Although the scourge of ransomware has become synonymous with online extortion over the past several years, things aren’t entirely black and white in this arena of cybercrime. Amidst the noise of ubiquitous ransomware incursions, people started forgetting that Internet-borne blackmail isn’t restricted to file-encrypting malware alone.
In fact, perpetrators have plenty of other resources on their hands to coerce computer users into coughing up money. Furthermore, the rise of Bitcoin and online anonymity tools like Tor has a flip side, as it allows threat actors to hide their identity and thus stay on the loose.
Once a hacker gets hold of an organization’s or end user’s proprietary data, there are numerous ways to take advantage of it and keep the victim on the hook. Whereas “active” extortion via ransomware is becoming less profitable, “passive” tactics mainly boil down to being paid for not doing something. For example, victims can be instructed to pay for non-disclosure of their sensitive information obtained by malicious means, or for stopping an ongoing distributed denial of service (DDoS) attack. Peruse the cases below to get the big picture of how online extortionists act these days.
Extortion over copyrighted material – the HBO blackmail incident
A group of hackers identifying themselves as ‘Mr. Smith’ breached the servers of HBO, a US-based television network, claiming to have stolen 1.5 terabytes of unaired videos and scripts. The compromise took place in early August 2017. The perpetrators demanded a whopping $6 million worth of Bitcoin for not releasing the proprietary content.
When the company rejected the ransom demand, the felons leaked episode 4 of Game of Thrones season 7 along with several unreleased episodes of two other shows, just to demonstrate they were serious about their threats. The first dump was followed by another one a week later, which included more scripts and email correspondence of HBO executives. Even a $250,000 ransom payment camouflaged as a bug bounty reward didn’t quench the attackers’ money thirst, so they leaked more unaired content on August 13. To be continued, obviously…
Plagiarism extortion scam
This scam revolves around academic research and intellectual property. Anonymous ne’er-do-wells contact doctoral students who recently defended their PhD thesis. Passing themselves off as representatives of some nonexistent fund, the scammers claim to have found plagiarism in the thesis. Then, they instruct the scientist to pay thousands of dollars so that educational authorities won’t be informed of the purported foul play. The plagiarism racket is a complete bluff aimed at gullible researchers. This particular extortion vector is most widespread in Russia.
Ransom DDoS attacks
Extortion and DDoS attacks are now being combined more frequently than ever before. Attackers contact organizations with instructions to pay up in order to prevent a DDoS attack against their IT infrastructure. To prove that the threats are real, crooks may first launch a sample network stress attack that knocks a target company’s website offline for a while. The notorious DDoS-for-Bitcoin onslaught fired at the ProtonMail service in 2015 was one of the early wakeup calls regarding this extortion vector.
Online dating extortion
Not only do online dating sites help lonely hearts meet, but they can also land people in a major rip-off predicament. When chatting with someone on these resources, you never know their true intentions. A potential match may well turn out to be a scammer. These ill-disposed individuals first exchange appealing messages with the victim in order to build trust. As the conversation gets more intimate, the crook will request some sensitive photos. Next, they either post the embarrassing material, including the victim’s name and pictures, on some website, or threaten to send the photos to the victim’s friends. To save their reputation, a lot of people end up coughing up the ransom. Unfortunately, the fraudsters hardly ever carry through with their promises, so the incriminating data remains online regardless.
Sextortion
Sextortion is similar to the online dating extortion described above, but it can additionally involve hacking as an instrument for obtaining other users’ sensitive data. Crooks can leverage malware or phishing tricks to hack into one’s computer or smartphone, steal the victim’s personal information and hold it for ransom.
“Hitman” extortion scam
Imagine a scenario where someone pretending to be a murderer sends you an email demanding money for not harming you or a family member. The perpetrator will typically state that some unnamed foe of yours has paid them to do it, but that nothing bad will happen if you beat that price. This is a widespread scam referred to as “hitman” extortion. To be more persuasive, the crook will include details about the victim harvested from their social network account, personal blog or other publicly available online resources. A payment deadline is another hallmark of this fraud that puts additional pressure on the target.
Database ransom attacks
Improperly protected or misconfigured online-accessible databases are low-hanging fruit for cybercriminals. Weak authentication on MongoDB, Hadoop, Elasticsearch, and MySQL server installs enabled threat actors to hijack thousands of these databases in 2017. By guessing or brute-forcing the root password, hackers access a server, export its content and leave a ransom note demanding Bitcoins for returning the data. Note that these attacks don’t involve any malware and instead rely on the negligence of webmasters who use default server access credentials.
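As an added illustration (not part of the original article), the following Python audit flags the two mongod.conf settings that underlie the database-ransom pattern just described: access control left off and the listener bound to every interface. The two sample configurations and the small parser are constructed for this example; the only MongoDB-specific assumptions are the standard config layout (`security.authorization`, `net.bindIp`) and that a missing `bindIp` means loopback, which has been the upstream default since MongoDB 3.6.

```python
"""Audit a mongod.conf for the misconfigurations behind database-ransom attacks.

Added example with constructed sample configs; it is not MongoDB project code.
Checks: (1) security.authorization must be 'enabled', (2) net.bindIp must not
expose the listener on all interfaces (0.0.0.0 or ::).
"""

import re

# Constructed sample: no security section, daemon listening on all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authorization on, listening only on loopback.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

_LINE = re.compile(r"^(\s*)([\w.]+):\s*(.*)$")


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' subset of YAML used by
    mongod.conf into {section: {key: value}}.  Comments and blank lines are
    skipped; deeper nesting is not needed for this audit."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        indent, key, value = m.groups()
        if indent == "":
            section = key
            # A top-level scalar (rare in mongod.conf) is stored as a string.
            config[section] = value.strip("\"'") if value else {}
        else:
            if section is None or not isinstance(config[section], dict):
                raise ValueError(f"nested key without a section: {raw!r}")
            config[section][key] = value.strip("\"'")
    return config


def audit_mongod_conf(text):
    """Return a list of human-readable findings; an empty list means the
    config passes both checks."""
    cfg = parse_simple_yaml(text)
    findings = []

    security = cfg.get("security", {})
    authz = security.get("authorization", "disabled") if isinstance(security, dict) else "disabled"
    if authz.lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach the "
            "port gets unauthenticated admin access"
        )

    net = cfg.get("net", {})
    # Assumption: absent bindIp means loopback (upstream default since 3.6).
    bind = net.get("bindIp", "127.0.0.1") if isinstance(net, dict) else "127.0.0.1"
    addrs = [a.strip() for a in bind.split(",")]
    if any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(
            f"net.bindIp={bind} exposes the listener on every interface; "
            "bind to loopback or an internal address and firewall the port"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running the script on the weak sample reports both findings; the hardened sample reports none. The same two checks map directly onto the article's point: the 2017 wave needed no malware, only a reachable port and no password prompt.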
Most of these scams exploit human vulnerabilities by means of social engineering. To stay on the safe side, just be a little bit paranoid when online. Never disclose potentially compromising information when chatting with people you don’t know. Refrain from posting too much sensitive data on social media. Also, be sure to use a reliable antimalware suite. The Internet is a hostile place, so act accordingly.
Guest article written by: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures. Contact: Google+, Twitter, Facebook, LinkedIn.