Protecting Your Organization from Ransomware and Cyber Extortion

By Fabio Lior Rahamim

May 20, 2021

Cyber extortion is when an individual or group obtains access to an individual's or an organization's systems using various malware techniques and encrypts their files, blocking access – or threatens to distribute sensitive organization, employee or customer data. The attacker demands payment to stop the attack and release the encrypted data.

In contrast to other kinds of cyber security threats, where attackers look for information such as credit card details that can be sold for profit, a cyber extortionist holds data for ransom. Let’s have a look at how this happens and what you can do to protect your organization from the threat of cyber extortion.

How Ransomware is Used for Cyber Extortion

The most common approach used by cyber criminals to infect and penetrate an organization involves ransomware, a malicious script or program that infects computers and encrypts important data. Ransomware attacks were in the headlines again this month because of an attack on Colonial Pipeline, an American operator of one of the country's largest pipelines, which carries refined gasoline and jet fuel. Colonial halted systems for its 5,500 miles of pipeline due to the attack.

A ransomware attack starts when an employee clicks on a link and downloads a program that provides access to the victim’s computer. The victim’s files may be encrypted, or the attack may simply lock the victim out of the device or network. The cyber criminal then demands a ransom payment, and the victim has to pay up to regain access to the files and ensure they are not shared online.

But ransomware can also use a variety of techniques to exfiltrate data. Earlier this year, the well-known REvil ransomware was seen encrypting victims' networks within four hours of an initial intrusion by the IcedID banking trojan, and the group had leaked data from multiple healthcare companies. The REvil group is increasingly using Remote Desktop Protocol (RDP) for initial intrusion and stealing credentials to bypass controls such as Endpoint Detection and Response (EDR) solutions.


One of the most famous ransomware attacks of all time is WannaCry, estimated to have caused a financial loss of $4 billion worldwide. WannaCry first locks the victims out of their systems and then demands a ransom payment in Bitcoin. 

As with other types of cyber security threats, ransomware attacks continue to become more sophisticated over time. New types of ransomware attacks include double extortion, a scenario in which a victim first pays an initial ransom to regain access to sensitive data. Several months later, the victim is then manipulated into paying a second ransom in exchange for a guarantee from the same cyber criminal not to leak the sensitive files online.


Distributed Denial of Service (DDoS) Attacks

In addition to ransomware, another common way of conducting cyber extortion is through a Distributed Denial of Service (DDoS) attack: a cyber criminal threatens an organization and states that if the required ransom payment is not received, the organization's systems will be taken down. The largest DDoS attack reported to date is known as the AWS attack, a 2.3 TBps DDoS attack that was mitigated by the AWS Shield service in February 2020.

A DDoS attack is particularly damaging if it is timed to coincide with an important event run by the organization – for example, if it takes place on the day an organization is scheduled to run a large-scale conference. The organization’s website goes down, participants cannot register for the event, and the organization has to decide whether to cancel the event and incur the associated costs (and legal challenges), or pay the ransom.

WhatsApp Attacks

With WhatsApp, an attack might work slightly differently. WhatsApp is crucial for many organizations – for example, in companies that rely on it for internal communications and customer service. 

In a WhatsApp attack, a cyber criminal might break into an organization’s WhatsApp account and demand ransom payment. The cyber criminal might block access to the WhatsApp account and could even threaten to send out messages warning customers against using the organization’s services. 

Another type of attack on WhatsApp involves a phishing attack or scam in which victims are asked to provide a personal code and then locked out of the account – and then they are asked for money to regain access.

Leveraging Emotional Manipulation

A third approach to cyber extortion involves emotional manipulation using emails, texts, or messages on social media. 

A common scenario, unfortunately, involves sextortion – where a cyber criminal claims to possess compromising pictures of a victim and demands payment in exchange for not distributing them. Since it is common for people to expose themselves online, the ruse frequently works; victims believe the cyber security threats and pay whatever ransom is demanded to avoid potential embarrassment. 

To strengthen the effect of their threats, cyber criminals frequently obtain victims' passwords and include them as part of the demand for ransom payment – making it feel more likely that the threat is real. (Note: You can check online whether your password has been compromised on this site: https://haveibeenpwned.com/)
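The site linked above exposes its password data through a range lookup that never needs the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the returned suffixes locally. The following is an added example written for this post, not code from the author or from Have I Been Pwned; the `fake_fetch` function and its response body are constructed stand-ins for the live endpoint so the example runs offline, and `fetch_range_live` is an assumption about how one would call the real service.

```python
import hashlib
import urllib.request

# Real endpoint shape (assumption based on the public Pwned Passwords range API).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def password_range_query(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map.
    Malformed or empty lines are skipped rather than raising."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = password_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Assumed live fetch; only the prefix leaves the machine. Not called in this example."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the service ---------------------------
LEAKED_EXAMPLE = "constructed-leaked-pw"   # constructed: pretend this one is in the corpus
_leaked_prefix, _leaked_suffix = password_range_query(LEAKED_EXAMPLE)

# Constructed response body: two unrelated suffixes plus the one we planted.
FAKE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    f"{_leaked_suffix}:12345",
])


def fake_fetch(prefix: str) -> str:
    """Return the constructed body only for the planted prefix, else an empty range."""
    return FAKE_BODY if prefix == _leaked_prefix else ""


if __name__ == "__main__":
    print("leaked example seen:", breach_count(LEAKED_EXAMPLE, fake_fetch), "times")
    print("other password seen:", breach_count("constructed-unseen-pw", fake_fetch), "times")
```

The point of the prefix/suffix split is that a compromised or logged request reveals at most a five-character hash prefix shared by hundreds of other passwords, so the check itself does not leak the secret being checked.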

Note that as deepfakes become more widespread, other types of emotionally manipulative attacks are likely to become common. For example, cyber criminals might create videos in which victims appear to say things that they never actually said. This type of “evidence” is frightening because it is very hard to disprove, and it puts a person’s personal reputation on the line.

How Bad is the Damage? 

The fallout of cyber extortion touches on many aspects of a company’s operations and success. A cyber criminal who obtains medical information, confidential business information, credit card details or codes – or who damages a service or system – sets in motion events that can have long-term repercussions:

  • An attack can hurt the company’s brand and reputation. Customers question the company’s reliability (in the case of a DDoS attack) or its ability to secure sensitive data.
  • It can lead to loss of income, as new customers opt to work with competitors once they hear of the attack.
  • There may be regulatory fines from the GDPR or other compliance-related organizations, if it turns out that recommendations were not implemented correctly or standards were not adhered to.
  • The company may be unable to offer professional services or to provide customer support during the attack, because of sites that were taken down or data that is unavailable.


Protecting Your Organization

The most important means of protection against cyber extortion involves raising employee awareness, by implementing professional security training programs. Bottom line: All employees use email. And email is the easiest way through which ransomware seeps into an organization. As a result, it is crucial to make sure employees are trained to be on the lookout for suspicious emails.

As ransomware attacks increasingly use a variety of stealthy techniques to evade detection, it is now seen as imperative to have an endpoint detection and response (EDR) solution built to detect behavioral anomalies at the endpoint, which is where ransomware attacks land. However, be sure to have a team that continuously updates security policies and leverages the tool's hunting capabilities to proactively hunt for suspicious command lines or processes that have evaded detection. Our webinar here explains how you can get the most out of your EDR solution.
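The kind of hunting the paragraph describes can be expressed as a small set of rules run over process-creation events exported from an EDR. The block below is an added example written for this post, not code from the author or from any EDR product: the event fields, the rule names and the sample events are all constructed, and the rules cover well-documented ransomware precursors (shadow copy deletion, disabling Windows recovery, encoded PowerShell, and an Office application spawning a shell).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed, simplified process-creation event (field names are assumptions)."""
    host: str
    user: str
    parent: str     # parent process image name
    image: str      # this process's image name
    cmdline: str


# Rule predicates: each returns True when the event matches the behavior.
_SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
_RECOVERY_OFF = re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)
_ENCODED_PS = re.compile(
    r"powershell(\.exe)?\s.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rule_shadow_copy_deletion(e: ProcessEvent) -> bool:
    return bool(_SHADOW_DELETE.search(e.cmdline))


def rule_boot_recovery_disabled(e: ProcessEvent) -> bool:
    return bool(_RECOVERY_OFF.search(e.cmdline))


def rule_encoded_powershell(e: ProcessEvent) -> bool:
    return bool(_ENCODED_PS.search(e.cmdline))


def rule_office_spawns_shell(e: ProcessEvent) -> bool:
    return e.parent.lower() in OFFICE_APPS and e.image.lower() in SHELLS


RULES = [
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("boot_recovery_disabled", rule_boot_recovery_disabled),
    ("encoded_powershell", rule_encoded_powershell),
    ("office_spawns_shell", rule_office_spawns_shell),
]


def hunt(events):
    """Return (rule_name, host, cmdline) for every rule that fires on every event."""
    return [(name, e.host, e.cmdline)
            for e in events for name, fn in RULES if fn(e)]


# Constructed sample events: two benign, three that a hunter would want to see.
SAMPLE_EVENTS = [
    ProcessEvent("ws17", "jdoe", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws17", "backup", "backup.exe", "vssadmin.exe", "vssadmin.exe list shadows"),
    ProcessEvent("ws17", "SYSTEM", "cmd.exe", "vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("ws17", "SYSTEM", "cmd.exe", "bcdedit.exe",
                 "bcdedit.exe /set {default} recoveryenabled No"),
    ProcessEvent("ws22", "asmith", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + "A" * 40),  # constructed payload-free string
]


def hunt_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, host, cmd in hunt_sample():
        print(f"{host}: {name}: {cmd}")
```

Note that the benign `vssadmin list shadows` from the backup account does not fire, while the quiet delete-all form does; tuning rules on the exact verbs and on parent/child relationships is what keeps a hunt query from drowning in backup-software noise.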


It's also key to maintain up-to-date defense systems and to implement relevant Indicators of Compromise (IoCs) such as file hashes, command and control domains and IP addresses. These can be obtained from IP reputation sites and commercial threat feeds, or from an MSSP/MDR provider that uses them across its customer base. This guide explains how you can integrate different applications of threat intelligence into your security program.
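Implementing IoCs means more than storing them: hashes must be compared case-insensitively, a C2 domain should also catch its subdomains, and an IP indicator may be a single address or a whole range. The block below is an added example written for this post, not code from the author or any threat-feed vendor; the IoC values and log lines are constructed (documentation IP ranges, reserved example domains and a placeholder hash), and the log format is an assumption.

```python
import ipaddress
import re

# Constructed IoC set: placeholders only, not real indicators.
IOCS = {
    "sha256": {"0123456789abcdef" * 4},                       # placeholder hash
    "domain": {"update-check.example", "cdn.example.net"},    # reserved example names
    "ip": {"203.0.113.45", "198.51.100.0/24"},                 # RFC 5737 documentation ranges
}

KV_RE = re.compile(r"(\w+)=(\S+)")   # assumed key=value log format


def match_domain(name, domains):
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return next((d for d in domains if name == d or name.endswith("." + d)), None)


def match_ip(addr_port, networks):
    """Match host[:port] against single-address and CIDR indicators."""
    addr = addr_port.rsplit(":", 1)[0]          # strips :port; bracketed IPv6 not handled here
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((orig for net, orig in networks if ip in net), None)


def match_hash(value, hashes):
    value = value.lower()
    return value if value in hashes else None


def scan(lines, iocs=IOCS):
    """Return (line_no, ioc_type, ioc_value) for each indicator hit in the log lines."""
    networks = [(ipaddress.ip_network(v, strict=False), v) for v in iocs["ip"]]
    hits = []
    for n, line in enumerate(lines, start=1):
        f = dict(KV_RE.findall(line))
        if "query" in f and (d := match_domain(f["query"], iocs["domain"])):
            hits.append((n, "domain", d))
        if "dst" in f and (ip := match_ip(f["dst"], networks)):
            hits.append((n, "ip", ip))
        if "sha256" in f and (h := match_hash(f["sha256"], iocs["sha256"])):
            hits.append((n, "sha256", h))
    return hits


# Constructed sample log lines (DNS, proxy and EDR file events on one format).
SAMPLE_LOGS = [
    "2021-05-20T10:01:02Z dns host=ws17 query=mail.update-check.example type=A",
    "2021-05-20T10:01:05Z proxy host=ws17 dst=203.0.113.45:443 method=CONNECT",
    "2021-05-20T10:01:09Z proxy host=ws17 dst=198.51.100.77:8080 method=GET",
    "2021-05-20T10:01:11Z edr host=ws17 event=file_create sha256=" + "0123456789ABCDEF" * 4,
    "2021-05-20T10:02:00Z dns host=ws22 query=www.example.com type=A",
    "2021-05-20T10:02:03Z proxy host=ws22 dst=8.8.8.8:53 method=CONNECT",
    "2021-05-20T10:02:07Z dns host=ws22 query=assets.example.net type=A",
]


def scan_sample():
    return scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for line_no, kind, value in scan_sample():
        print(f"line {line_no}: {kind} indicator {value}")
```

The last two sample lines show the two classic false-positive traps: `assets.example.net` does not match `cdn.example.net` because subdomain matching is anchored on a dot, and a plain substring search would have been wrong either way.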

Finally, every company must have backups in several locations. One of these backups should be offline – providing you with a means of accessing your data even after an attack. 

If an organization does end up in a situation involving a cyber extortionist, be aware that negotiations must be handled by experts who have experience with these kinds of interactions. Handling a cyber extortion attack correctly may require you to involve not only cyber security experts but also professional legal services and regulatory experts.

Interested in learning more about how to protect your organization from cyber extortion? Contact us today!

Written by Fabio Lior Rahamim
Lior has over ten years of experience in Information Technology, with a focus on cyber security. He is the author of an extensive blog on information security that is a source of up-to-date and comprehensive information for the Israeli security community, with over 3,000 views per month, and he is a regular contributor to Wikipedia. Lior has extensive experience in SOC management, incident response, auditing, penetration testing and cyber education.