The COVID-19 pandemic has driven most organisations either online or out of business. As companies forcefully embraced a digital workforce, they were tasked with securing their remote workload and data from a variety of online threats. Unfortunately, this was uncharted territory for many, which led to the creation of a breeding ground for cybercriminals. Presently, as cyberattacks stand at an all-time high, modern-day hackers seem to be employing a new business model to amplify the success of their attacks and ransoms: extortionware.
We’re all familiar with the term ‘ransomware’ at this point. Credited as one of the most common types of cyberattacks, cybercrime usually pans out with an infected email. When its attachments are opened by recipients, all the files housed on the computer and network become compromised and encrypted. The hacker then offers to de-encrypt the files at a price.
Ransomware was 2020’s weapon of choice until hackers realised the potential of extortionware. Even more difficult to predict and protect against, extortionware attacks usually target high-profile companies and personnel. Cybercrime is more about the retrieval of data than its destruction or encryption. Once hackers gain access to your system and extract sensitive information, demands are made, usually for money, followed by a threat. For example, criminals may send your company’s intellectual property to competitors or distribute embarrassing data online unless they’re paid.
The major concern with this sort of attack is that even regular backups won’t help you stay protected. Once hackers get their virtual hands on your porn stash, there is nothing you can do about it. Even if you pay the pressurised ransom, the move won’t guarantee the restoration of your data, not to mention your reputation.
Ransomware, coupled with extortionware, makes a sturdy criminal business model. The BBC noted the immense potential of this rising trend for “affecting companies not just operationally but through reputation damage.” This statement was made following up a group of hackers who posted a screen grab of an IT director’s secret porn stash.
In a blog post on the dark web, the cyber-criminal gang named the director whose work computer allegedly contained the files. The screen grab posted to the blog featured dozens of folders catalogued under the name of various porn stars and websites. “Thank God for (name of IT director),” the caption read, “While he was masturbating we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”
However, the post has been deleted in the last couple of weeks—proof, which experts imply that “the extortion attempt worked and the hackers have been paid to restore the data and not publish any more details.”
“Extortionware is the new norm,” stated Brett Callow, a threat analyst at cyber-security company Emsisoft. In an interview with the BBC, he labelled these incidents as “no longer simply cyber-attacks about data” but “full-blown extortion attempts.” “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out.”
The analyst has been following ransomware tactics for years and admitted to witnessing this shift in methods in late 2019. “It used to be the case that the data was just encrypted to disrupt a company, but then we started seeing it downloaded by the hackers themselves. It meant they could charge victims even more because the threat of selling the data on to others was strong.”
Just yesterday, Representative Matt Gaetz, Republican of Florida and a close ally of former President Donald J. Trump, came under federal investigation over alleged claims of sex trafficking and potentially having a sexual relationship with a 17-year-old. “What is happening is an extortion of me and my family involving a former Department of Justice official,” Gaetz said in an interview with Fox News. “On 16 March, my father got a text message demanding a meeting wherein a person demanded $25 million in exchange for making horrible sex trafficking allegations against me go away.”
The former congressman seeked help against the blackmailing from the local FBI and the Department of Justice (DOJ) who asked Gaetz’s dad to wear a wire to record further extortion phone calls. “Tonight I am demanding that the DOJ and FBI release the audio recordings that were made under their supervision which will prove my innocence and that will show that these allegations aren’t true—they’re merely intended to bleed my family out of money,” Gaetz added.
The Maze ransomware group became the most notorious cybercriminal group for using extortionware methods in 2020. If companies refused to pay Maze’s ransom fees, these hackers exposed their data online through continuous data leaks that made it next to impossible to know when they would stop.
Given how lucrative extortionware is for hackers and the fact that ‘work from home’ is set to become the new norm, the cyber attack genre will continue to grow as a favoured practice post-pandemic. However, there are steps that organisations can take to ensure their data is sealed air-tight against such malicious threats.
According to Security Magazine, end-user data, NAS systems, file shares, virtual machines and SaaS applications including Microsoft 365 are particularly vulnerable to extortionware attacks. To ensure cyber resilience and protect these large sets of data, organisations are recommended to implement a “holistic security strategy that incorporates both protection and recovery.” This includes the deployment of protective measures while empowering resilience to minimise downtime when an extortionware attack happens.
“A strong data management approach, coupled with a robust protection architecture that includes reliable backup and disaster recovery helps ensure these applications remain protected and easily recovered,” experts at Security Magazine advise. This involves increasing your network perimeter security with a firewall as well as installing anti-malware software both on personal and work computers along with regular data backups. Organisations are also recommended to test their data recovery and backup solutions frequently to ensure optimal success against such cyber attacks.
As workload goes digital, almost every organisation is vulnerable to 2021’s extortionware storm. The fact that a whopping $20 billion was paid as ransom by various organisations in 2020 (almost double its $11.5 billion estimate from 2019) further pleads the case for them to prioritise data protection and recovery strategies. As we head into a digital-first age, these practices also have the potential to become the bare minimum operating policies customers will look for themselves in any company, no matter its size or industry.
Comprehensive and engaging cybersecurity training can raise employees’ awareness by up to 13 times. As our everyday activities have blended into the digital realm, cyber resilience has also become a topic for consideration, and its bits and pieces have permeated today’s film industry, too.
Cybersecurity awareness has kickstarted the tradition of man-versus-machine blockbusters which peaked with the premiere of The Matrix in 1999. The themes of online dangers and IT vulnerabilities are still popular today, yet the genre is slowly shifting from fiction to documentary—and people may find this a bit unsettling.
“What has been depicted as the ‘future’ some twenty or thirty years ago has become commonplace today. People are used to constant innovation and utilise technological achievements to make their lives more convenient. Yet cybersecurity still lags behind, and the big screen now tries to raise awareness by depicting the other side of digital progress,” says Juta Gurinaviciute, the CTO at NordVPN Teams.
Here are 5 must-watch documentaries for anyone looking to learn more about cybersecurity and everything that revolves around it:
The name says it all: this documentary digs into the Cambridge Analytica scandal and the organisation’s part in the 2016 US Presidential election. The British company used Facebook as a means of “political-voter surveillance,” and leveraged the collected data to influence voters, contributing to Donald Trump’s victory as well as the UK’s exit from the EU—Brexit. The movie warns about the vulnerability of personal data and how it can be used to affect social behaviour.
Some experts suggest this documentary should be shown to children to raise their cyber awareness and educate youngsters about the threats lurking online. The picture recreates the history of computing and the internet, showing how hacking as a hobby turned into a national security concern. But compromising computer systems is only one part of the picture, the other being concerns about our private data and what malicious actors can do with it.
The documentary looks behind the scenes of major cybersecurity incidents of the last decade and introduces the people who helped to contain them. The movie unveils the hacking attempts of the London Olympics, the San Francisco transport system, The New York Times, Sony Pictures, and other victims. In these attacks, malicious actors managed to leak five movies, myriads of social security numbers, and millions of emails. By interviewing people who tried to stop the attacks, the creators of the movie reveal the secret dynamics of every data breach.
The winner of the Academy Award, multiple Emmys, and the Grammy, Zero Days is sometimes called the most important documentarian of our time. The movie focuses on the infamous Stuxnet worm, malware that compromised the Iranian nuclear reactor program. The well-researched and informative documentary tries to find out who has designed the virus and why. More importantly, it raises the question of what would happen if unstoppable malware is employed by hackers and set to roam free on the internet?
“If you get anything for free, you’re the product”—the popular marketing mantra goes. In exchange for private data, internet users can access free and well-designed services, from social media to productivity apps. But at what cost? As most of us don’t read the Terms and Conditions before agreeing with them, award-winning filmmaker Cullen Hoback has done the background work for us. He tries to investigate what corporations and governments are doing with users’ data and if it is possible for them to opt-out.
“Learning and education is the main way to keep up with an evolving threat landscape. In addition to formal cybersecurity training, chief security officers should employ entertaining and inclusive teaching methods. Showing your team a well-researched documentary will expand their knowledge and build awareness,” says Gurinaviciute.