Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay.
Attackers can go after a wide variety of targets
The line between blackmail and extortion is blurred in the digital realm.
“Many digital crimes we normally think of as blackmail are, in fact, extortion — like ransomware,” the researchers pointed out.
“Likewise, some crimes categorized as extortion are actually not. Sextortion comes to mind, wherein an individual is forced to perform acts of a sexual nature under the threat of having compromising material regarding them exposed online.”
In short, any attempt by a criminal to coerce a victim into doing something – paying money or performing a favor — falls within the realm of digital extortion. But the big difference between of offline and online extortion is the wide variety of assets that can be targeted in the digital domain.
- Encrypt company secrets
- Steal and threaten to divulge customer or other compromised data
- Lock devices and ask for ransom in exchange for giving back access to device
- Ask for money in exchange for stopping attacking sites
- Ask for money in exchange for fixing a hacked process or to not disrupt processes or sabotage production, and so on.
End users, on the other hand, are usually targeted with ransomware or become victims of sextortion.
Also, some users who want to keep their (potentially compromising) online personas separate from their real identities have lately been targeted by attackers who threaten to reveal their names publicly if they don’t pay up (e.g., in the wake of the Ashley-Madison breach).
Successful approaches and future attempts
How successful the attackers are in blackmailing targets depends on how much they ask and what leverage they have.
“Given data breach laws and regulations and the very significant impact hacks can have on a company’s reputation, the recurring cost of the extortionist’s fees may fall within the corporate victim’s loss tolerance for brand protection. In that case, some corporate victims may decide to simply pay,” the researchers noted.
Sextortionists, on the other hand, are often successful, and especially when they don’t ask for money, but (usually sexual) favors – the victims panic and comply, and by doing so provide the extortionist with more material for blackmail.
The researchers predict more and more extortionists to take advantage of social media and threatening users and companies with smear campaigns.
Machine learning capabilities that can be used to create convincing face-swap videos will likely only add to the problem, for private and public individuals alike.
A classic smear campaign is more effective in the digital world than in real life.
“Digital data lasts longer than real-world news: a successful smear campaign in 2016 may still be showing high in search ratings in 2017 or later. News can also spread faster online, with social media able to transmit news – fake or otherwise – with the click of a button. That is decidedly a factor in these attacks.”
The researchers expect ransomware peddlers to focus their attention on industries and companies that yield the most return, such as those in the healthcare and manufacturing sectors. They also expect ransomware to be perfected (quicker encryption of files, speedier infection and spreading, minimized interaction with the victim, dynamic pricing).
Finally, with the increasing use of IoT devices, wearables, and smart cars, digital extortionists can be expected to hijack devices, prevent users from accessing them or rendering them inoperable if they don’t pay up, stealing interesting data stored in them as holding it for ransom, and so on.
“Another way cybercriminals could bridge the gap between the digital space and the physical world: requesting physical favors as payments instead of mere monetary payment. As we have alluded previously, a generic blackmail attack is likely to fail. However, a person with enough access to a building can be blackmailed to provide temporary untraceable access in exchange for his or her naked pictures not being made public,” the researchers noted.
“With this in mind, we can also see how attackers with political agendas may spy on influential leaders and hold information for ransom in exchange for political advantages or perhaps other smaller favors.”
It is, in fact, possible that these situations already happen, but as they are unlikely to reach public attention, we don’t know about them.
Trend Micro advises companies to have potential digital extortion scenarios figured out, so they can react quickly and adequately.
DDoS attacks and smear campaigns should be countered by sharing the situation with the press and asking administrators of the sites where the smear campaign is being run to help with prevention.
“In incident response plans, any new or novel assets should be taken into account. Assets such as blockchain technology accounts, wallets, and the like should be reflected in the plan, as well as what to do when those are compromised or attacked. The same is true for any business process that is susceptible to being attacked. Any system involved should be accounted for and a viable strategy to deal with extortion attacks should be devised ahead of time,” they noted.
Individuals who are targeted with sextortion must know that the demands will never end, and should not give into them.
“A solution here is to go to the authorities to report the incident and hopefully trigger an investigation that would lead to the arrest and indictment of the culprit. Conversely, when the victim gives less value to the material the extortionist already has, the data also loses value in the attacker’s eyes and will be less likely to use it,” the researchers concluded.