By David Sancho, Senior Antivirus Researcher, Trend Micro
Smart cybercriminals rely on rational decisions
Cybercriminals today are going all in with digital extortion. Their business model isn’t exactly new. “I want you to do this, or I’ll break your legs” is easily translated to “I want you to do this, because I have your data.” Extortion has always existed, and it’s a brilliant business model, albeit an unethical one. Therefore, I’m not at all surprised by the popularity of the digital variant today. You only have to look at the massive success of ransomware to see what I mean.
Blackmail versus extortion
In the digital world, there is a big difference between extortion and blackmail, just like in the physical world. In both worlds, blackmail just doesn’t work very well except in very specific circumstances.
A criminal trying to blackmail someone will steal sensitive company data and demand a ransom in exchange. The telco Bell Canada was the victim of such an attempt at digital blackmail. Criminals stole sensitive user data and threatened to release it unless Bell was willing to meet their demands. In this instance, the victim has to trust the criminal, who by definition isn’t trustworthy. There is nothing preventing blackmailers from releasing the data they stole, even after you pay the ransom. Chances are they’ll just ask for more after an initial payment. When looking at the options rationally, the only logical conclusion is to consider the stolen data to be lost. Don’t pay a dime, deal with the bad publicity in an honest and transparent way, and move on.
I do see cybercriminals trying the blackmail approach, usually to little avail. Blackmail only works when the victim isn’t responding rationally. Teenagers are a prime example of a demographic that might pay (and keep paying) their blackmailer, for example to prevent someone from leaking embarrassing nude pictures.
Some cybercriminals seem to persist in their attempts, despite the limited payoff. Another popular blackmail tactic consists of targeting the victim’s website with a DDoS attack. When the attack is in full effect and the website is down, the criminals contact the owner and promise to stop in exchange for a fee. Once again, there is no guarantee the criminals will actually keep their promise after payment. Some victims might pay once or twice, but sooner or later they all realize the criminal will just keep asking for money.
Last year, Australian singer Sia became the victim of attempted blackmail. Criminals threatened to release nude pictures of her unless she agreed to pay a ransom. She courageously decided to release the pictures herself, before the hackers could. I realize that’s a very difficult thing to do, but it’s the best possible plan of action given the circumstances.
One time extortion: the best option
Any cybercriminal who wants victims to pay must make sure the target doesn’t need to trust them too much. That’s precisely why ransomware is so successful. In the case of ransomware, your data is taken hostage on your own machine. After payment of the requested ransom, the victim receives a key that will enable them to decrypt their precious data. The criminal only needs to keep their word once and has no incentive not to do so, since no victim would be willing to pay them a second time.
I expect similar attacks to increase in frequency as well as sophistication in the near future. Imagine a hacker gaining access to any organization and modifying business processes in order to sabotage production. The executive board will not hesitate for long before paying if it means minimizing the loss. Once again, the victim gets the guarantee they’ll be able to fix the problem themselves after payment.
More devices are getting an internet connection each day. This means the possibilities for extortion are increasing as well. A company might not be willing to pay a ransom for the release of a PC (they might as well reset the device and restore a back-up), but they will most definitely reach for their checkbook the moment an automated production robot on an assembly line gets taken over. Or imagine driving your smart car to an important meeting, only for it to come to a complete standstill. A reasonable request for ransom money suddenly seems like a decent solution.
The sad truth is that extortion has always been a decent business model, and the digital age has only given the would-be extortionist more tools. If you are the victim of a well-executed extortion attack, do look at your options before considering payment. Maybe you can recover from a ransomware attack using back-ups, even if they aren’t completely up to date. Or maybe your antivirus provider has tools to decrypt your data, which is entirely possible if you’re hit with an older strain of the malware. Some attacks might not be as foolproof as they first appear. By paying the ransom, you’re supporting the criminal’s business plan. Giving in to their demands must always be your very last option.