February 1, 2021

Ransomware is a Mere Symptom, Extortion-Based Crime is the Disease

Has the rise of ransomware distracted us away from the true issue at hand? Encrypted files, corrupted applications, deleted backups, and posting stolen data online – all debilitating symptoms that are accurately attributed to ransomware. However, while ransomware has arguably become the greatest current security threat to organizations, the disease is not ransomware, it is extortion-based crimes – the ability for threat actors to turn unauthorized access to an organization’s computer network into financial gain. With the shift to digital currencies, the monetization from attacks has only become easier for threat actors.

We have watched the rapid evolution of ransomware shift from single-system encryption events with extortion amounts of less than $15,000 to enterprise-level encryption events with demands routinely in the tens of millions of dollars. The financial incentive for criminals is clear and present and ransomware is currently the easiest way to monetize these attacks. However, while ransomware is currently the sharpest tool the attackers have, it is by no means the only one.

Yes, we need to solve the issue of encrypting systems. Yes, we need to solve organizations not having a robust backup solution to address the threats of ransomware. Yes, we need to solve the issue of organizations leaving RDP open to the Internet which is the leading cause of ransomware infections. But these items only address a specific technical tool or tactic that the threat actors leverage. These tactics must be addressed, and we are witnessing the security, software, and hardware communities band together to help eradicate these threats. As we narrow down on the ransomware symptom though, we must not lose sight of the “man behind the curtain” – extortion-focused attacks.

Before we highlight future trends of extortion-based crime, let’s look to the theft of payment card data (the disease), which provides a historical viewpoint on how the tactics emerge over time.

A Brief History of the Evolution of Credit Card Theft

The evolution of attacks that targeted the theft of credit card data serves as an interesting parallel to what may come of extortion-based attacks. As a quick recap, credit card theft started with the physical skimming of credit card machines so that attackers could collect the information necessary to create counterfeit credit cards. These attacks are still in use today, typically targeting ATMs. From there, attackers evolved to hacking into the computer networks of businesses that accepted credit data and would “skim” digital credit card transactions through the terminals themselves or through a central server that consolidated transaction details from terminals before it was sent to the payment processor. With the widespread adoption of EMV “chip and pin” technology and end-to-end encryption, the barrier to entry for threat actors became harder and the payouts farther and fewer between. And so, the attacks shifted to ecommerce, where attackers could find easier targets. This evolution over time highlights the key issue that the disease was stealing credit card data for profit, the symptoms were the “how” it was accomplished.

Predicting the Future of Extortion-Based Crimes

Ransomware is currently the primary weapon threat actors leverage in extortion-based attacks. However, as ransomware gains more attention and the ability to encrypt files could become more difficult, threat actors will adopt additional escalation techniques to continue profiting. MOXFIVE has observed threat actors begin experimenting in a variety of different techniques and we expect them to increase in frequency over time as the focus on ransomware could raise the barrier of entry for threat actors. The following is a sampling of what has been spotted in the wild and what potentially is to come.

Data Exfiltration

Over the last year, ransomware threat actors began stealing data from organizations just prior to encrypting the environment. When the ransom is demanded, the threat actor reveals that they stole data from the environment and will release it publicly if the ransom is not paid. A “double extortion” to apply more pressure to victims to pay the ransom. MOXFIVE is seeing an alarming increase in the number of instances where organizations have backups to restore their IT operations, yet still pay the ransom to “buy silence” from the threat actor.

In these instances, MOXFIVE recommends a more active defense that applies dark web and open web monitoring with quick action to take down data posted to any open web data repositories. While not 100% effective, neither is paying a ransom to buy a criminal’s silence. A more active defense allows a third option besides “pay or do not pay” that can help tip the odds back in favor of the ransomware victim.

Windows User Accounts Lockouts

Threat actors have also started to change credentials for Windows administrative user accounts, or in some instances, all Windows user accounts, to effectively lock users out of their systems. This small step can significantly hinder recovery efforts as the IT teams are essentially locked out of their environment to even begin recovery. The threat actors then promise to give the new passwords with the decryption utility if the ransom is paid. Take the ransomware component out and you have a viable extortion-based attack that can lock people out of their systems unless credentials are provided.

MOXFIVE recommends an effective Privileged Access Management solution to store and protect privileged account credentials.

Distributed Denial of Service (DDOS) Attacks

At the network level, MOXFIVE has observed threat actors conduct DDOS attacks against victims’ environments in tandem with an encryption event. Some speculate that it is an attempt to distract away from the ransomware encrypting files in the environment but the DDOS attacks can continue to take down not only internal systems, but external facing applications as well, which can inflict additional financial hardship on organizations – consider an online retailer during a busy shopping season.

The threat of a DDOS can be increased to where threat actors target critical networking gear and block control of network traffic into and out of the network, which would cripple an environment. While MOXFIVE has not observed this yet, we have seen threat actors gain access to firewalls and have the means and the capabilities to execute such an attack.

MOXFIVE recommends organizations that rely on a significant Internet presence to contract with DDOS mitigation firms in a proactive manner to help mitigate the threat of DDOS attacks. Furthermore, organizations should implement centralized management of network gear to easily manage, and secure, network devices in their environment.

Destructive Attacks

One of the more concerning future potentials of extortion-based crimes is one that nation states have been dealing with for quite some time – the threat of physical damage to computer systems and connected devices. Malware authors are burrowing deeper into systems, gaining access to firmware and hardware level flaws. This can take an attack to the point where they could “brick” a system, rendering it impossible or extremely difficult to boot. If desperate, or lucrative enough, threat actors could shift to infecting a network with malware capable of that level of destruction and threaten to bring the environment completely and permanently down if a ransom is not paid in a certain amount of time. This would leave an organization scrambling to investigate and remediate as quickly as possible to mitigate damage. Of course, this requires attackers to thread a needle of not destroying an environment until a victim can pay – yes, this brings flashbacks to NotPetya ransomware that crippled networks in 2017. While difficult, it is not impossible.

Defending against these types of attacks requires a layered security approach that starts with the basics and matures into a robust security program. MOXFIVE recommends a prioritized security roadmap that pinpoints specific risk areas in an organization and targets pinpoint solutions that maximize the return on value of security investments.

The Real Issue - Extortion-Based Attacks

The shift to digital currencies has made it easier for threat actors to monetize extortion-based attacks at great profit. An endless supply of highly skilled adversaries, a precedent of successfully extorting victims for higher payouts, and less friction collecting (and spending) funds has opened the flood gates for the frequency and severity of these attacks. While ransomware has the spotlight now, we must not forget that it is a symptom of the extortion-based crime disease. To truly combat extortion-based crimes, starting with ransomware, MOXFIVE recommends the following focus areas:

  1. Create a robust defense strategy that protects environments against current and future attack trends. Start with the basics and build from there.
  2. Address the immediate threat of ransomware by protecting endpoints. EDR solutions provide a great level of endpoint security to help prevent the encryption of systems.
  3. Impair the ability of threat actors to monetize attacks. This starts at the organizational level to reduce the likelihood of having to pay ransoms and extends to cryptocurrency exchanges and government-level initiatives.

We all must continue to address the symptoms of extortion-based attacks, like ransomware, but must ensure we do not lose sight of the true disease. The solution will not be quick, complete, or without pain. But together as an industry we can reverse the concerning trend in the rise of extortion-based attacks.

Jason Rebholz

Jason was born and raised in incident response, having helped over a thousand companies who were victims of cyber-attacks. He spent over a decade conducting investigations into APT threat actors, financial / organized crime, and hacktivists that targeted the SMB space and Fortune 100 companies. As a founding member of MOXFIVE, Jason now supports organizations in mitigating the impact of cyber-attacks through building a more secure and resilient infrastructure and assisting ransomware victims in securely restoring business operations following ransomware attacks.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 


Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More