Best practices in case of cyber extortion
1. Typology of cyber-extortion cases
The most common type of cyber-extortion is carried out with crypto-ransomware. The attackers first use malware to encrypt files on the infected device, then demand a ransom for the key needed to decrypt the compromised files. These attacks target individuals and private companies alike.
Private companies may face two other forms of attack:
First, they may be blackmailed following data theft. The most notable examples in recent months are the attacks carried out by Rex Mundi. The group typically steals sensitive or confidential data, such as client databases, and demands a ransom for not publishing what it has stolen. Publication would make the attack public, which could be damaging for both the targeted companies and their clients. Companies such as Dexia, Xperthis, Voo and Labio have suffered attacks by Rex Mundi.
Another type of cyber-extortion is DDoS for ransom, a form of attack in which the Armada Collective hackers specialise. The modus operandi is simple and effective: targeted companies receive a ransom email threatening a large-scale DDoS attack on their website unless they pay. Most victims are medium-sized companies whose business model relies on online trade (in products and services alike), such as the Swiss email service provider ProtonMail, which was attacked in November 2015.
2. Implementing best practices
a) Before cyber-extortion attempts
A series of good practices helps prevent cyber-extortion attempts from ending in a ransom demand the company cannot refuse.
Implementing a frequent backup and recovery strategy is essential. Backups must be kept separate from the users' network (offline, or on storage that the users' systems cannot write to) so that they cannot be encrypted by crypto-ransomware. Systems can then be rebuilt from the backups without paying the ransom, provided the restore procedure has actually been tested beforehand.
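The following is an added example (not code from the original article) of the restore drill that makes the advice above verifiable: every backup carries a SHA-256 manifest, the backup copy is checked before and after the live data is damaged, and the restore is compared file by file against the manifest. The sample files, the `live`/`backup` directory names and the XOR "scrambler" standing in for real ransomware are all constructed for the example; the separation from the users' network (pull-based or append-only storage the workstation cannot write to) has to be provided by the backup system itself and is only noted in comments.

```python
"""Restore drill for a ransomware-resilient backup (added example).

The 'ransomware' below is a constructed XOR scrambler used only to show
that a hash manifest detects the damage and that a separate, untouched
copy can be restored and verified.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative path) under root to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def take_backup(src: Path, backup_root: Path) -> dict[str, str]:
    """Copy src into backup_root and store a manifest beside the copy.
    In production the backup host should pull from src (or src should hold
    append-only credentials only), so a compromised workstation cannot
    overwrite or encrypt this copy; that separation is assumed here."""
    manifest = build_manifest(src)
    for rel in manifest:
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, dst)
    with (backup_root / MANIFEST_NAME).open("w") as fh:
        for rel, digest in manifest.items():
            fh.write(f"{digest}  {rel}\n")
    return manifest


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the manifest paths that are missing under root or whose hash differs."""
    current = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def simulate_ransomware(root: Path, key: int = 0x5A) -> int:
    """Constructed stand-in for crypto-ransomware: XOR-scramble every file
    in place and append a .locked suffix. Returns the number of files hit."""
    hit = 0
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".locked"))
        hit += 1
    return hit


def restore(backup_root: Path, target: Path, manifest: dict[str, str]) -> list[str]:
    """Rebuild target from the backup copy; return paths that still mismatch."""
    if target.exists():
        shutil.rmtree(target)
    for rel in manifest:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dst)
    return verify_against_manifest(target, manifest)


def restore_drill() -> dict[str, object]:
    """End-to-end drill on constructed sample data inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"  # stands in for the separate backup host
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "db.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (live / "invoice.txt").write_text("INV-0001 due 30 days\n")

        manifest = take_backup(live, backup)
        backup_ok = verify_against_manifest(backup, manifest) == []
        encrypted = simulate_ransomware(live)
        damaged = verify_against_manifest(live, manifest)
        backup_still_ok = verify_against_manifest(backup, manifest) == []
        leftover = restore(backup, live, manifest)
        return {
            "files_backed_up": len(manifest),
            "backup_verified": backup_ok,
            "files_encrypted": encrypted,
            "damaged_after_attack": damaged,
            "backup_untouched": backup_still_ok,
            "mismatches_after_restore": leftover,
        }


if __name__ == "__main__":
    for name, value in restore_drill().items():
        print(f"{name}: {value}")
```

Run the drill on a schedule against a real backup target rather than a temp directory: a drill that reports `mismatches_after_restore` empty is the evidence that paying a ransom is unnecessary, and a drill that fails is the warning you want before an attack rather than after.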
Security tools on email clients and webmail and on the operating system (antivirus) can also stop malware from spreading. They must be combined with prompt updates of both the operating system and all software installed on the company's IT equipment.
Human beings are usually the weakest point in the system. It is therefore crucial to raise employee awareness so that they adopt safe behaviours: never click on links or open attachments sent by unknown senders, and never share personal information or banking details with organisations that merely appear legitimate (banks, Internet providers, tax services, etc.).
The same good practices apply to blackmail following data theft from within the company's systems. Such thefts usually begin with a spam email carrying a malicious attachment, or a URL redirecting to a compromised website; once the system is compromised, malware is deployed to steal the targeted information.
Threats also come from inside: a malicious employee can mount a cyber-extortion attempt and threaten to disclose sensitive or confidential data. It is therefore essential to manage access through a strict hierarchy of rights and through compartmentalisation, so that no single employee can reach all of the company's sensitive data.
b) During cyber-extortion attacks
When blackmail follows an alleged data theft, the first step is to verify whether the data has actually been stolen. Some extortionists specialise in threats based on false claims and count on their victims' credulity. The same applies to the attackers' identity: imitators have copied the Armada Collective's style to send mass blackmail emails to SMEs, which often pay for attacks that are nothing but hoaxes.
It is strongly recommended never to pay a ransom, because payment guarantees nothing. Many victims end up paying far more than the initial demand. Exchanges often begin in a cordial tone to win the target's trust; if the victim gives in to the first demand, the attackers exploit that weakness to extort more money, using social engineering techniques to maximise their profit. There is no such thing as an honest crook, and paying only encourages further extortion.
Many victims refuse to file a complaint, for several reasons. First, they wrongly consider it a waste of time. Second, they are reluctant to communicate about the results and consequences of an attack that could damage their image and reputation with clients, suppliers and partners. This, however, is a poor strategy that only reinforces the attackers' sense of impunity: it confirms that their modus operandi works and encourages further attacks. It is therefore vital to file a complaint for every ransomware attack, and seeking assistance from qualified professionals can also help.
In the case of a proven attack, victims should seek assistance from experts used to managing such situations. Implementing a backup policy or rebuilding a company's IT equipment is not easy for every SME, and specialist service providers are best placed to handle such complex situations. If the attackers publish the sensitive or confidential data, a crisis management plan must be put into action. Communication is central at this point, and it too requires the assistance of a specialist.