Cyber Extortion Getting Renewed Interest from Criminals

By Allen Bernard


If the signs are right, then, sometime in the next six-to-12 months or sooner, companies may be facing a new form of an ages-old (even in Internet years) practice: Extortion.

Even though cyber-extortion—where a group of criminals encrypts data and holds it hostage (ransomware) or threatens a massive denial-of-service (DoS) attack if you don't pay—pre-dates the Internet age by a decade or so, a new wave of criminals is dusting off the practice.

"We are observing certain, although below-the-radar right now, certain activities in the cyber-extortion area. In particular, to do with new and better technologies," said Maksym Schipka, senior antivirus researcher for MessageLabs, a provider of messaging security and management services.

These new technologies—or at least new ways to use existing technologies—include over a million bots detected by the company in the past couple of weeks and the use of RSA 660 encryption algorithms that are virtually unbreakable without the key.


According to Schipka, proof-of-concept work is being conducted in primarily Eastern European countries on perfecting ways to unleash these bots on unsuspecting companies and their customers in the form of ransomware—where RSA 660 is used to encrypt files or entire databases including back-ups.

"This number does keep rising," he said. "There's a lot of activity right now on the forums these bad guys use to communicate."

Over the last few weeks alone, MessageLabs has tracked a 25-to-30 percent increase in bot traffic, mostly in the form of "personalized" or "targeted" spam. This is a "massive" increase in activity, said Schipka.

If the beta trials work out successfully, a whole new wave of malware could roll West, encrypting critical corporate and personal data and infecting personal PCs with keylogging Trojans that will, in turn, use that information to steal identities and target individuals' financial accounts. By default, banks and other financial institutions may be particularly at risk.

While most of these firms are prepared to deal with attacks on their corporate assets, a new wrinkle in the game may be black-hats going after a company's customers and, by proxy, the company itself, said Barrett Lyon, founder of Prolexic, a DoS security firm, and now co-founder and CTO of start-up Bit Gravity.

"I think by targeting the individual you could still target a corporation," he said. "So, if you wanted to attack Ameritrade you attack Ameritrade's clients and just destroy their accounts, transfer money and, as a result, you're attacking Ameritrade. If you … think about what kind of financial calamity that would cause it's pretty significant."

While anyone attached to the Internet is at risk, Richard Stiennon, former VP of Threat Research at WebRoot and now running his own security-analysis firm IT Harvest, believes banks and other financial institutions, as well as stock exchanges, are the next big targets for cyber-extortionists.

The attacks will not necessarily target the companies directly but will go after the back-end support system operators like third-party payment processors where security may be less sophisticated than, say, a JP Morgan Chase or Bank of America.

The stock exchanges have security, said Stiennon, "however, they're not ready for the kind of DoS attack that could be launched against them. The only question is: Can somebody pull it off and extort enough money to make it worth their while to attack them?

"I believe that in the not too distant future (stock exchanges) will suffer those kind of attacks."

Attackers will probably use the million-plus bots at their disposal (they can rent the ones they don't control now) to go after an exchange's DNS servers, said Stiennon, effectively shutting down the exchange's ability to conduct business over the Internet. That would be a crippling blow, and an attack most organizations would probably pay to stop, said Lyon and Stiennon.

"My gut feeling is, if you're a manager and you're in a position where you could make a problem go away and buy yourself enough time to fix a hole, you're going to pay that," said Lyon. "The problem is, once you start paying, it gets around in those communities that you will pay and then you become a bigger target."

That's why Charlie Johnson, who leads Symantec's Global Consulting Group, always advises his clients to contact law enforcement instead of caving to the demands of extortionists. Of course, this could be pretty inconvenient and expensive if sensitive databases are encrypted and held hostage—especially given the poor state of cooperation between international law enforcement agencies.

Yet even Johnson, who agrees with Lyon, admits many companies will pay the money just to get their servers back on-line as fast as possible.

"What we're still finding is they're very reluctant to bring law enforcement in to help them with it. … the really smart ones will bring in law enforcement … because, if you don't shut it down, they'll keep coming back."

And therein lies the heart of the problem, and a very good indication that most companies pay, said Stiennon. "The way you can tell (if companies pay) is if the attacks continue. I believe, just from conversations with bankers, they would cave in a minute to demands for money to stay up."