Ransomware is currently one of the most common types of threat in the digital environment, and the number of attacks on companies and organisations keeps growing exponentially year after year. This type of attack however, has evolved significantly from the first time it appeared in 1989, and has become more sophisticated, organised and destructive than ever before. In particular, in the last two years cybercriminals have devised a new business model, an evolution from traditional ransomware, that allows them to maximise their profits: extortionware.

What is extortionware and how does it differ from ransomware?

Extortionware is a type of cyberattack in which threat actors steal large amounts of data from a company or organisation, and then use this stolen information to pressure the victim into paying a ransom. It is considered an evolution of ransomware, as the two techniques are used by threat actors in conjunction. As a matter of fact, threat actors typically use traditional ransomware tools to infiltrate a company’s system, after which they download and steal the victim’s data, before encrypting it and making it inaccessible. Cybercriminals then analyse the stolen data looking for valuable information, and contact the victim threatening to release the data to the public, if the ransom is not paid. Valuable data can include financial, medical and proprietary information, personal identifiable information of customers, employees and vendors, in addition to illegal and embarrassing information.
The technique of extortionware therefore differs from traditional ransomware attacks, in which threat actors gain unauthorised access to a company’s systems, and lock up the data by encrypting it. Traditional ransomware makes the data inaccessible without a decryption key, often leading the victim to halt operations for a period of time, and to suffer financial losses. Following a ransomware attack, the victim can either pay the ransom to obtain the decryption key, or not pay and risk losing all data, should there be no offline data backup.
With extortionware however, not paying the ransom could result in sensitive data being disclosed or sold to the public, business competitors, and other threat actors, which could lead to a severe reputational damage for the company. Cybercriminals can also look for anything incriminating or embarrassing on the company’s system in order to weaponize this information, and use it as leverage to pressure victims into paying. In this sense, extortionware combines elements from ransomware attacks and data theft.
The onset of the technique of extortionware can be attributed to the hacker group Maze in 2019. Due to falling revenues, as more and more businesses started maintaining offline backups to avoid having to pay ransoms, the Maze group changed their strategy by combining ransomware with data theft. After having witnessed the success of this new attack model, additional ransomware groups adopted this technique, including Clop, Revil/Sodinokibi, DoppelPayment, Conti, Netwalker, Mespinoza, and many more.
Extortionware attacks that have gained public attention include an attack on a large cosmetic surgery chain, in which cybercriminals threatened to post clients’ before and after pictures, and an attack on a major psychotherapy provider in Finland, in which the threat actors threatened to release patients’ sensitive information, including session notes. Individual patients were also contacted by the threat actors, who demanded that they pay $236 million in bitcoin to prevent the publication of their records.

The risks of extortionware
Extortionware can be an even more destructive attack method than ransomware, as it can lead to financial loss, reputational damage, and legal issues. In particular, extortionware attacks are more difficult to recover from for organisations and businesses. Following a ransomware attack companies can easily restore their data, without paying a ransom, if they keep an offline data backup. On the other hand, following an extortionware attack, having data backups will not be a solution, as threat actors will have a copy of the stolen data that they can use as leverage and publish for everyone to see.
This type of attack is growing exponentially also due to cybercriminals’ rapidly increasing technological capabilities. Following the attacks carried out by Maze in 2019, threat actors now have access to strains of ransomware that allows them to easily deploy and automate extortionware. In addition, the increasing popularity of the Ransomware-as-a-Service business model means that cybercriminals with low technical skills can pay a fee to use sophisticated malware that can infected devices and exfiltrate data.
Another driving factor for the rise of extortionware as a threat, is how lucrative this type of attack is for cybercriminals. By threatening to post information that could destroy the reputation of a company or of a private individual in a high position within the company, it is almost guaranteed that companies will be willing to negotiate a ransom settlement with cybercriminals.

Prevention
Extortionware attacks are difficult to defend from. Having offline data backups can help organisations and businesses recover from ransomware attacks. However, backups will not prove to be a solution for victims of extortionware, as only paying the ransom might prevent cybercriminals from releasing sensitive data, although this is never assured.
The only way to combat extortionware is through prevention, by making sure that threat actors do not compromise a company’s systems in the first place. This can be done by installing a comprehensive antimalware, and by keeping systems and software updated with security patches. Companies should also encrypt sensitive data, and enforce the use of MFA and strong passwords. It is good practice to also segment the network to limit access to sensitive and important data, and to monitor the network traffic. In particular, educating employees and third-parties on the importance of cyber hygiene, and training them to recognise social engineering attacks is also essential. Employees should also be reminded not to store any potentially harmful or embarrassing information on the company’s device and network.

Cybersecurity organisations are warning companies and private individuals about the rising threat of extortionware, that in 2020 alone caused over $25 billion in damages. The risk of this type of attack growing is even greater now that the prevalence of remote working means that more data is being saved on more devices, which might not always be appropriately protected. While ransomware is still a more prevalent threat, extortionware is set to grow rapidly in 2022, making it imperative for companies to upgrade their cybersecurity and train their employees.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference list:

• https://www.bbc.co.uk/news/technology-56570862
• https://www.bbc.com/news/technology-55439190
• https://blog.emsisoft.com/en/38394/what-is-extortionware/
• https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/
• https://www.corporatecomplianceinsights.com/extortionware-prevent-attacks-cybersecurity-threat/
• https://www.hipaajournal.com/hackers-blackmail-finnish-psychotherapy-provider-and-patients-and-leak-psychotherapy-notes/
• https://www.techtarget.com/searchsecurity/answer/Whats-the-difference-between-extortionware-and-ransomware
• https://www.techtarget.com/searchsecurity/news/450410538/Doxware-New-ransomware-threat-or-just-extortionware-rebranded
• https://www.theregister.com/2020/08/20/maze_crew_sk_hynix/
• https://www.varonis.com/blog/a-brief-history-of-ransomware

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.