Cyber-extortionists are liars

The good news about cyber criminals who go in for extortion is that they also tend to be liars. The bad news -- they're extremely difficult to catch.

Wade Woolwine, manager of strategic services at Rapid7, has dealt with his share of blackmailers who steal sensitive data from enterprises and then hold it for ransom.

Companies call in Rapid7 to help them figure out whether the blackmailers do, in fact, have the data they claim to have, to learn how they got into the system and to get them out, and to figure out how to deal with the blackmail itself.

Woolwine said that he's worked on under a hundred of these cases.

About a quarter of the time, the customer caves in and pays the ransom, typically between $10,000 and $25,000.

In return, the blackmailers promise to delete the data they stole.

Of course, there's no guarantee that the blackmailers will actually do that.

"There's the rub," Woolwine said. "They may not delete it. That's why the advice we give to customers is to not deal with attackers. Reach out to law enforcement and reach out to an incident response firm."

The other three quarters of the victims don't pay up. Some investigate first, and decide that the hackers don't actually have the data that they claim to have. Others just decide not to deal with the criminals.

Plus, if it's personally identifiable information that gets stolen, it still counts as a data breach whether the company pays up or not. No regulator is going to take a criminal's word for it that the data has been deleted.

In either case, the blackmailers haven't followed through with their promises to expose the data.

"In the particular cases we've investigated, it's been an empty threat," Woolwine said.

One reason could be that the data these guys go after -- trade secrets, source code, and intellectual property -- is too hard to fence.

Or it could be that it's just not worth their time.

"They tend to move on to the next victim," said Woolwine. "They're trying to find the most defenseless victim to go after, and the victims are out there ripe for the picking."

Given extortion's high success rate and high ransom amounts, even information like Social Security numbers, which has a ready market, isn't worth the effort of selling.

"It's getting to the point where selling personally identifiable information on the open market is not as lucrative," he said.

Meanwhile, although he advises enterprises to call in the authorities when they're hit with an extortion attempt, he admits that it rarely does any good.

"They get caught approximately zero percent of the time," he said. "They are very cunning and they are typically in countries where the U.S. does not have extradition treaties or else they hide very well."

Cyber-extortionists target companies in all industry sectors, he said, and of all sizes.

"There isn't necessarily any rhyme or reason," he said. "They're just going after the companies they feel they can victimize the most."

Meanwhile, defending against these kinds of attacks is like defending against any other kind of breach, he said. Enterprises should have strong information security programs, keep their patches up to date, do regular vulnerability assessments, have proper access controls, and make sure that the only people who can see the source code are those who have a need to know.

The highly targeted enterprise-focused cyber-extortion attacks are very different from CryptoLocker and its variants.

CryptoLocker is malware that spreads itself, and targets individual machines instead of entire companies. Ransom amounts tend to be low, typically at around a couple of hundred dollars. Defending against CryptoLocker involves keeping systems patched, antivirus up to date, and having good backups.

"Having very good backups solves the CryptoLocker problem," he said. "You can just delete the system and restore the data from the backup."

Stories by Maria Korolov