Fending off cyber extortion can be difficult


A basic computer setup connected to the internet gives a malicious hacker the power to steal sensitive information, affect a company’s stock value, and hold corporations to ransom with the click of a mouse. Cybercriminals take advantage of anonymizing technologies such as the Tor network and virtual cryptocurrencies like Bitcoin to operate in clandestine ways.

The reality is this: the wired infrastructure we rely upon, where everything from a nuclear reactor to a Wall Street firm can be hacked into merely for being connected to the internet, has opened a whole new world of possibilities to criminals operating on the internet. A ransom demand or a threat sent by email was the natural next step in the evolution of criminals operating anonymously on the internet.

A notable example of cyber extortion in the past year is the much-publicized Ashley Madison data breach, an incident that will forever remain in infamy – particularly due to the sensitive data obtained by hackers. Threatening a company with blackmail following a breach of data of over 30 million customers, whose personal details and private secrets were obtained from breached servers, does make for a substantially rewarding extortion opportunity.

The hacking group behind the breach demanded that Ashley Madison and several other sister websites be taken down. Ashley Madison’s management stood firm, refuting claims of the breach. As it turned out, the hacker group carried out their threat with multiple data dumps to reveal 37 million Ashley Madison customers’ personal, financial and private details. The entire ordeal led Noel Biderman, the CEO of parent company Avid Life, to resign a week after the data leak.

Individuals who indulged in infidelity through Ashley Madison were also targeted, not just by the original hackers behind the breach, the Impact Team, but also by other predatory cybercriminals. According to anecdotal reports, the Impact Team contacted high net worth individuals, high-ranking officials, and others with a reputation to uphold and offered to have their names removed before the list went public. The price of removal? Up to $100,000. Other predatory cybercriminals saw an opportunity for extortion once the full list of members was released and threatened to release the information to victims’ family and friends, destroying their marriages and reputations, if payment in Bitcoin was not received in three days.

While Ashley Madison blamed the Impact Team hackers for everything, the truth is that protecting data is a corporate responsibility and Ashley Madison simply did not take sufficient safety measures to protect the highly sensitive data of its clients. This can all be seen in the leaked documents and source code. This type of incident is highly damaging and can potentially even put a smaller company out of business.

Ashley Madison was not alone. The Sony Corporation has seen its fair share of unfortunate incidents in recent times. Various hacking groups have knocked its popular PlayStation Network offline multiple times. While incidents affecting the company’s gaming network are well documented and highly unpleasant, the world had not witnessed a cybersecurity incident on the scale of the Sony Pictures hack. The company was the victim of a cyber extortion plot that was profoundly damaging to the studio arm of Sony and the brand itself. Similarly to Ashley Madison, the corporation itself was being held hostage and asked to succumb to extreme demands by the hackers.

Most damaging of all were Sony Pictures’ corporate communications, laid out as dirty laundry in the media. The Sony breach also affected its own employees when financial and accounting systems were breached, revealing employment and salary details through multiple leaks. The hack was so significant that Sony even asked for an extension to prepare its third-quarter earnings report, which was not filed by the due date.

The entire incident had massive media coverage and Sony had to withstand the endless barrage of negative publicity, compounded by the fact that they gave in to the extortion demands to cancel the wide release of “The Interview.” Even President Obama weighed in during the aftermath of the hack and extortion plot while the FBI prematurely blamed North Korean state-sponsored hackers for being the perpetrators behind the breach.

While these incidents serve as good reminders that even the biggest companies are vulnerable to targeted attacks, every corporation, small or large, is vulnerable to such attacks. SMBs are arguably at an even higher risk. For a number of reasons, there may not be the required investment or incentive to implement adequate security measures. It’s important to note that a significant number of cybersecurity incidents go unreported.

If breached and blackmailed, most companies today see paying the ransom as the quick, although expensive, way to deal with the issue of cyber extortion. Even the FBI itself advises companies to pay the ransom in most cases. The only way to prevent cyber extortion is to have a good cybersecurity posture and preventive measures in place. A proper incident response plan needs to be in place as well – it can help prevent a disaster.

Copyright © 2015 IDG Communications, Inc.
