The extortion evolution

A recent Wall Street Journal piece outlined the insidious evolution that took place during this summer’s ransomware attacks.  What began with simple bitcoin requests quickly gave way to the morphing Petya threat, then to permanently encrypted data that made CIOs WannaCry. 

Prior to the spring, a corporate officer facing a crypto-ransom demand was reasonably confident their data would be returned if the ransom was paid.  As Labor Day approached however, honor among data thieves seems to have evaporated.

Extortion is a wholly different criminal enterprise.  Ransom attacks are predicated on a stolen item’s perceived value — naked starlet pictures, confidential legal documents, or important customer data.  These have values based on another’s willingness to purchase them.  Paying the ransom is supposed to ensure those other parties don’t get that opportunity.

In contrast, extortion is very personal, focused on the threat to a specific individual if they don’t pay.  The cliché of Mafia capos extorting shopkeepers was based on the threat of violence.  The prey must not only have the ability to pay – they must also have a need for secrecy.  They must be irreparably damaged (humiliated, shunned, or disgraced) if the threat becomes public.

In short, criminals ransom something, but they extort someone.

This summer’s victims

It’s not simply the payment demand — there is also the threat of a continued trickling of sensitive data over time that ups this ante.  HBO has dealt with this threat all summer, as hackers dribbled out Game of Thrones scripts, as well as personal data on the show’s actors.  And it’s not just the big brand names that are at risk – so are their digital supply chain vendors.

Netflix uses boutique audio engineering lab Larson Studios to perfect the sound for its award-winning series “Orange is the New Black.”  In late 2016 Larson was hit by a ransom attack demanding $50,000.  It was well into 2017 before the company realized the initial text message and email threats were real and their systems had been compromised.  To protect their customer, (Netflix), Larson paid the ransom, but the shows were leaked anyway.

The Larson attack changes the corporate calculus in important ways.  Big companies make investments predicated on the expectation of a reasonable rate of return for a given risk.  They begrudgingly opt to pay a blackmailer based on the practical expectation their stolen assets will be returned.  A known present value (ransom) for an uncertain future value, versus an uncertain return (extortion) for a known present value.

This is true regardless of the asset at risk – digital products, physical merchandise, or even a kidnapped executive.  The Larson incident introduces doubt to these estimations; a risk that the firms will doubly lose — their asset and their ransom payment – making it less likely they will pay up in the future.  Unfortunately, this means criminal elements will be less likely to use general ransomware and increasingly turn to very targeted extortion attacks.

Janus

In Greek mythology, Janus was the two-faced god of war & peace, capable of looking both into the past and the future.  The cybersecurity version of this duality is coercion and extortion — use elicitative coercion tactics through spearphishing to extort money from victims.  The pair make for significant windfalls for criminals by focusing only on those most likely to simply roll over and pay.  This also avoids accidentally picking a personality type who decides to turn the tables on them — a cyber sort of Mel Gibson’s character in Ransom.

Social media makes selecting the best target – one who is both susceptible and has the resources to pay — an increasingly simple exercise.  In 2010 Facebook ran experiments on users to determine voter turn-out, and followed up in 2014 with experiments on manipulating emotions.  With artificial intelligence, this ability to remotely analyze virtually anyone is growing in popularity.

• Algorithms can determine sexual orientation by scanning pictures of faces
• Ashley Madison determined location & probability for cheating
• Admiral Insurance tried to analyze Facebook posts to determine teenage driver rates
• Instagram can predict depression sooner than a physician

Mind of the adversary

A recent article on the psychology of snipers outlined the differences in targeting an individual versus a faceless population, and what that entails.  Pulling a firearm’s trigger and ending a life is obviously very different from targeting a person for extortion — but the successes of snipers to turn major conflicts speaks for itself.  Why wouldn’t criminal elements copy this success — cyber weapons can certainly reach longer distance than any projectile weapon. 

Think about all the major personality tests — the MBTI, the Firo-B, and the Minnesota Personality Exam.  These can all be conducted remotely by automated tools evaluating content from Facebook, LinkedIn, Twitter and Instagram.  Rather than an army of potential targets inside a big company, criminals can eliminate 90% or more of the employees most likely to report an extortion attempt.

Criminals can now know the 10% of employees to target in a company — the one most likely to quietly pay a ransom and quickly scurry for cover.  If that doesn’t scare a CSO, nothing will.