there are two categories of data prone to exposure:
These categories shed light on the subject and facilitate understanding different data exposure strategies. Let's now look at some of the main tactics:
Distributed Denial of Service (DDoS) attacks are tactics used to disrupt the operations of a system or network by overloading it, leading to partial or total unavailability. DDoS elevates cyber extortion to another level, and as we will show later, it can be applied in ransomware attacks. The strategies can be applied in several different ways.
Starting with simple DDoS attacks, attackers use a botnet to disrupt targeted networks, applications, or services by flooding them with internet traffic, slowing them down until they stop functioning completely. They then demand an initial ransom from the victim.
Despite being relatively simple, this strategy is concerning because it does not require much money or coding skills. An example is the sale of DDoS attack kits on the Deep & Dark Web for $10.
More sophisticated DDoS attacks are classified as subtraction attacks. In these attacks, the attacker floods a firewall or IPS device while keeping an internal list of the connections that are open at that moment. The goal is to track open internal connections that can be exploited and to manipulate the network without interrupting the victim's connection, so that no suspicion is raised.
Subtraction DDoS attacks have a very short duration, making detection difficult. In some cases, these attacks last longer as a distraction strategy. While administrators focus on resolving the DDoS, the attacker can exploit other identified vulnerabilities. These attacks make the administrators' job even more complicated, as they may use advanced protocol manipulation as a distraction method.
These tactics are used for data exfiltration, preparing the ground for ransomware attacks, a strategy that has been worrying cybersecurity leaders.
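The short-lived floods described above are hard to spot when traffic is only counted over coarse intervals, because a ten-second burst disappears into a one-minute average. The example below is added here and is not code from the article or from Axur: it buckets a constructed request log (timestamp, source IP, destination port) into small fixed windows, takes the median window count as the baseline, and flags windows whose volume exceeds a multiple of that baseline. For each flagged window it also reports the busiest sources and how much of the window they account for, which helps separate a flood from a few senders from a distributed one. The log format, thresholds and addresses are assumptions chosen for the illustration.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (not from the article), one line per request:
    '<ISO timestamp> <source IP> <destination port>'.
    Background: 1 request/s for 60 s from seven documentation-range addresses.
    Burst: seconds 30..39 add 40 requests/s spread over three other addresses."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for s in range(60):
        ts = (base + timedelta(seconds=s)).isoformat()
        lines.append(f"{ts} 192.0.2.{s % 7 + 1} 443")
    burst_sources = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for s in range(30, 40):
        ts = (base + timedelta(seconds=s)).isoformat()
        for i in range(40):
            lines.append(f"{ts} {burst_sources[i % 3]} 443")
    return lines


def parse_line(line):
    """Split one log line into (datetime, source IP, destination port)."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def detect_bursts(lines, window_seconds=5, spike_factor=4.0):
    """Bucket requests into fixed windows measured from the first event, take the
    median count of the non-empty windows as the baseline, and flag windows whose
    count exceeds spike_factor * baseline. Returns one dict per flagged window,
    in time order."""
    events = [parse_line(line) for line in lines]
    if not events:
        return []
    t0 = min(ts for ts, _, _ in events)
    buckets = defaultdict(list)
    for ts, src, _ in events:
        offset = int((ts - t0).total_seconds()) // window_seconds * window_seconds
        buckets[offset].append(src)
    baseline = statistics.median(len(v) for v in buckets.values())
    alerts = []
    for offset in sorted(buckets):
        srcs = buckets[offset]
        if len(srcs) > spike_factor * baseline:
            top = Counter(srcs).most_common(3)
            alerts.append({
                "window_start": (t0 + timedelta(seconds=offset)).isoformat(),
                "requests": len(srcs),
                "baseline": baseline,
                "top_sources": top,
                # Share of the window carried by the three busiest sources:
                # close to 1.0 means a handful of senders, close to 0 a distributed flood.
                "top3_share": round(sum(c for _, c in top) / len(srcs), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

With five-second windows the two windows covering the burst are flagged (205 requests against a baseline of 5); with a sixty-second window the same log produces no alert at all, because the burst and the background land in one bucket and there is nothing to compare it against. The window size therefore has to be shorter than the floods you expect to see, and the detector is deliberately simple: in production the baseline would come from historical traffic rather than from the same interval being judged.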
Ransomware has become a significant concern for organizations and security teams worldwide. In 2022, ransomware attacks dominated the threat landscape, nearly doubling in volume compared to the previous year, resulting in a total cost of over $20 billion.
When discussing data extortion, it is essential to understand that ransomware has become a profitable market for cybercriminals. Since 2020, strategies have evolved to allow double and even triple extortion attempts, combining the theft of data with the traditional encryption of the network and the well-known ransom demand. Therefore, it is worth analyzing in more detail the techniques of data exfiltration and extortion through ransomware attacks:
Besides the various possibilities in data exfiltration, it is important to understand multi-layered extortion strategies, which are transforming the ransomware attacks we know. Cybercriminals use these strategies to increase the profitability of their malicious actions. This happens because triple extortion attacks extend the range of affected victims, increasing financial returns.
These tactics involve data encryption, the threat of leaking confidential data, and a third tactic, usually a DDoS attack, used to increase the attacker's persuasive power. Yes, DDoS attacks can be used both separately and in triple extortion.
An example of recent triple extortion ransomware is BlackCat. Discovered in November 2021, this ransomware uses audacious strategies to commit its crimes. The attackers recruit affiliates to breach corporations and encrypt devices. With highly customizable tactics, the ransomware enables execution in various corporate environments.
By writing the threat in Rust, a much safer programming language than C and C++, the group shows how data extortion strategies are becoming increasingly difficult to combat. Rust's flexibility lets the operators tailor each build, enabling dynamic attacks adapted to the individual victim.
Finally, quadruple extortion. Although rarer, some cybercriminal groups focused on ransomware attacks, such as the DarkSide operators, execute these strategies. In quadruple extortion attacks, attackers combine layers of encryption, exfiltration, DDoS attacks, and direct communication through call centers to the affected organizations' clients. This contact can also occur via emails or VoIP calls.
How these layers are exploited, and how many levels of extortion are applied, varies from one ransomware group to another; furthermore, the levels are not always executed in order, so an attack can move directly from double to quadruple extortion.
Even though strategies and tactics vary, the objective of data exposure and extortion attacks is the cybercriminals' profit. In extortions involving ransomware or DDoS attacks, that profit is collected through cryptocurrency transactions.
Moreover, the damages involving data breaches and exposures encompass losses from all sides: costs for attack interruption, information recovery (when possible), and resuming operations. Other expenses that are not always calculated involve stolen credentials.
Undeniably, strategies for exposure and extortion are numerous, along with various forms of profitability from such practices. Therefore, proactive measures capable of mitigating such risks strategically become fundamental.
The first step is understanding that cybercriminals use extortion by exploiting their victims' fear. They promise to release the data back to the victim in exchange for a ransom payment. However, there is no guarantee that the information will be returned, as the victim is negotiating with a criminal. Therefore, we recommend that no company interacts with the attackers or pays the demanded amounts in data extortion incidents.
Combating and mitigating data exposure requires detailed and assertive strategies since exploitation vectors and tactics are diverse. Therefore, understanding the potential vulnerabilities associated with these threats is crucial.
Some examples include:
There are numerous vulnerabilities, and protecting against these threats requires a new, comprehensive, and proactive approach, such as Cyber Threat Intelligence (CTI). Providing more detailed visibility into attacks, CTI helps combat advanced and emerging threats, such as exposure and extortion tactics.
Axur offers a CTI solution with advanced investigation capabilities, combined with Deep & Dark Web monitoring, providing strategic information to investigate and address incidents involving data exposure and extortion.
Managed Security Service Providers (MSSPs) are pivotal in defending organizations against data exposure and extortion threats. MSSPs utilize advanced cybersecurity tools and threat intelligence to provide continuous monitoring, real-time threat detection, and fast incident response. By leveraging platforms like Axur’s, MSSPs can proactively identify vulnerabilities and mitigate risks associated with cyber extortion and data breaches. This proactive approach not only helps protect sensitive information but also maintains the trust of their clients. The expertise and resources provided by MSSPs are crucial for navigating the complex landscape of modern cyber threats, ensuring comprehensive protection for businesses.