Over the decades that Control Risks has been helping our clients to resolve their most complex challenges and guiding them through their most acute crises, the world has become increasingly interconnected and the risk landscape has evolved. We have seen kinetic wars fought on the battlefield turn into virtual wars on networks; espionage move from back alleys to hidden chat rooms; and protesters exchange their placards for web defacement.
Perhaps one of the starkest evolutions in the risk landscape has been the nature of extortion. In recent years, cyber-enabled extortion has become a highly popular and public technique. But even as the techniques for extortion change, many of the fundamentals for handling them endure. Even so, the past 12 months in particular have brought a marked rise in the sophistication and proliferation of cyber extortion tools, in turn markedly lowering the barriers to entry and blurring the ability to assess the threat.
Assessing the threat of cyber extortion is, like all threats, based on judging the attacker’s capability and intent. A threat actor must have both the means and the motivation. Without a motive there is no target. Without the capability there is no victim. But the situation we face now means that this corner of the cyber threat landscape is murkier than ever.
Increasing capability
Until recently the attacker’s capability was generally commensurate with the amount of resources they and their organization had access to. The more time, money, and skilled manpower the attackers had at their disposal, the more sophisticated their ability to attack their target. Recently however, sophisticated malware based on potent stockpiled exploits that at one time were only available to nation states became available on dark web market places and in the open source.
In May 2017, the group called the Shadow Brokers leaked a gigabyte worth of the US National Security Agency's weaponised software exploits, which made these tools available in the open source. This significantly levelled the playing field, and shortly thereafter led to the WannaCry attack, which leveraged the EternalBlue exploit included in the leak. The world watched in dismay as the WannaCry campaign shut down companies, hospitals, and government agencies worldwide. Although the relatively low bitcoin ransom demand of approximately 300 USD was similar to previous commodity ransomware attacks, the impact was significantly greater as almost 300,000 companies in 150 countries were affected. The UK’s National Health Service was a particularly dire example of how nasty ransomware can be, as its impact in some cases directly threatened the life of patients.
Conversely, as the capability of commodity criminals increases, highly advanced and professional adversaries such as nation state military and intelligence units have changed their tactics to further obscure attribution to their attacks. Although not entirely new, as the crowd of capable attackers has grown, it is now far easier for nation states to disguise their attacks as criminal campaigns to hide their true origin.
As a result these trends make it far more difficult to decide things like: “Does it make sense that the extortion threat is legitimate?” And further: “Based on their demands, what does the attacker really want and why was my organization the target?”
Mixed intent
The majority of cyber extortionists are motivated by one or more of four things: money, ego, revenge, and politics. Although traditionally the majority of cyber extortionists have been motivated by financial gain, recently we have seen advanced threat actors also use multi-tooled ransomware for political means.
Making money is still by far the most prevalent intent in cyber extortion cases. Cybercrime remains a functioning economy. Mirroring legal economies, dark web market places exist to purchase malware, hacking tools, and stolen data; to rent anonymous infrastructure; and to hire criminal services. There is market competition between criminal groups and some campaigns offer discounts or instalment payment plans. For those simply out to make money, the same principles of business economics apply when trying to make it in the market—they are motivated to concentrate their efforts on what makes the most money for the least work.
However, for nation states, although espionage remains the most prominent motive, some military and intelligence units have now begun to use ransomware-like malware families to both commit and disguise politically-motivated attacks. For example, the 2017 NotPetya outbreak impacted hundreds of companies in Europe, but is believed to have originated as a targeted attack by groups working on behalf of the Russian government to damage Ukrainian critical infrastructure—an attack that eventually spread far beyond the target for the breach and the country’s borders.
This represents a notable escalation in the motive of some nation states to truly combine kinetic and network warfare. Further, hidden behind a thin cloak of criminality it will be increasingly hard for companies to know who they’ve been targeted by.
Hiding behind the curtain
As we continue to watch motivations and capabilities blur, we have also seen a fundamental shift in extortion as a result of increased anonymity. Forty years ago extortionists had to be heavily invested in their grievance, such as on-going drug wars and socio-political conflicts that at one time made Colombia a hot bed for kidnap and ransom. In other cases, extortionists were left to less sophisticated means of requesting and collecting their ransom which often led to their capture. Nowadays, the internet allows this transaction to be anonymous and the targeting to be indiscriminate. This has resulted in a significant increase in extortion cases across all industry sectors - including media and entertainment, health care, service providers, and manufacturers – including cyber extortion that does not utilise ransomware. In these cases, companies receive emails that include threats of distributed denial of service attacks by groups such as the Armada Collective that can take down your online platforms and networked devices, or the threat of leaking data that the extortionists may (or may not) have compromised such as the Netflix data leak in 2017.
Adapting to the current threat landscape
Unfortunately, cyber extortion is now a common occurrence across sectors around the world and will continue to happen as long as it works.
Furthermore, in our increasingly interconnected world, we have seen it evolve at an accelerating pace over the past two years, even ticking up in just the last six months. As petty criminals hide behind the curtain of the world wide web and bitcoin wallets and state actors can hold a country hostage with malware, we must think about extortion within this new context and understand the risk that indiscriminate attacks can affect us all. Therefore, the way we prepare for and respond to these attacks must account for long standing best practices and new mitigation strategies.