The Global Insight
2019 kidnapping and extortive crime trends in review
- Kidnap, Extortion and Threat Response
- Operational and Protective Security
- Cyber Incident Response
2019 kidnapping and extortive crime trends in review
The global kidnapping and extortive crime environment saw several notable developments in 2019. A spike in kidnapping in the Gulf of Guinea hit mariners particularly hard in the last quarter, with nine maritime kidnaps-for-ransom in the last two months of the year. Other notable shifts included the spread of virtual kidnapping scams into new countries. Homegrown variants were reported with growing frequency in Spain and the US as domestic criminal groups adopted their own versions of the crime. Finally, in 2019 numbers of ransomware attacks rebounded as cyber extortionists demonstrated their renewed intent and capability to target a wide range of sectors and demand high cryptocurrency ransoms.
Other baseline kidnapping trends and metrics broadly held steady in 2019 as most kidnappers maintained their tactics. However, there were shifts in the MENA region related to political instability, with high numbers of kidnaps reported around protests in locations such as Iraq.
High rates of kidnap in the Gulf of Guinea hit maritime industry
Control Risks recorded 29 successful maritime kidnaps-for-ransom in the Gulf of Guinea in 2019, representing a 60% increase compared with 2018. Of those, nine incidents occurred in the last two months of the year, making the last quarter particularly hazardous for the maritime industry.
Nigeria-based pirate gangs are now operating with increasing capability and range, meaning that they are active further from Nigerian waters and abduct larger numbers of victims at a time. In 2019, Control Risks recorded successful abductions from vessels operating in the waters of Ghana, Togo, Benin and Gabon, as well as several in Nigerian waters. Pirate groups will continue to widen the areas of high kidnap risk to more than 100 nautical miles (185km) from the Nigerian coast through the increasing use of motherships. In 2019, Control Risks recorded at least two incidents involving 19 or 20 foreign victims. Previously the average was between three and eight victims.
Maritime kidnapping in the Gulf of Guinea has ebbed and flowed over the last decade, and the levels seen in 2019 are not out of line with past peaks. However, the challenge for businesses is that spikes in attacks are unpredictable and the kidnap risk can change between trips, even for companies operating frequently in the region. The business need to transit this area is significant, and the daily average of 2,000-2,500 ships present in the Gulf of Guinea means that these conditions will continue to pose a significant challenge for the industry as a whole.
Virtual kidnapping becomes a global threat
Virtual kidnapping continues to evolve from a low-capability crime conducted predominantly out of prisons in Mexico and Brazil to a widespread problem across the Americas, Europe and Asia-Pacific. In 2019, Control Risks recorded significant numbers of international scams run by criminal groups across Latin America and Asia-Pacific that targeted Spanish- and Mandarin-speaking populations across the globe. However, in a new development, domestic criminal groups in North America and Europe have adopted their own versions of the crime. In August 2019, the Spanish National Police issued a warning following a spike in virtual kidnaps orchestrated by Spanish criminals. In the US, the Federal Bureau of Investigation warned that a growing number of cases were perpetrated by domestic groups.
What is virtual kidnapping? An extortionist will call a victim and try to convince them that a loved one has been kidnapped or detained. They will put pressure on the victim to make a payment or a series of payments to the caller immediately. There are many forms of the scam, some of which use highly sophisticated surveillance or intelligence-gathering to build a profile of the victim. However, at its most basic virtual kidnapping only requires access to a telephone and a phone book, contributing to its growing adoption rate by criminals around the world. The most effective corporate response to this crime is through educational training such as e-learning courses that equip employees and their families with the knowledge and strategies required to cope if they are targeted in this way.
Technological advances are helping extortionists to develop more complex forms of the crime, and scammers will continue to exploit new communications methods as they emerge. For example, the rise in ID spoofing technologies allows calls from extortionists to show up as official numbers or trusted contacts from victims’ phonebooks. This adds credibility to the scam and makes it harder for victims to screen calls from unknown or international numbers. US extortionists used the technology to successfully target two sisters in Los Angeles in June 2019. In October 2019, the Vancouver Police Department in Canada issued a statement after Mandarin-speaking victims of virtual kidnaps in the city reported calls from numbers registered with Chinese police departments or consulates. A similar series of scams was reported in Canberra, Australia in August 2019 targeting Chinese nationals.
Spike in ransomware cases boosts number of cryptocurrency demands
Cyber extortionists targeted a wide range of sectors in 2019, with high-profile ransomware attacks on governments, businesses, universities and hospitals. More than 500 schools and almost 70 government organisations in the US alone were hit by ransomware attacks throughout the year. During just one week in June 2019, two Florida cities paid a combined USD 1.06m in Bitcoin to extortionists following ransomware attacks. A particularly concerning trend is the targeting of the IT and cloud computing sector, where cyber extortionists are infecting larger numbers of victims through initially gaining access to cloud computing providers. While the the largest providers have stringent security measures in place that are currently an effective deterrent, many smaller providers who operate in specific markets or sectors have proven vulnerable to attacks.
We have observed sharp increases in ransomware demands in 2019 with perpetrators in some cases asking for the equivalent of multiple millions of dollars. In November 2019, Mexico’s state-owned oil company Pemex was targeted by attackers who demanded 565 Bitcoin (equivalent to USD 4.9m at the time) in exchange for a decryption key. Pemex reported that it had managed to contain the problem and restore its systems.
What is ransomware? In a ransomware attack, cyber extortionists encrypt an organisation’s data and demand a payment for a decryption key. Backup data can also be compromised in an attack, and it can be hard to determine the extent of the damage and the likelihood of restoring an organisation’s systems without a decryption key at the initial stages of an incident. Perpetrators almost exclusively demand ransoms in the cryptocurrency Bitcoin, and businesses often need time to understand the process of setting up a Bitcoin wallet as well as the business ramifications of spending an extended period without access to their systems.
High incident numbers in 2019 reverse a lull in ransomware cases in 2018, when it appeared that cyber criminals were moving on from this type of campaign after users became better at combating the crime. Instead, attacks have become more sophisticated and are increasingly targeted towards organisations that incur large financial losses if they do not have access to their systems. Ransomware groups are now applying nation state-level tactics in order to do maximum damage to these companies when their ransomware encrypts the victim’s system. A growing number of ransomware actors have also begun to exfiltrate data, rather than simply blocking access to it. They then threaten to release the information if they are not paid, adding the risk of legal costs if data is leaked into the public domain. This creates a high-pressure and complicated negotiation process for crisis management teams.
Despite the boom in cryptocurrency demands in ransomware cases, Bitcoin demands are not the norm in all other forms of extortion or kidnapping. Most potential victims are likely to be unfamiliar with cryptocurrencies, including the technical steps needed to set up wallets and successfully withdraw and transfer funds. Perpetrators who make demands in Bitcoin must therefore be willing to wait while a victim – whether they are an individual or a business – works out how to complete the transaction. In ransomware cases, the organisation bears the business disruption costs of an extended negotiation. The same is not the case in low-capability virtual kidnapping, which relies on creating pressure on the victim to pay quickly before they discover that their loved one is safe. In these forms of extortive crime, the use of mobile (cellular) payment applications for smartphones has been more widely adopted than payments in cryptocurrencies. These apps make it easier for perpetrators to convince victims to make multiple transfers while staying on the line to the extortionist, which is essential to the success of many low-level scams.
In the world’s kidnapping hotspots, most financially motivated kidnappers lack the sophisticated technological capabilities needed to exploit the emergence of cryptocurrencies. In these cases, cash payments remain the norm, sometimes with the addition of high-value items such as jewellery or vehicles.
Global trends largely hold steady
Beyond regional shifts stemming from industry-specific crime, the fundamental characteristics of the global kidnap environment experienced little change between 2018 and 2019:
- A two percentage-point increase in the Middle East and North Africa was driven by a rise in kidnaps in Iraq following widespread protests that created a permissive environment for criminal and armed groups alike. The Americas remained the region where we recorded the largest number of kidnaps-for-ransom, accounting for 38% of total incidents in 2019, up one percentage point from 2018. Meanwhile, a decline in the percentage of global incidents occurring in sub-Saharan Africa and the Asia Pacific did not imply a reduction in kidnaps in real terms, as hotspots such as India, Nigeria and Pakistan continued to record high numbers of incidents.
- Driven by the cyclical demands of the criminal kidnapper business model (usually a high turnover of short-duration kidnaps), the proportion of incidents resolved in under a week remained at 80% of all incidents recorded by Control Risks. As ever, Control Risks recorded several long-running, outlier cases, with the longest period of captivity concluded in 2019 being 1,199 days.
- Local nationals continued to account for the majority of kidnap victims in 2019, accounting for 93% of victims in incidents worldwide, the same as in 2018. Foreign nationals remain potentially more lucrative victims for kidnappers. However, their smaller footprint in kidnapping hotspots, combined with their more reliable adoption of security precautions, appears to have largely dissuaded many mid- or low-capability financially motivated kidnappers.
Spikes in kidnap in the Gulf of Guinea remain frequent and unpredictable. Even companies that operate in the region frequently should continuously monitor the situation to accurately assess the threat to their operations. Virtual kidnapping will continue to spread into new markets. It is no longer effective to concentrate training and information campaigns solely on employees who live in or travel to traditional hotspots. Instead, businesses will need to think about how they can best equip a wider range of staff members and their families with the knowledge and capabilities needed to respond if they are targeted by extortionists in this way. Despite the widespread adoption of cryptocurrency demands by ransomware actors in 2019, the vast majority of ransom demands will continue to be in cash in global kidnapping hotspots. Nonetheless, companies should integrate an understanding of cryptocurrency negotiations into their crisis management planning to avoid delays in decision-making and logistics if they fall victim to a ransomware attack.