Cyberextortion is similar to physical extortion in many respects, but before drawing comparisons it’s important to understand what those terms mean. Legally, as defined by the Hobbs Act, extortion is “the obtaining of property from another, with their consent, induced by wrongful use of actual or threatened force, violence or fear, or under color of official right.” To everyone else, it’s the practice of demanding cash for not actioning threats. Cyberextortion, on the other hand, is a digital crime where hackers hold a victim’s data, website, computer systems, or other information hostage until their demands are met – typically a ransom.
Closely related is kidnapping, the action of abducting and retaining somebody, typically for financial gain or political action. It’s an unscrupulous crime but far from a new one, having occurred as early as 1754, when a Native American raiding party kidnapped a family in Charlestown. The first confirmed kidnapping for ransom took place in 1874, when four-year-old Charley Ross was abducted by a candy-wielding stranger (hence the lesson we’re taught as kids). The perpetrator demanded $20,000 for Charley’s safe return, but this wasn’t paid, the police believing it would set a dangerous precedent. Little Charley – perhaps as a result – never came home.
In 1886, Robert Louis Stevenson brought abduction to the masses via his serialized novel Kidnapped, and the subject has since inspired lyricists, filmmakers and everyone in between. As consumers, we are fascinated by abductions and hostage situations because of the uncertainty and jeopardy they entail. There’s a reason people still discuss Madeleine McCann, and there are many examples of high-profile kidnappings and abductions being turned into documentaries, including the demise of US journalist James Foley.
In the world’s traditional extortion hotspots, kidnapping was a common threat directed at those who refused to pay extortion demands or didn't behave as instructed. These include Syria, Libya and – perhaps most notably – Mexico, where a record 1,700 kidnappings occurred in 2013. (One politically motivated abduction resulted in the murder of 43 students a year later.) At present, 60 percent of all kidnappings occur in Africa, with the majority of those (43 percent) taking place in Nigeria.
Unsurprisingly, a kidnap equivalent is now rife online: ransomware. Joseph L. Popp, a Harvard-trained evolutionary biologist, kick-started this with his AIDS Trojan in 1989, which he delivered to global AIDS specialists via floppy disk. A trusted member of the scientific community, Popp claimed the disks featured a program for analyzing an individual’s risk of getting AIDS; however, the disks actually encrypted a machine’s files after 90 reboots and demanded $189, quite brilliantly, by invoice.
Things have progressed since Popp’s innovation, and rarely a day passes without ransomware taking an enterprise’s data hostage. Strains such as Sodinokibi, NetWalker and Ryuk earned cybercriminals millions of dollars in 2020, while half of all businesses were affected in the last year. Amid this cyber war, one topic continues to dominate conversation: should you ever pay the ransom?
Paying up may be financially viable in some cases, but whether it’s ethical is another question. To concede fuels an illegitimate industry (as the police feared in the Charley Ross case), and there’s no saying where the money will be spent. Cybercriminals are criminals. As such, their reach may extend to terrorism, human trafficking and beyond.
One respected cybersecurity consultancy likened the current situation to that of 1980s Italy, where the ’Ndrangheta crime syndicate would kidnap high-profile hostages for ransom. Most people were released when the ransom was paid, but this only emboldened the ’Ndrangheta and caused paranoia among communities. In response – and at risk to human lives – the Italian government outlawed ransom payments and ransom insurance policies, thereby destroying the kidnapping industry. The consultancy suggests governments could end the ransomware war by taking a similarly hardline approach and banning all ransomware payments.
Physical extortion versus cyberextortion
Ben Hockman, Immersive Labs’ Crisis Management and Response Subject Matter Expert, dealt extensively with the physical extortion of companies by organized crime groups in the badlands of South America. He acknowledges that while there are similarities between on- and offline extortion, there are important differentiators too. For example, the former involves a person – a likely imminent threat to human life – while the latter concerns data. If refraining from paying saves human lives in the long run, then it’s important; it’s ethical. But humans aren’t usually in peril when it comes to cyberextortion. In fact, there has been just one reported ransomware-related death, and this was due to a hospital closure in Germany.
Despite the ethical challenge and legal risk, the cyber ransom and ransomware industries have grown exponentially, showing that, when push comes to shove, businesses will pay in order to stay afloat. And we must remember: the ’Ndrangheta didn’t stop committing crime when ransom payments were banned – the group simply pursued other avenues. Threat actors would likely do the same.
"The cyberattack surface is growing by the day, so this is a really important consideration for companies. Paying may provide a band-aid in some instances. It might address the immediate issue, but organizations need to be situationally aware enough to quickly identify and address more complex technical and non-technical vulnerabilities in an organization. Payment might delay an issue, but it’s unlikely to serve as much of a deterrent after all."
– Ben Hockman, Crisis Management and Response Subject Matter Expert, Immersive Labs
The GDPR has increased the pressure on companies to pay too, which is likely the opposite of what was intended. Fines like the $35 million handed to H&M are so steep that organizations (and their insurers) know they will be better off paying threat actors. After all, it could be the difference between continuing to trade and going bust. In regard to the aforementioned cybersecurity consultancy’s proposal, you can’t outlaw ransom payments while implementing laws that fine companies if their data is lost because they didn't pay a ransom. It’s nonsensical.
Cyberextortion typically involves a threat to cause damage using hijacked networks owned by external organizations, which complicates matters. The web of operational risks and strategic liabilities that may arise from a ransomware scenario therefore requires a rehearsed response strategy – similar to a kidnap response, in fact. The difference here is that there isn’t a single priority, like the life of the victim in a kidnapping scenario; there are a myriad of considerations for modern businesses.
As well as demanding money in return for “hostaged” data, a cybercriminal may cause damage by sharing or auctioning customer or corporate data, making the victim business liable to its customers. Worse, any client whose data has been affected may recover damages from the victim organization owing to its inability to secure its systems. As we’ve seen, the number of people affected when a company’s data is held hostage can run into the millions, which is another differentiating, and arguably complicating, factor when it comes to cyberextortion. What is and should remain illegal, however, is making payments to known criminal or terrorist groups – so woe betide the companies who make fast payment without checking the recipient.
Preparing to respond
It’s clear that there’s no one-size-fits-all response to cyberextortion, and this is reflected in the statistics from Sophos’ State of Ransomware 2020 report:
- 26% of ransomware victims whose data was encrypted got it back by paying the ransom. A further 1% paid the ransom but didn’t get their data back.
- 56% of organizations whose data was encrypted got it back via backups.
The key to formulating a coherent response is weighing the financial (including operational, legal and reputational) consequences of not paying against the risk that the data is lost forever. But this can be near impossible under pressure – especially when there’s no clear escape route.
A cyberextortion response plan provides a useful guide rail, but because the potential online attack surface is so large, and there is no gold-standard approach for dealing with extortion events, the development of situational awareness and decision-making capacity among your executive leadership team is critical. Mark Harris, a crisis response expert at Blindside Limited, says, “When advising clients in responding to cyber extortions, response teams can become fixated on the technical aspects of the incident rather than assessing the wider implications and responding to the myriad of stakeholders, including business partners, customers and clients, regulators, and the public”.
The best way to improve these human skills in a crisis scenario is to practice cross-organizational response to online extortion at both a high level and a technical one. But many organizations don’t have an incident response plan, or they disregard the human element of cybersecurity by failing to stress-test their response teams in what is, in reality, a challenging environment. This is like living in a hurricane-prone area and not investing in defenses for your home.
The cost and effort of crisis response training has dissuaded organizations in the past, but you can now test human readiness without resource-intensive physical tabletop exercises. Immersive Labs’ Cyber Crisis Simulator is a browser-based solution that challenges teams to make critical decisions when dealing with emerging incidents such as ransomware outbreaks, insider threats, data breaches and spear-phishing attacks. It works on the principle that simulations are the best way to equip your people – practical exercises that build muscle memory in preparation for the real thing.
As physical and cyber threats converge, Immersive Labs will be developing crisis simulation scenarios that enable organizations to respond as a whole. Don’t wait for your data to be kidnapped. Book a demo and start preparing today.
11 February 2021