Not all cyber extortion is ransomware, and the threat isn’t just a technical IT matter
Not for the first time, I was recently involved in a case of threat extortion that had mistakenly been initially identified as a case of ransomware. This misunderstanding is common, but it’s also worrying because getting this wrong can lead to an incorrect response, which could be costly and damaging.
MAKE THE RIGHT CALL
For the case in question, the CEO of a European company received an email with a ransom demand. The criminal claimed to have accessed the company’s network, stolen large amounts of customer data, and threatened to sell it on the dark web unless he was paid a large ransom in Bitcoin. It seems that at this point, the CEO took the fact that the threat had arrived by email, together with the mentions of “network,” “data,” and “ransom,” and jumped to the conclusion that this was one of those ransomware attacks that he was vaguely aware of.
Accordingly, the CEO called in his head of IT and asked him to deal with the matter. Next, the IT security team confirmed with relief that there was no ransomware on the network and then advised that the threatening email was typical of the many fake emails sent by bluffers. If it were a case of real ransomware, the threat would appear directly on the company’s screens. The conclusion was, therefore, that this was not a genuine threat and could be safely ignored.
Unfortunately, the IT team only got it half right. It was indeed not a ransomware attack. Instead, it was a genuine threat extortion. After ignoring a second email from the extortionist, the company discovered that examples of its customer data were appearing for sale on a criminal marketplace. Apart from anything else, this immediately created data privacy/GDPR challenges. At this point, the company called in external security advisers who correctly assessed the threat and asked for my advice.
“WHEN” NOT “IF”
Extortions such as this are far more common than they appear, and this misperception leads many companies to conclude that it isn’t a risk they need to prepare for. Threat extortion, along with kidnap for ransom, is among the oldest forms of criminal activity and is still widely committed today. The curious thing is that it’s to the advantage of neither the criminals, the victims, nor law enforcement agencies to make this known. Therefore, we rarely see media reports of these crimes, leading to the assumption that they don’t exist. The problem with this, however, is that in many businesses the correct prevention, preparation, response, and recovery measures aren’t considered necessary precautions.
The difference with today’s threat extortion is that instead of a threat to, say, poison a company’s soft drinks on supermarket shelves, the cyber extortionist threatens to sell customer data and/or intellectual property on the criminal net. Most other aspects of this crime are similar to traditional threat extortion and its resolution requires specialist techniques, tactics, and procedures that aren’t part of an overworked IT department’s core competencies.
In 2022, personally identifiable information is a major commodity for criminals. The hotel industry knows well not only that it obtains and stores large amounts of such data as part of its business but also that large numbers of its employees and third-party vendors necessarily have access to this data. For the case in question, we identified that the extortionist was an employee of an outsourced call center and had downloaded the customer data at work onto a USB drive.