What is extortionware?
Extortionware is the latest stage in the evolution of ransomware. No longer content with simply encrypting a victim’s files, threat actors are increasingly using ransomware incidents as an opportunity to steal huge swathes of senditive data, which is then used as leverage in high-stakes extortion attempts.
In this post, we’ll go over the different types of extortionware, how extortionware has quickly become the norm among ransomware groups and why prevention – rather than reaction – is imperative when dealing with extortionware.
What is extortionware?
Extortionware is a form of cyberattack in which threat actors threaten to harm a target in some way if their demands are not met. Extortionware attacks tend to be highly targeted and typically impact industries that deal with sensitive or high-value data, including the medical, financial and educational sectors.
There are a few different types of extortionware, including:
- Release of compromised data: Threat actors gain unauthorized access to a target system, exfiltrate sensitive information and threaten to release or sell the stolen data unless the victim complies with demand. High-value stolen data may include financial records, intellectual property and personally identifiable information of the victim company’s customers, employees or suppliers. This type of extortionware may also be referred to as “doxware” and is comparable in many ways to traditional blackmailing.
- Threat of DDoS: Threat actors disrupt a target’s website or online service by launching a distributed denial-of service (DDoS attack), whereby a massive network of compromised systems is used to overwhelm a target web server. The attack, which blocks legitimate traffic and often completely disables an organization’s normal online operations, is continued until the target pays up. DDoS attacks have been around for more than 20 years and can now be readily purchased on the dark web.
- Why do attackers use extortionware?
Extortionware is typically financially motivated. Victims of extortionware are usually extorted for money, and payments are made almost exclusively in cryptocurrency, which is faster and more anonymous than fiat currencies. While cyber extortion is not a new concept, it has become increasingly popular among ransomware groups in recent years as threat actors look for new strategies to apply additional pressure to victims.
The rise of extortionware ransomware
The Maze ransomware gang was the first to incorporate extortionware into the ransomware business model. In late 2019, Maze published almost 700 MB of data stolen during a ransomware attack on security services company Allied Universal and announced that more data would follow if the company refused to pay the 300 bitcoin ransom. Data theft and extortionware standard practice, with dozens of other ransomware groups adopting similar tactics over the course of 2020.
What makes extortionware so valuable for ransomware groups? It mostly comes down to leverage.
Traditional ransomware – that is, malware that encrypts files and does nothing more – can largely be mitigated with an affective backup. While a successful attack is undeniably disruptive, it usually isn’t financially crippling, and victims can often restore their systems relatively easily and get back to business without paying for decryption.
Data theft and extortionware nullify the effectiveness of backups. Regardless of whether the victim can recover their encrypted files from backups, threat actors will always have a copy of the stolen data to use as leverage. The stolen data can be published on the web, sold to other cybercriminals or leaked to industry competitors, which can each lead to enormous reputational damage, loss of business and potential litigation.
Consequently, the victims of ransomware extortionware face enormous pressure to pay the ransom in order to not only decrypt their files but, more importantly, also stop the release of sensitive information. We have even seen some ransomware groups use extortionware as a way to double down on their chances of a payout, demanding one payment for decryption and another for the non-release of stolen data.
What’s the difference between ransomware and extortionware?
While “extortionware” is often used to describe modern ransomware attacks that include a data theft component, we believe that this definition is an imperfect one. The suffix “ware” implies a product, whereas data theft is more of an action – and one which can be accomplished in any number of ways.
So, while “extortionware” is sometimes used interchangeably with “ransomware”, there are some important differences between the two terms.
- Ransomware: Ransomware is a type of malware that blocks access to a target’s system or personal files and demands a ransom payment to restore access.
- Extortionware: Extortionware is a broad category of attack that encompasses all forms of cyber extortion. Ransomware groups use extortionware to weaponize stolen data and coerce victims into paying.
- Prevention is the key to stopping extortionware
While a robust backup strategy is an important part of any cybersecurity strategy, the threat of a data leak ultimately makes backups and other disaster recovery tools ineffective for combating extortionware. Instead, organizations must strengthen their perimeters and focus on preventing the initial compromise.
The following best practices may help prevent or limit the impact of extortionware:
- Update software when available
- Encrypt sensitive data
- Segment the network to limit access to valuable data
- Implement and maintain BYOD Security policies
- Enforce the use of MFA and strong passwords
- Train employees on cybersecurity hygiene and social engineering attacks
- Secure RDP
- Restrict remote access
- Monitor network traffic
- Install an update antivirus, which features a dedicated anti-ransomware component and a reliable cybersecurity solution