Corporate Compliance Insights

Extortionware Is on the Rise. Here’s How to Anticipate and Prevent Attacks Before They Happen.

What Organizations Need to Know About This Growing Cybersecurity Threat

by Rob Shavell
May 25, 2021
in Cybersecurity

While organizations around the world are coming to terms with ransomware, a new cyberthreat is growing in popularity. Extortionware attacks can affect both organizations and individuals, and may continue to pose a risk long after defenses have been breached.

When hackers gained access to a system in the past, they rarely cared about specific details within the data they encrypted or stole. But extortionware is changing that.

Ransomware remains the fastest-growing category of cybercrime. It occurs every 11 seconds and is responsible for a large part of the $6 trillion of damage that hackers will inflict this year alone. In 2020, incidents of ransomware grew by 458 percent, according to Bitdefender’s 2020 Consumer Threat Landscape Report.

What makes ransomware distinct from past forms of corporate data breaches is that, in its simplest form, the aim of a ransomware attack is not primarily to “steal data.” Instead, ransomware encrypts data necessary for ongoing operations and denies access to the victim, which can shut down a business indefinitely. Stealing and selling data isn’t the point. Instead, these attacks extract payment in exchange for decrypting data and “returning to normal.”

In other cases, cybercriminals will target specific data sets in order to steal them. Historically, exploiting details within datasets has often been the aim of other individual bad actors, downstream of the hackers themselves.

Extortionware, meanwhile, combines elements from data theft and ransomware models. For cybercriminals using extortionware, any sensitive files or personal information about employees extracted from a victim’s servers or found via other sources are now a valuable tool for either facilitating ransom payouts or demanding ongoing payments.

Ransomware – Encrypting your data and holding it for ransom.
Extortionware – Hackers steal your data to extort money, as exposing this data will cause even more harm than losing it. #extortion @dataprotection #itsecurity #cybersecurity #informationsecurity #datasecurity #infosec

— Parvez Diwan (@ParvezDiwan) April 27, 2021

The damage radius from an extortionware attack can be wider and more prolonged than that of a ransomware attack. In an example from 2017, cybercriminals released unseen episodes of the TV show “Orange Is the New Black” even after receiving a payment from Netflix. Late last year in Finland, a data breach of a psychiatric care provider’s records saw hackers demanding payments under threat of exposing patients’ mental health evaluations. Worryingly, in this case, the hackers not only requested payment from the provider, but also targeted individual patients. A successful attack on a U.K. weight loss clinic recently resulted in similar demands where threat actors used before-and-after shots of well-known patients as leverage for targeted payment requests.

What might seem like otherwise unimportant personal information is now being weaponized by cybercriminals to extort both individuals and connected organizations beyond just initial payment demands. Sizing up this threat, cybersecurity company Emsisoft estimates that extortionware attacks caused $25 billion in damages in 2020, a sum likely to rise further this year as cybercriminals refine their methodologies.

Technology Is Making Extortionware More Available

While the concept of extortion and even cyber extortion is nothing new, the growth in this kind of attack mechanism is being driven by several factors, including rapidly increasing technological capabilities among threat actors. Starting with attacks from the Maze group in 2019, cybercriminals now have access to strains of ransomware that enable this devastating double method of extortion (i.e., encrypting victims’ data while also stealing this data and threatening to expose it if payment demands are not met).

Even though the Maze group has made enough money to retire officially, cybercriminals have easy access to other advanced ransomware strains, like DoppelPaymer. These new strains allow bad actors to move laterally within networks and search for potentially compromising material long before a victim discovers an attack or their systems are shut down. As a result, even after a victim meets an initial payment demand, more demands are likely to follow based on the threat of information exposure.

These highly capable strains are also accessible to more threat actors than ever, thanks to the evolution of Ransomware-as-a-Service. Because threat actors can now effectively “subscribe” to ransomware providers, similar to legitimate SaaS business models, the availability of advanced malware has skyrocketed. For as little as $500 per month, threat actors can leverage malware – previously only available to well-funded or state-sponsored groups – that is capable of paralyzing and exfiltrating data from the most well-defended organizations. The unfortunate side effect of more effective, lower-cost ransomware is that cybercriminals now have more resources free to focus on deploying attacks in the first place.

The Potential for Weaponized Information

In addition to increased technological capability, cybercriminals using extortionware are benefiting from the growing volume of employees’ personal data accessible online. By combining information volunteered by employees through social media with what can be found for sale by data brokers, building up an accurate picture of an individual within an organization is regrettably easy. Matched with any compromising information uncovered during a data breach, employee personal information profiles can be quickly created and weaponized by cybercriminals.

On one level, employee personal data allows cybercriminals to craft more effective social engineering campaigns and phishing scams, and thereby multiply their extortion efforts. However, by placing extreme pressure on individuals by threatening to release compromising information, cybercriminals can also elicit irrational behavior to aid their path to a ransom payout from a victim’s employers. An individual within an organization, under the pressure of having sensitive personal information about them published, is naturally more likely to make the kinds of errors or disclosures that result in a broader breach.

Your Organization’s Unsecured Risk Vector

Even with network endpoints hardened and protected by advanced antivirus solutions, organizations are still increasingly vulnerable to extortionware tactics. This vulnerability stems from the hard-to-defend nature of the primary extortionware attack vector within most companies: employees.

Because they inadvertently, negligently or, in some cases, intentionally facilitate the vast majority of data breaches, employees remain the number one security weakness for most organizations. With employee error the cause of over 90 percent of data breaches, the rise of extortionware is likely to make the human weakness within most organizations’ security posture even more pronounced.

The easy availability of personal information collected by data brokers such as Acxiom, who offer for sale information including phone numbers, home addresses and email addresses for over 2.5 billion people, further compounds employee vulnerability. Because threat actors can legally identify and profile targets online for both network entry and extortion, deploying extortionware is easy.

Defending Against Extortionware

Because extortionware makes technological defenses less likely to stop an attack and, through its continued method of action, makes remediation efforts less likely to end one, organizations need to focus on hardening the human aspect of their cybersecurity approach.

Doing so means taking a proactive stance to employee protection across two broad fronts: training and organizational culture.

Implementing Extortionware-Focused Cybersecurity Training

Though the vast majority of organizations carry out some form of security awareness training, studies show that about 40 percent of employees don’t know what ransomware is, and almost 50 percent don’t know how to respond to a ransomware attack. Since extortionware is a relatively recent trend, it is more than likely that even more employees are unaware of this new cybersecurity risk — and of the actions they should take if they fall victim to this crime.

As such, it is vital that employers provide staff with extortionware awareness and resolution training. Giving employees access to resources to deal with extortionware in the event that they are targeted, along with a promise of assistance in resolving the situation, is equally important.

However, bear in mind that the vast majority of employees tend to forget most of the material covered during training sessions within just two days. For training to be effective, it needs to be regular, relevant and lead to a pathway for employees to escalate concerns about extortion to their managers without fear of repercussion.

At the most basic level, getting training right also means tailoring its delivery to the reality of employee lives. Most employees are already struggling to keep pace with the growing demands from increasingly connected working environments. Rather than getting them to sit through lectures, organizations should reconsider how they can incorporate gamification and challenge-based learning into training sessions — techniques that have been proven to be far more effective at improving employees’ retention of security training.

Creating a Culture of Security

Besides training employees to avoid threats like extortionware, effective human-based cybersecurity also means ensuring your organization’s cultural response to security issues is beneficial.

This concept entails taking steps to increase openness around security within an organization and avoiding a “cover-up” culture that can rapidly escalate extortion-focused cyber threats. If an employee is being threatened with extortion, they should feel confident in their ability to inform their superiors safely and in confidence.

Safe organizations take a proactive rather than a reactive approach to their employees’ personal online security. Having a proactive, security-aware culture means offering employees steps to protect their private information security both within and outside the workplace – training them on how to take back control of exposed personal information while also giving them actionable advice and tools to stop their personal data from being exposed in the first place.

Final Thoughts

As parts of the world emerge from the COVID-19 pandemic, financially motivated threat actors show no sign of slowing down their efforts to find new ways of maximizing their chances of receiving a financial return. At the same time, despite record spending on cybersecurity, the human element at the heart of most organizations continues to grow more vulnerable.

Extortionware is the result of this paradox and, as long as employees form the most vulnerable part of an organization’s defensive posture, the threat that extortion poses will keep climbing. To protect themselves effectively, organizations need to double their efforts to secure their most valuable resource — their employees’ personal information.


Tags: Cybercrime, Ransomware, Training
Rob Shavell

Rob Shavell is CEO of Abine / DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).
