05 March 2016
by David Balaban
The new era of cyber extortion
Online extortion is on the rise. In pursuit of new victims and markets, it is mutating in both its characteristics and its attack vectors. Modern cyber weapons include DDoS attacks, file encryption and device locking, all supported by social engineering and backed by the anonymity of Tor and Bitcoin.
Cyber extortionists first flung ransomware at individual users, via mass spamming campaigns. Then, they turned to targeting businesses and organizations, via specially crafted spear-phishing emails.
Ransomware initially targeted personal computers. With the emergence of Linux ransomware, servers and websites hosted on them started to be hit as well. Future targets will be even more high-level, and we’re already getting a glimpse at what the future holds:
A ransom Trojan infected UK Parliament systems in November last year, hitting a shared drive used by about 8,500 government employees. Had government secrets been publicly exposed, the consequences could have ranged from a serious political crisis to armed conflict.
Israel's Electricity Authority, a government department providing utility services, was infected with ransomware that spread throughout its network, putting the country's critical infrastructure at risk. A paralyzed power grid, water or gas supply system could cause more harm than the worst natural disaster.
Fortunately, none of these attacks caused lasting damage, but some cyber extortion campaigns have ended tragically. A Romanian man killed his son and himself after seeing a ransomware notification demanding a $21,000 fine for watching prohibited pornographic content. A 17-year-old college student committed suicide after seeing a ransom message impersonating the UK police.
The cyber extortion industry is already progressing at a rapid pace. How long before something far worse happens in the continuously evolving Internet world? Any of the three attacks above would be the cherished dream of a movie villain like Dr. Evil, who routinely devises schemes to terrorize and take over the world. I am not sure that no ill-disposed scientist, dictator or billionaire is planning to turn the earth into hell, and in the era of IoT, ransomware provides such opportunities. Hacking for money is just one motive; hacktivists or terrorists may have far more dreadful ones.
Here is another real-world example. Individuals and businesses are moving to the cloud, and cyber extortionists are following them. A company called Children in Film uses an application that maps its cloud drive as a local disk on the customer's machine. One wrong click on a catchy email attachment got the cloud drive encrypted: to ransomware, a mapped cloud drive is just another writable volume. According to their hosting provider, the infection compromised other clients on the same server as well. Ransomware acts swiftly and reaches far.
The modern tech world gives cyber extortionists huge opportunities. Many things have proved to be vulnerable and can pose a serious risk once hacked. For example, the security of modern vehicles is fairly weak: it doesn't take a genius to break RFID car locks, and researchers have demonstrated how to hijack a Jeep as it hurtles down a St. Louis highway.
It's very easy for criminals to find unprotected surveillance web cameras and other digital appliances: they use Shodan, a search engine for Internet-connected devices. Web cameras are tasty morsels for offenders. Security experts predict that medical implants, wearable devices and other IoT gear are the next targets. Just imagine the display of your bathroom scale saying: "Hey, 2 Bitcoins or I tweet your weight history." Or a scarier one: "Want to keep using the pacemaker? Pay me 2 Bitcoins."
Researchers have reported more than 300 vulnerable medical devices from 40 different manufacturers. They use hard-coded passwords that the customer cannot change, and criminals can find these credentials in publicly available manuals. Cyber extortion doesn't necessarily rely on complex crypto; it may simply lock a device or make small manipulations to its data.
Ransomware has attacked appliances with built-in Smart TV technology as well; Candid Wueest of Symantec demonstrated a viable proof of concept. Any hacked device with Internet access can become a node in a botnet or be used for click fraud campaigns and DDoS attacks. TV malware can also record and steal account credentials and similar sensitive data. The scammers can then lock the device and demand a ransom to restore it to normal.
Current IoT trends encourage vendors to put their products online and stuff them with as many features as possible. Meanwhile, it's reasonable to assume that things like connected fridges lack "secure by design" characteristics. Researchers expect about 25 billion connected 'things' by 2020. From a single point of compromise, such as a digital certificate trusted by every device, hackers and cybercriminals can take over a whole fleet of thousands or even millions of smart things.
Secret data is another target for cyber extortionists. Banks conceal the actual scope of credit card fraud. Politicians and large corporations can be blackmailed because they have secrets. The attack surface is huge, so we need to respond to these trends efficiently.
What can we do now? It's a good idea to try to make cyber extortion unprofitable: stop paying, and say so publicly. People and organizations are already stating upfront that they will not pay. When a ransomware attack paralyzed the Lincolnshire County Council network, the Council's representative said they would not pay up. Similarly, several premium email providers hit by DDoS attacks refused to pay ransoms.
Law enforcement agencies should take down the underground infrastructure as often as possible. It's not easy but worthwhile; the takedown of CryptoLocker back in 2014 is a good example. Attackers should stop thinking that they are beyond the reach of law enforcement. Negotiating the price, playing for time and trying to wheedle more information out of the scammers can also help track them down: they are usually young and unprofessional, and they make a lot of mistakes. Another vector concerns the operation of cryptocurrency companies, which should be more closely regulated and monitored, at least when it comes to ransomware investigations.
The next step is to enhance users' security awareness. People should exercise more caution with things like suspicious email attachments. Backups should become a habit, with one caveat that the Children in Film case illustrates: a backup that the infected machine can write to (a mapped cloud drive, a permanently attached disk) gets encrypted along with everything else. A backup kept offline or otherwise out of the machine's reach, and tested by actually restoring from it, resolves most problems associated with encrypted or infected files.
Users hit by ransomware should not pay immediately. Psychological factors have always played a significant role in blackmail scenarios; stress prevents victims from adequately weighing up the risks. The shock factor should not distract us from dissecting the situation soberly and trying every possible recovery option.
The concept of cyber extortion hasn’t reached the peak of its maturity. The security industry and users should take this into account and prepare for future attacks.