Meet Extortionware, the Lazy Cousin of Ransomware

You likely remember the massive HBO hack earlier this year that caused scripts and full episodes of shows like “Game of Thrones” to be leaked online. Recently, authorities revealed they have identified the attacker as Behzad Mesri, who has previously worked as a hacker for the Iranian military. He originally blackmailed HBO, threatening to leak the sensitive material if they did not pay him an exorbitant amount in bitcoin. The kicker is that while he was suspected of having infiltrated HBO’s systems using powerful malware, he had in fact simply broken into their systems using phishing. He used basic hacking techniques to extort one of the most powerful entities in Hollywood - and it worked.

In our recent collaborative research with Check Point Software Technologies on the Cerber ransomware, we exposed a fledgling marketplace on the Dark Web that combines sophisticated malware development with low-tech ease. In a sense, you don’t need a high ‘hacking IQ’ to spawn ransomware. In addition, we discovered in our research collaboration with Imperva on “Phishing-as-a-Service” that methods for gaining access to data (like phishing) have become more affordable than ever, lowering the barrier to entry for hackers. It’s the rise of “extortionware for dummies” -- anyone can do it.

In fact, some hackers have found that they don’t even NEED to hack; they simply need to claim they have the sensitive information, and vulnerable organizations and individuals will panic and pay the ransom. Copycats have sprung up, using the identity of famous attackers to scare people into paying without developing complex programs or procedures.

In the UK, 40% of the 500 IT decision-makers surveyed at companies with 250 or more employees had experienced a fake ransomware attack - and 60% admitted paying the ransom on demand (the average sum was a whopping 13,400 Euros).

Another interesting way to commit extortion without actually locking the victim’s system is to recruit an insider who will provide the attacker with the sensitive information and the access required to carry out the scheme without the hassle of malware. As we discovered previously, insiders have become an important asset for attackers. In fact, across the dark web, attackers discuss how company insiders can be better than ransomware:

  1. The attackers often send the victim a sample of sensitive information/files as proof that they have compromised and control the victim’s system. An insider can provide the attacker with such sensitive information with little to no effort.
  2. Company decision-makers often use a variety of devices like laptops, mobile phones, etc. to access their company accounts. This decreases the odds that they will open malicious files from a platform that contains sensitive information. An insider would be critical in reaching those who are savvy enough not to upload or download malicious software in the first place.
  3. An insider can help display a ransomware-like GUI with a bitcoin address for the ransom, without any malware.

The ease and affordability of ransomware are chilling. Its ubiquity and availability are only increasing, and organizations and individuals must be proactive in protecting themselves from it.
