Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/30/2018
03:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Digital Extortion to Expand Beyond Ransomware

In the future of digital extortion, ransomware isn't the only weapon, and database files and servers won't be the only targets.

When we think of digital extortion, we typically think of ransomware. But cybercriminals now are looking outside ransomware for new ways to shake down organizations.

Cybercriminals have learned that many businesses will pay if a ransomware attack cripples their day-to-day operations. Ransomware drove the spike in digital extortion in 2017 and remains cybercriminals' weapon of choice, according to a new Trend Micro study "Digital Extortion: A Forward-Looking View."

But threat actors are exploring new extortion tactics. "Some of the attacks we've seen highlight a shift in the model itself," says Trend Micro chief cybersecurity officer Ed Cabrera. "As we expand our digital footprint, I think it creates an enormous opportunity for attackers to identify areas where they can have immediate impact."

The criminal extortion framework has been around in the physical world for a long time, he continues. Now, in the digital world, it's just getting started. Attackers are learning their chances of getting paid increase exponentially if they target certain files, systems, or databases. While ransomware will remain popular, but other types of threats are starting to appear, according to Trend Micro.

Extortion attacks and critical infrastructure

"Going forward, you would be remiss to just focus on files," says Cabrera. Cybercriminals will begin to leverage the growth of IoT, specifically industrial IoT, to extort money from victims. Businesses that need to be up and running at all times are especially vulnerable.

"Any organization that has real-time services, real-time operations that are impacted, will be targeted," he continues. Critical manufacturing and healthcare are prime examples, with attacks that target manufacturing plants and robots as well as sensitive files and documents.

These plants and machines typically run on legacy systems and diverse hardware that would be difficult - if not impossible - to patch or upgrade. For attackers seeking old vulnerabilities, these systems are prime targets. Trend Micro's report highlights supply chain disruption, in which attackers insert logic bombs or Trojans into specific network locations, as one example. Victims will need to pay to find the bugs' locations so they can disable them.

Digital files, normally targeted in ransomware attacks, are not as well-protected as critical processes. Threat actors want to "peel the onion," Cabrera says, and get to core infrastructure data that businesses will pay to save. "They're going to go deeper and deeper into organizations to find those processes … if those are impacted, you know they're going to pay."

Social media extortion is another growing threat. One form is the smear campaign, which spreads fake information and demands victims pay in orde to stop it. These campaigns, once more common among celebrities and politicians, have begun to target brands and executives. Once a business's reputation has been tarnished online, it is difficult to rebuild.

"We live in a reputation economy," Cabrera points out. "CEOs and board members, especially in this day and age of social, are heightened to the fact that anything they say, good or bad, is taken and can be immediately seen [online]."

Ransomware isn't going anywhere

"I'd say ransomware isn't going away; it's just going to continue to evolve," says Cabrera.

Security experts across the industry have noted the spike in ransomware, which hit a 90% detection rate for enterprise victims in 2017. More than 50% of businesses were hit with ransomware last year and on average, they were struck twice, reports Sophos.

Ransomware has proven a reliable moneymaker for cybercriminals and financial drain for victims. The median total cost of a ransomware attack was $133,000, Sophos found. This includes ransom, downtime, manpower, device cost, network cost, and opportunity cost. Five percent of the survey's 2,700 respondents said total ransomware cost ranged from $1.3 million to $6.6 million.

Over the next year, Trend Micro expects ransomware criminals will add new features to their digital weapons by reusing "the old book" of traditional malware techniques. This may include PE (portable executable) infectors and more aggressive delivery tactics to drive the speed and spread of attacks. Analysts also suggest criminals will create systems to minimize their interaction with victims.

The arrival of GDPR will shift cybercriminals' extortion strategies, Cabrera says. They understand the upcoming changes, and the penalties companies will have to pay if they're not compliant. He anticipates they'll use the new rules as leverage to get victims to pay for data.

"They're just scratching the surface in understanding what motivates organizations," he explains. "Not only are they fine-tuning the tools they're using to go after organizations, they're understanding all the financial aspects … I absolutely believe GDPR will be utilized as a tool to affect the payment of ransom."

To pay or not to pay?

The question remains: when you're hit with an extortion attack, should you pay? If your company is at the point where this is your last option, you have failed, Cabrera says.

"Gone are the days where we had ransomware hitting our personal PCs and it was more of a nuisance than an enterprise risk," he notes. "You should have a pretty robust plan to deal with digital extortion."

There are many reasons not to pay, but organizations that fail to plan find themselves weighing the pros and cons of payment.

If, or when, they are attacked, businesses need people, processes, and technology in place to mitigate the risk. There is no guarantee you'll get your data back when it's taken. Further, even if you do get it back, there is no guarantee it hasn't been copied or compromised.

"Even if that data has been slightly altered, that could impact operations for weeks or months to come," Cabrera says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17789
PUBLISHED: 2019-09-20
Prospecta Master Data Online (MDO) allows CSRF.
CVE-2019-11280
PUBLISHED: 2019-09-20
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain ...
CVE-2019-11326
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product is protected by a login. A guest is allowed to login. Once logged in as a guest, an attacker can browse a URL to read the password of the administrative user. The same pro...
CVE-2019-11327
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
CVE-2019-14814
PUBLISHED: 2019-09-20
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.