Digital Extortion: A Forward-looking View

In 2017, we saw digital extortion increasingly become cybercriminals’ first and foremost money-making modus operandi. It’s mostly due to ransomware — cybercriminals’ currently most popular weapon of choice, helping them in extorting cash from users all over the world and in hitting big businesses and organizations.

By infecting business-critical systems through their shotgun-style ransomware attacks and thus crippling enterprise day-to-day operations, cybercriminals managed to force big companies to bend to their will. Digital extortion has become the most successful moneymaking venture for cybercriminals, and the most effective in terms of the scale of their victims. Big or small, everyone gets hit, and everyone has to pay.

As cybercriminals find online blackmail and extortion lucrative, what predictions about digital extortion in 2018 can we make?

Digital Extortion in 2018 and Beyond

The future of digital extortion presents a risk-filled outlook, especially for enterprises and organizations. As we’ve stated in our 2018 Security Predictions, cybercriminals will continue to go after big targets by making ransomware designed to really wreak havoc, especially in office settings. This inference is based on the similarities among the biggest ransomware attacks of last year, where the ransomware itself was coded to search for office and server database files.

This doesn’t mean users will be left off the hook, however, as we have no doubt that cybercriminals will continue to use a “spray-and-pray” approach to ransomware: They’ll keep sending out ransomware en masse, hoping that one of them will infect a user system that’s tied to an office network. Users will still bear the brunt of these attacks.

We also believe that it’s not just ransomware that will be used for digital extortion, nor will database files, servers, and systems be the only assets which will be attacked. We expect digital extortion to expand beyond that, going after not only companies’ business-critical documents but also manufacturing plants and assembly-line robots. These plants and machines would inevitably have legacy systems and diverse hardware that would be difficult, if not impossible, to upgrade or patch, making them prime targets for attacks that exploit old vulnerabilities.

We also see attacker groups using digital smear campaigns and black propaganda against celebrities and companies, especially those attempting to promote an upcoming product or movie. In this day and age where customer feedback and social media reception are key to success, attackers may resort to abusing review sites and social media to bring down the image of companies of celebrities and companies — and to stop only once the victims pay a set ransom.

Finally, we believe that digital extortion will continue to feature phishing attacks and social engineering techniques to infect the computers and systems of unsuspecting company officers and executives with ransomware, or to establish a backdoor for data theft.

For more insights and predictions about how digital extortion figures into the threat landscape this year, as well as further discussions on the possible direction such attacks will take, you can read our latest research paper on the subject, titled “The Future of Digital Extortion.” In it we also discuss what kind of mindset company executives and users need when it comes to digital extortion, in order to protect themselves against becoming victims.

Of course, ransomware will continue to play a key role in digital extortion. The biggest digital extortion cases last year prove this.

WannaCry (May 2017)

The WannaCry ransomware outbreak was the biggest cybercrime event in 2017. This malware burst into the scene early in the year’s second quarter, abusing a then-recently discovered Windows Server Message Block (SMB) vulnerability. The vulnerability exploitation not only allowed it to infiltrate systems and infect critical files within them, but also to scan for SMB shares in order to spread across entire networks. As if this wasn’t nightmarish enough for businesses, WannaCry variants were also written to specifically encrypt business-related files, such as databases and archives. This meant that any company hit would definitely have to pay, or cease operations indefinitely.

EREBUS (June 2017)

Soon after WannaCry hit, EREBUS made its entrance by managing to infiltrate the web servers of the South Korean web hosting company NAYANA. The infection managed to spread to 153 Linux servers as well as 3,400 business websites that NAYANA hosted, effectively giving the company no other alternative but to pay the ransom. The attackers originally asked for 550 bitcoins (US$1.62 million as of June 2017) in total for ransom, but NAYANA was able to negotiate for a smaller sum of 397.6 bitcoins. This still amounted to US$1.01 million, but to be paid in installments.

Two things were alarming about EREBUS. First, it was ostensibly a Linux version of a ransomware that was first seen around September 2016. Second, like WannaCry, it was also designed to search for and encrypt database files, which means it was geared towards causing the most damage to a business or corporate setting. Combine these with how it may have used specific Linux vulnerabilities and that it uses multiple encryption methods to scramble files and keys, and you get a ransomware that’s definitely one to watch out for.

PETYA (June 2017)

Not long after EREBUS, a new variant of PETYA came along, one that targeted users in Europe en masse. This particular variant was detected to use the EternalBlue exploit — the same exploit used by WannaCry to propagate across business networks.

One after another, large enterprises reported that they were indeed hit by this PETYA variant, with one company declaring that they stood to lose up to US$300 million in damages alone. Upon further analysis it was also discovered that PETYA had numerous advanced routines that had to do with information extraction (the usage of a customized Mimikatz) as well as modifying the infected system’s MBR before encrypting the files, to make decryption harder. A few months later, PETYA resurfaced with a new variant named Bad Rabbit, which went on to cripple major transportation architecture all over Russia and Ukraine.

It’s worth noting here that like WannaCry and EREBUS, the PETYA variant that surfaced in 2017 was also designed to target enterprises. Besides using EternalBlue to propagate across office networks, it was also written to encrypt files with extensions that are common to enterprise and office environments. It appears that cybercriminals have begun to create ransomware that, while still delivered widely, will impact businesses greatly.

As risky as the digital extortion-filled future seems to be, there are still a number of ways users and enterprises can secure and protect devices and systems against attacks such as ransomware, black propaganda campaigns, and data theft. Security solutions are mandatory to prevent the usual infection methods from gaining access to systems and networks, while the regular and faithful updating and patching of machines and software can help greatly against vulnerability exploitation.

Companies must also invest in proper employee and management education against both typical and atypical digital extortion attempts, especially when it comes to phishing and social engineering. Upcoming data protection laws such as the EU’s General Data Protection Regulation (GDPR) should also be prepared for and complied with, as this will have a net effect of companies worldwide becoming more secure with customer data — and with their own as well.