Businesses urged to prepare for extortion campaigns

Cyber criminal groups are promising rewards of £276,300 a year on average to accomplices who help them target high-worth individuals with extortion scams, a research report reveals.

The reward promises are even higher for accomplices with network management, penetration testing and programming skills, according to researchers at risk protection firm Digital Shadows.

One threat actor, the report said, was offering £600,000 a year, with add-ons and a final salary after the second year of £840,000.  

The main method of extortion where criminals deem potential victims to be particularly vulnerable is so-called “sextortion”.

Digital Shadows tracked a sample of sextortion campaigns and found that from July 2018 to February 2019 over 89,000 unique recipients faced around 792,000 extortion attempts.

An analysis of bitcoin wallets associated with these scams found that sextortionists could be reaping an average of £414 per victim. 

The campaigns follow a similar pattern, the researcher found, in which the extortionist provides the target with a known password as “proof” of compromise, then claims to have video footage of the victim watching adult content online, and finally urges them to pay a ransom to a specified bitcoin address.

However, the researchers said other campaigns can be even more sinister, with one spam campaign from December 2018 claiming that recipients will be “killed” if they did not pay.

Extortion is in part being fuelled by the number of ready-made extortion materials readily available on criminal forums, the researchers said, adding that these are lowering the barriers to entry for wannabe criminals with sensitive corporate documents, intellectual property and extortion manuals being sold on by more experienced criminals to service aspiring extortionists for less than £10.

In one example, seen by Digital Shadows, the guide specifically focuses on a sextortion tactic whereby the threat actor begins an online relationship with a married man and then threatens to reveal details of the affair to his partner unless a ransom is paid.

The guide claims this extortion method is the easiest for “novice”’ threat actors to start with, suggesting they could earn between £230 and £380 per extortion attempt. Dedicated subsections exist on criminal forums for this type of dating scam.

Even greater levels of sophistication could be around the corner, the researchers warn, if so-called “crowd-funding” schemes take off. In April 2018, threat actor “thedarkoverlord” stole documents belonging to the insurance provider, Hiscox, including files related to the 9/11 attacks in the US. The threat actor hoped to play on the public’s appetite for 9/11-related controversy and encourages people to raise funds to view the documents. Currently this campaign has amassed around £8,904.  

Crowdfunding models such as this, the researchers said, allow extortionists to raise funds from the general public rather than relying on victims giving in to ransom demands. Organisations dealing with inflammatory or sensational information should therefore consider how they would respond if an attacker opts for this course of action, they said. 

Rick Holland CISO and head of the Photon Research Team at Digital Shadows said the research shows that cyber criminal groups are increasing their targeting of high net worth individuals and those who hold positions of power within companies.

“Many threat actor groups are actively looking for collaborators to help them scale their operations,” he said.

According to Holland, widespread and opportunistic extortion campaigns are also lucrative. “The social engineering aspects of these emails prey on the recipients and entice them into paying the extortion amount.

“Unfortunately, our analysis of a select number of the campaigns shows us the criminals have amassed nearly £230,000 in this way. Education and minimising your personal and professional online exposure are essential for thwarting extortionists goals.

“Since the lines between our personal and professional lives are so blurred, firms should educate their staff and tell them never to pay out a sextortion request,” he said.

Digital Shadows advises the following to reduce the risk of extortion:

• Do not respond to sextortion emails. These scams are generally mass, opportunistic campaigns. Treat them as spam.
• Use HaveIBeenPwned to find previously breached accounts. Sextortion emails sometimes include a previously breached password that belongs to the victim in an effort to add legitimacy to the email. If you have email accounts that have been publicly exposed, update the password for the account and enable multi-factor authentication if possible.
• Develop a ransomware playbook. Regularly back up data and store sensitive files in detached storage away from the main network. Do not forget to periodically test your backup and recovery processes. The wrong time to identify flaws in your disaster recovery strategy is after all your critical data has been encrypted. 
• Shrink your potential attack surface. Make remote-access solutions, such as remote desktop protocol, accessible only over a virtual private network (VPN), and disable all other legacy or unnecessary features to harden your system against attack. Identify your most critical systems and apply supplier patches to publicly known vulnerabilities.
• Apply best practices for user permissions. Remove local admin rights, restrict execution privileges on temporary and data folders that ransomware typically execute from, and implement whitelisted application lists.
• Secure email users. Strong spam filters and restrictions around email attachments can help prevent spam extortion emails and malware from reaching the users’ email boxes.