Cyber Extortion: What You Don’t Know Can Cost You

The NJCCIC has been talking a lot about the topic of cyber extortion lately, and with good reason. Just two months into 2016, there have already been a number of cyber extortion attacks across the country, impacting all kinds of individuals, businesses, and organizations. We don’t see this trend subsiding any time soon, because more and more criminals are discovering that it’s a quick and effective way to make a lot of money in a short amount of time. With a myriad of free and low-cost tools at their disposal, these profit-motivated, tech-savvy criminals are able to easily launch an extortion campaign against their victims knowing the potential rewards far outweigh the risk of getting caught.

For instance, on February 5, the doctors and staff at Hollywood Presbyterian Medical Center in Los Angeles, California lost access to their computer files and network shares when they became victims of a brutal ransomware attack. The criminals behind the malicious software that encrypted files and crippled the hospital’s network demanded an astonishing ransom of $3.6 million to restore access. IT professionals worked around the clock for almost two weeks attempting to fix the problems the malware had created. Unfortunately, there was no way to break the encryption without paying the ransom. Although specific details of the attack have not yet been released, the media reported that, on February 17, the hospital’s CEO relented and paid $17,000 to the crooks in exchange for the decryption key.

At the same time, online florists across the country became victims of a different type of extortion scheme. Instead of dealing with encrypted files, however, these victims experienced distributed denial of service (DDoS) attacks that knocked their websites completely offline. One cybersecurity company in particular, Incapsula, recently reported on their blog that they detected a sharp increase in botnet traffic directed towards florists’ websites. They even stated that one received a ransom note but no further details were released. The week leading up to Valentine’s Day is the busiest time of year for florists nationwide, so it’s easy to see how they’d make attractive targets for criminals launching cyber extortion campaigns.

If those examples weren’t bad enough, a new extortion trend is rapidly developing within New Jersey’s own borders. Dubbed “virtual kidnappings” by the FBI, criminals are using emotional manipulation and social engineering techniques to extort money from victims by calling them and pretending to hold their loved ones hostage. Although not inherently a computer-based crime, these criminals are performing extensive reconnaissance on their victims by scouring social media accounts looking for any personal information they can use to help craft convincing calls to their targets. Using call spoofing technology, these criminals can make their calls appear to be originating from any phone number they choose, including that of a loved one. If privacy settings are not properly configured on social media, victims of these schemes can find themselves easily convinced by a con artist who knows where they live, where they work, who their friends and relatives are, what cars they drive, and what they look like. In addition, posted videos of a victim’s loved one can potentially provide voice clips for the extortionist to play during the call, making an even more convincing case to the victim.

The bottom line is, although the motives behind criminal actions haven’t changed much over the years, the way in which crimes are conducted certainly has, due in large part to rapid advancements in technology. Each device we use and website we visit needs to be seen as a potential attack vector for the innumerable threats that exist today. We are interconnected now more than ever and, even though we all may be no more than a click away from each other, we need to remember that there are those looking for ways to exploit our weaknesses and vulnerabilities.

Take the necessary steps to keep yourself and your loved ones safe online. Follow cybersecurity best practices when using your computer or mobile device. Stop and think before posting any sensitive information online about yourself or your family and double-check your privacy settings. Avoid adding people you don’t personally know and trust to your social networks. These simple techniques can go a long way in protecting you, your data, and your money.

To learn how to protect yourself or your organization from ransomware, visit the NJCCIC’s new Ransomware Threat Profile.

For more on other types of extortion trends, read our threat analysis “Extortion: Profit-Motivated Cyber Tactics On the Rise.”

For more information about DDoS attacks and mitigation strategies, we recommend the Center for Internet Security’s comprehensive Guide for DDoS Attacks.

To receive our guide on how to secure your social media accounts and personal information from prying eyes, request a copy via email at NJCCIC@cyber.nj.gov.