The Face of Corporate Digital Extortion

There’s a certain art to coercing an individual or an organization for money through force or threats. This holds true historically—after all, extortion has been around for a long time—and for more modern forms of the practice.

The legal definition in most states is some variation of “the gaining of property or money by almost any kind of force, or threat, including violence, property damage, harm to reputation, or an unfavorable government action.” Note that extortion carried out by means of interstate commerce can itself be treated as a crime.

The “Chicago Outfit” was part of the American Mafia dating to the early 1900s and was the most powerful in the Midwest. The Chicago mobster scene was well known for its criminal activities, which included extortion. The protection racket was quite a money maker whether you, your property, or your business needed protection—the threat of violence was enough for you to pay up! Individuals were even extorted financially to maintain their own personal reputation, saving themselves from potentially embarrassing, socially damaging, or incriminating activities being exposed to the public.

This all sounds familiar, doesn’t it?

Mobsters might not look like this today, but extortion is alive and well online. Photo by: Orin Zebest

Digital Extortion Threat Actor: The New Mobster

The new mobster is a cyber-extortionist, and in the digital age the transaction types have changed along with the increased volume of crimes. Visibility into these crimes has never been greater, and they have been known to take down individuals and corporations alike. Cyber-extortionists use attacks like ransomware, distributed denial of service (DDoS), and phishing to achieve their goals, rather than the more primitive methods of the traditional mobster.

Their goals, however, are still the same—using threats of damage or embarrassment to make money from their victims. Understanding the means, opportunities, and motives these threat actors use will help us counter the “New Mobster’s” attacks using the right tools, training, and tactics for the job.

It helps to understand who your potential attackers are. Below is a quick look at various threat actor categories as defined by Verizon Data Breach Digest:

  • External threats—originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. Typically, no trust or privilege is implied for external entities.
  • Internal threats—are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).
  • Partners—include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

What’s at Stake and the Weakest Link

The traditional mobster understood who in the neighborhood was the most vulnerable to attack. Today, the violence has taken the new form of data held hostage, and our neighborhood has expanded. Our local corner stores are containers, mobile devices, and cloud infrastructure that hold a wealth of assets. Their value is also hard to evaluate, because they fall into the category of “intangible assets.”

Intangible assets are the real source of value in a corporation (e.g., intellectual capital, research and development, and brand names). The Business Dictionary states that “Whereas tangible assets add to an entity’s current market value, intangible assets add to its future net worth.”

This reflects a shift in our economy from an industrial manufacturing era to an information services-based period. As a result, digital extortion continues to gain a greater foothold.

Some questions corporations should consider asking are:

  • Can I identify my risk?
  • How is my data protected?
  • How is my information being used?
  • Which assets in my environment need to comply with regulations, and where are they?

The Value: Understanding Your Relative Risk

Success depends on being informed, which means that digital information is now a form of capital and a major player in the world economy. Return on investment is now linked to non-physical factors, creating new ways to measure and manage digital information. These new commodities are becoming our ROI.

There is currently no standardized method for measuring or auditing the value of intangible assets. However, as intangible assets become sources of value, it will be key to have a solution that can capture, preserve, manage, share, and identify the “right” assets, whether for historical purposes or for socializing those assets for monetization.

Remember, monetization of assets in this context is not for criminal gain. It provides awareness of what is at risk and helps keep the data out of cybercriminals’ hands for extortion. Creating a window into your corporate data allows you to protect effectively against cyber-extortionists. Three specific areas that you can focus on are:

  1. Know that if a breach occurs you can put the right response in place.
  2. Understand the risk associated with digital information in your organization.
  3. Acknowledge the street value of sensitive data and its effects.

Security & Intelligence
Posted on October 18, 2018 by Tish Looper