What do you do when someone you don’t know online threatens to harm your family or destroy your business? They are serious threats; how often does someone get threats like these in the real world? Not often.

Today, everything has changed. The internet has opened the flood gates for cyber extortion. Individuals are attacked en masse in their homes and their organisations. Businesses are increasingly targeted. It has never been so easy to extort someone. The financial and emotional costs are high for victims.

Individuals and organisations are often not prepared well enough for cyber extortion attacks. They fall victim and face a tough choice – do they pay the ransom or not?

This chapter will prepare you to deal with cyber extortion attacks and what to do when one happens.

ANATOMY OF CYBER EXTORTION

Extortion is the threat of force, violence or intimidation to gain something from an individual or an entity (for example business, government). It can include harming a victim’s reputation.

For example, the lawyer Michael Avenatti was convicted of extortion in 2021. He threatened the global shoe company Nike: unless they paid him $25 million, he would hold a news conference and ruin their reputation, which would sink their stock price (Fieldstadt et al., 2020).

Another example is organised crime-run protection racketeering. This is when criminals tell local businesses they must pay them a monthly fee for protection – but in reality, no security is needed, and the business owners are extorted. They are threatened that if they do not pay, the criminals will do something terrible like harm their families or burn their businesses down.

Technology advances have changed how criminals can use extortion; the internet has become an enabler. There are critical differences between physical and cyber extortion. The main one is the type of assets targeted. With cyber extortion, a victims’ secrets, data and reputations are all vulnerable and exploitable by cybercriminals. No physical threat is carried out (usually). No criminal enforcers will show up at your home or business to carry out the extortion threat or collect money. Cybercriminals can carry out their threats digitally, far away from where their victims are located.

Unlike cyber fraud, cybercriminals do not need to groom their victims or mislead them to get money. They threaten victims instead. The message is clear: pay the money or an online threat will be carried out. The threats are severe enough that livelihoods and reputations can be ruined. Then there is the emotional distress victims go through; victims report that cyber extortion is a traumatic and harrowing experience.

With the shift to cyber extortion, attempts also have grown exponentially. Today, with the help of technology, cybercriminals can extort thousands of people and organisations simultaneously, anywhere in the world.

LESSONS FROM HISTORY

Extortion has always been part of a criminal’s toolbox. It’s not difficult for criminals to threaten someone. Historically, a common threat against victims was to harm them in some way if they didn’t do what the criminal wanted.

Extortion is a serious crime. The Romans understood this over 2,000 years ago and passed one of the first recorded extortion laws in 149 BC. The law was called Lex Calpurnia; it was established to prosecute extortion crimes committed by the magistrates and governors (Ferguson, 1921).

One of the first recorded extortion cases was prosecuted in 71 BC (Linder, 2008). It was the trial of Gaius Verres, the Governor of Sicily. The legendary orator Cicero prosecuted Verres.

This is how he described him:

Not only a thief, but a wholesale robber; not only an adulterer, but a ravisher of chastity; not only a sacrilegious man, but an open enemy to sacred rites and religion; not only an assassin but a most barbarous murderer of both citizens and allies; so that I think him the only criminal in the memory of man so atrocious, that it would even be for his own good to be condemned.

(Yonge, 1903)

Verres was a scoundrel. One of the primary charges against him was extortion. Farming was the lifeblood of Sicily during this time, and the province was the breadbasket for the rest of the Roman Empire. Within three years of becoming governor, Verres single-handedly destroyed that. By the time he was brought to trial, the province was barely able to feed the people of Sicily.

When Verres first arrived in Sicily, he issued a proclamation conferring his chief tax collector the power to set tithes at whatever rate he deemed appropriate. Verres had him increase the taxes by at least three times the previous rate. Farmers were given a choice: pay the increased taxes or face a four-fold penalty instead. In some cases, the taxes were higher than the revenue on which they were levied. In these cases, the farmers would flee or commit suicide. Many farmers just couldn’t make enough money to live on, so they abandoned their farms en masse. There was a 50–75 per cent decline in the number of active farms.

However, there is evidence that Verres’ first extortion attempts were not getting him the results he wanted. The farmers were pushing back. In Verres’ first special edict, he ordered that all farmers be prohibited from removing grain from the threshing floor until the tax collector had been paid. The farmer Septicus (along with a few other farmers), decided to leave their crops on the floor and let them be destroyed by the rain rather than pay the excessively high taxes. Once Verres got wind of this, he issued a second proclamation requiring farmers to bring all grain to the coast by 1 August. Farmers then had to face the agonising choice of complying or facing the consequences.

The increase in taxes went direct to Verres. He wasn’t extorting one person; he was extorting thousands of people at the same time.

Imagine what the farmers must have been going through. Overnight, with no warning, they were presented with what must have been seen as an impossible situation. Give in to the extortionist’s (Verres) demands and pay the exorbitant taxes, or face life-changing consequences. Most of them probably had everything they owned invested in their farms.

In the end, the farmers fought back by going to Rome to get influential political figures like Cicero to take up their case.

Then there are more recent examples of extortion. Organised crime has been notorious for using extortion to extract money from people since it first began. For instance, in the early days of organised crime in many urban areas in the eastern United States, in the early 1900s, wealthy individuals would receive an anonymous note demanding a sum of money to be sent to the writer of the message. The note would tell the individual that if they didn’t pay, they could expect some harm to a member of their family, or their businesses would be bombed (Law Library, no date).

If you look at the underlying methodologies for extortion from Roman times to today, the essential playbook is the same: threaten someone with unsavoury actions if they do not comply with demands. As discussed in the next section, only the attack methods extortionists use have changed.

CYBER EXTORTION ATTACK METHODS

It’s never pleasant getting targeted for cyber extortion attacks. While there are many different types of attacks, the majority of them can be summarised as the following.

Email ransom campaigns

In these attacks, cybercriminals send emails to victims threatening them. There is a wide range of different types of threatening messages cybercriminals use. Sometimes these can be life-threatening, such as hiring a hitman or planting a bomb to kill you and your family (Gatlan, 2020). In 2020, the FBI reported that people were getting emails that threatened their family with COVID-19 infection unless money was transferred to the sender (Gatlan, 2020). Here is an actual excerpt of what was written:

You have 24 hours to make the payment. I have a unique pixel within this email message, and right now, I know that you have read this email.

If I do not get the payment:

I will infect every member of your family with the CoronaVirus. No matter how smart you are, believe me, if I want to affect, I can. I will also go ahead and reveal your secrets. I will completely ruin your life.

These types of email are a con. No-one is going to carry out the threat and hurt your family.

Online smear campaigns

An individual or business receives a threatening message that says they will be targeted with an online smear campaign unless they pay a ransom. A smear campaign is an intentional effort to damage someone’s reputation. Take the case of CheapAir.com. In 2018, they received a message threatening to post thousands of negative reviews on their social media sites and destroy their search engine optimisation (SEO) ranking on Google (CheapAir, 2018). The cybercriminals demanded a ransom of $10,000 in Bitcoin. CheapAir.com did not pay, and the cybercriminals carried out their threatened online smear campaign – most of which included posting numerous negative tweets on Twitter (Emem, 2018).

Or consider this case: in early 2021, Indie author Beth Black was getting ready to release a new book. She posted about her upcoming book on Goodreads (owned by Amazon), the world’s largest and most influential digital book database. A few months after posting, she received a cyber extortion demand email. It threatened that her new book would be inundated with negative reviews unless she paid a ransom. Authors are under pressure to gather positive reviews to help their book succeed. The cybercriminals understood this and used it to their advantage. Black reported the email to Goodreads. A couple of hours later, numerous one-star negative reviews began appearing. The term for this is ‘review bombing’ (Black, 2021).

Threatening calls or messages

Sometimes an automated voice system calls; in other cases, it’s an actual person that calls. In both instances, a threat is made.

A common one in the UK at the time of writing is to get a call saying there is a tax fraud case registered in your name. This is an automated message imploring you to press ‘1’ to connect to an official staff member at the HMRC. The message says that if you do not click, then a warrant will be issued for your arrest (Martin, 2019).

In 2021, an illegal call centre in Delhi, India, was shut down. The cybercriminals called UK citizens pretending to be from the department of justice or a customs official. They threatened victims that a criminal case had been registered against them for unpaid taxes. Unless they paid immediately, then they would face getting arrested (Srivastava, 2021).

Distributed denial-of-service (DDoS) extortion

Distributed denial-of-service (DDoS) attacks have been around since the early days of the internet. They initially began as denial-of-service (DoS) attacks, in which the attacker would use one or a small number of computers to overload their target computer. Once the computer was overloaded, it could not function (if a website was running on the targeted computer, it would stop working).

DDoS is the next step in the evolution of DoS attacks. With DDoS attacks, the attacker uses a significant number (thousands) of computers to launch their attacks and overload their target. The target can be a website, server or network (NCSC, no date). Anything connected to the internet can be a target.

Cybercriminals are using DDoS attacks to extort businesses and individuals, though businesses are primarily the target of these attacks. They threaten their victims with a DDoS attack unless a ransom is paid. As of August 2020, ransoms ranged from $50,000 to $300,000 depending on which cybercriminal group was attacking (Eisler, 2021). Bitcoin is the payment method of choice.

Usually, the extortion attempt starts with sending the victim a threatening email with a deadline for paying the ransom. Sometimes, the email warns that if the attack is disclosed publicly, the attack will begin immediately. This is the threat from the cybercriminal group Armada Collective:

If you report this to media and try to get some free publicity by using our name, instead of paying, the attack will start permanently and will last for a long time – Armada Collective

Another group calling themselves Fancy Bear focused on reputation damage. Here is their threat:

… your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. … We will completely destroy your reputation and make sure your services will remain offline until you pay – Fancy Bear.

(Arghire, 2020)

In other instances, the cybercriminal group will launch a short attack to prove they are serious and have the capability.

Ransomware

The most effective cyber extortion attack, by far, is ransomware, a type of malware. An excellent way to think about this is to compare ransomware with a viral illness. A virus can use any number of routes to infect the human body and, once inside, it can cause havoc. Likewise, once ransomware gains access to a computer, it too will cause havoc, most likely by encrypting it.

When a computer has been infected with ransomware, typically all of the files on that computer become encrypted. This causes the files to become visibly scrambled, and anyone looking at them will be unable to read them. It’s similar to the green scrolling code in the Matrix movies and will make no sense to anyone looking at it.

The only way for this to be reversed is to gain access to the decryption key, which will decrypt the encrypted files (in other words, it will reverse the encryption). Think of it like this: you come home after work one day, and you find that your house key doesn’t work and that to gain access to your house, you need a new key. That’s what the decryption key is, except that, in this case, your entire home has been put into an indestructible sealed box with absolutely no way of breaking in without the key. Everything on your computer is lost without that decryption key.

Next are some of the more common attack methods cybercriminals use to get ransomware on computers.

Phishing

With ransomware phishing messages, cybercriminals don’t want to steal your information; instead, they want to take your data hostage. Trick messages (through email, Facebook Messenger, WhatsApp, SMS and so on) are used to entice users into downloading malicious files or clicking on malicious links.

The messages can appear legitimate, and sometimes the cybercriminals mimic their target’s friends to make it appear it has come from them. Once the user clicks on the link or downloads the file, their device is then infected.

Drive-by

This goes hand in hand with phishing. A drive-by attack is when someone visits a compromised website, often directed via a link in a phishing message, and through no action of their own, the website installs malicious software on their computers (Kaspersky, no date).

Pop-ups

An older yet still common method of installing ransomware is using online ‘pop-ups’ disguised as legitimate messages. They can even appear as official Microsoft or Adobe patch updates, often implying that a patch must be downloaded immediately or the computer will be compromised. Of course, the unsuspecting victim doesn’t want to get hacked, so promptly downloads the dodgy patch. And thus, gets infected.

USB and removable media

USB and other removable media devices can be sent in the mail to victims or placed in easy to find locations like parking lots, where it is hoped someone will pick up the device and insert it into their computer. There may be some misleading statements on the device, such as saying that it’s a promotion for Netflix or that it’s confidential. Once the victim opens the device on their computer, ransomware will automatically infect their computer.

Known exploits

Ransomware will often bypass user interaction and infect computers automatically by exploiting common vulnerabilities. Every software company discovers vulnerabilities at some point in their products; it’s commonplace. When they do, they race to find a fix for the vulnerability. Then they usually release a security patch to all of their customers so they cannot become victims if the vulnerability is exploited. All customers would then be protected. That is what should happen, but unfortunately it doesn’t in many cases. Computers and phones are not updated and, as a result, are at increased risk of a ransomware attack.

While most ransomware attacks target computers, increasingly, they are also attacking mobile devices. In 2020, ransomware named Lucy was detected targeting Android devices. It spreads through social media links and instant messaging apps (Mana et al., 2020).

From the cybercriminal’s perspective, ransomware is one of the easiest methods to get money. Once the victim’s computer has been forcibly encrypted, the cybercriminal needs to do nothing. They simply wait for the victims to contact them. The responsibility is on the victim to complete the transaction.

As ransomware continues to bring down computers, companies and individuals are taking steps to minimise the impact of a ransomware attack. No one wants to pay a ransom to get their computers working again. Maintaining backups is always a good idea. This way, victims can reinstall their operating system and restore their data from their backups, thereby not having to pay anyone. As such, improved backup strategies often reduce the need to pay the ransom.

Cybercriminals are getting wise to this defence and changing strategies. One such method is referred to as ‘double extortion’. Before encrypting their targets’ computers, they will steal their victim’s data. This is essentially a data breach. Even if the victim has good backups, they are now faced with extortion demands that their confidential data will be publicly released if they do not pay the ransom.

Cybercriminals are setting up public shaming boards to increase pressure on companies to pay the ransom. They know the boards will cause reputational damage to the company. They sometimes release a portion of the stolen data on the boards for the public to see, promising to give back the data and permanently delete them if they are paid.

Another worrying trend is auction sites on the dark web. If the cybercriminals still do not get their ransom after all of their attacks, they will likely auction the company’s data to the highest bidder. A competitor or someone with malicious intent could then buy the data.

The security company Coveware reported that as of Q4 2020, 70 per cent of ransomware attacks involved a threat to leak data (up 43 per cent from Q3 2020). This trend is worrying for businesses and individuals alike. In the same report, Coveware said they see signs that cybercriminals are not deleting or purging data after payment (Coveware, 2021).

Another change in strategy for cybercriminals has been to launch targeted attacks against high profile businesses. Think of it as big game hunting. They spend more time researching their targets and planning their attacks (Newman, 2021). Ransom demands have soared as a result.

For example, in May 2021, a ransomware attack on Colonial Pipeline caused them to shut down operations. It crippled fuel deliveries up and down the East Coast in the United States (Kovacs, 2021). Colonial Pipeline paid approximately $5 million to cybercriminals to recover their systems.

Travelex, the London-based foreign currency exchange, had its operation stopped by a ransomware attack in April 2020. They paid £2.3 million. Nine months later, they fell into administration and closed (Asokan, 2020).

Early cybercriminals who created ransomware variants had a problem. Even though Bitcoin allowed them to receive anonymous funds, cybercriminals found that many victims were not paying.

Initially, victims would get their files encrypted and then were told they had a set amount of time to pay the ransom (usually 48 hours), or their files would be lost forever. The percentage of victims paying to remove the ransomware was surprisingly low. The attackers had created a sense of urgency, but they failed to understand the psychology of what the victim was going through.

Early ransomware messages confused the victims (Gutman, 2020). They were often unable to pay within the given time, wasted time seeking help or didn’t understand the payment instructions. Most people do not have Bitcoin and have never purchased anything with Bitcoin. Further, it takes time to set up a Bitcoin wallet account (often several days).

Victims could often not comply with demands, so cybercriminals proceeded to carry out their threats of locking files forever. It was not a good strategy for extorting money from people.

Cybercriminals had to adopt new psychological methods to improve their conversion rates. They began using persuasion techniques.

Here are several examples of how they ‘improved’ their methods:

• Incentivise the victim to pay faster with messages like ‘The faster you get in contact – the lower price you can expect.’
• Empathise with the victim, trying to come across as reasonable and concerned. They use language like ‘don’t worry’ and ‘you can be up and running in no time’ in a friendly manner.
• Instil authority. Cybercriminals use official logos like those of the FBI or Microsoft and use language that sounds official. This is to instil the request with the notion of authority and credibility.
• Include warnings that the operating system (usually Windows) has been blocked or banned due to detecting illegal or copyrighted software or the detection of other spurious activities (such as visiting websites with adult content and pornographic images).
• Elicit compassion. One particularly insidious example is the CryptoMix ransomware, which promises to send the ransom money to charities such as the ‘International Children’s Charity Organisation’. Of course, no money goes to any children (McAfee, 2019).

These tactics induce a range of emotions to persuade victims to pay, using aspects of fear, urgency, authority and, in some cases, likability.

Cybercriminals now often give instructions on how victims can obtain Bitcoin and include links to websites where it can be purchased. In some cases, they even provide victims with tutorial videos to show them how to buy Bitcoin.

RANSOMWARE AS A SERVICE AND DDOS AS A SERVICE

Today, financial returns have become so lucrative that ransomware and DDoS attacks have evolved into large-scale industries. Many cybercriminal gangs are involved as they seek to expand their operations. One way they do so is via the dark web by selling ransomware as a service (RaaS) and DDoS as a service. Anyone can sign up for these services and start their own attacks with little technical knowledge.

Ransomware as a service

When an aspiring cybercriminal signs up for RaaS, they will get access to an impressive professional-looking interface that will often include distribution tips and metrics that can be used to track things like ransomware infection and payment rates. Multiple languages may be supported. Customers are also given a RaaS kit that they can use to distribute ransomware to other computers. All they need to do is agree to share the profits with the creators of the RaaS.

RaaS works on a revenue-sharing model. It’s in the cybercriminals’ interest to make it work as efficiently as possible.

The most time-consuming part of a ransomware attack is finding the computers to infect. RaaS removes this challenge for the creators of new ransomware strains. They no longer have to spend countless hours scanning the internet or locating vulnerable victims. By making it easy for anyone to launch ransomware attacks, cybercriminals have expanded the spectrum of potential victims. To sum it up, they are outsourcing their attacks. RaaS creators have even begun building service centres to deal with victims and their payments.

Like any business, RaaS needs to find customers. Cybercriminals advertise their RaaS solution like any other business would. Except, for RaaS, the advertising is done on the dark web. RaaS is attractive for cybercriminals due to its scalable income potential. The more cybercriminals that sign up for it, the greater number of victims of the ransomware strain. This means more money for the ransomware creators.

Consider this case: the ransomware GandCrab was distributed by RaaS and first discovered in January 2018 (Tiwari, 2020). Over its 18-month lifespan, it is estimated that over 1.5 million computers were infected. The makers of GandCrab perfected the RaaS business model. They streamlined their ‘affiliate’ program, allowing fellow cybercriminals to join by agreeing to share 30–40 per cent of their ransomware revenue. They got a full-featured web panel and technical support in return.

Gandcrab’s operations ceased in mid-2019 when the FBI obtained the master decryption keys for it and released them to the public (Abrams, 2019). Anyone infected could then decrypt their information and avoid paying GandCrab. Although they’d been forced to cease their operations, the cybercriminals behind GandCrab boasted on a Russian forum that they had taken a total of $2 billion – with $150 million going to themselves.

In addition to revenue sharing, a RaaS operator will charge an up-front fee to begin using their service. This can range from under $100 for some RaaS systems that cater to individuals, to the most expensive RaaS, which was for $84,000, charged by the Maze ransomware creators (Ritesh, 2021). These types of RaaS target businesses where the ransomware amounts can be in the millions.

Like any good cybercriminal, RaaS makers often have no problem ripping off other cybercriminals. In many instances, once they have paid the up-front fee, the buyers find themselves without a workable RaaS. Since the price is usually paid in Bitcoin and is an illegal transaction anyway, there is no recourse for the victim to get their money back. The dark web is full of dubious characters. However, there is little sympathy for cybercriminals getting scammed by other cybercriminals for a fake RaaS.

Europol, the EU’s law enforcement agency, calls ransomware the ‘most widespread and financially damaging form of cyberattack’ (Popper, 2020). RaaS turbocharges ransomware. The global cybersecurity company, Group-IB DFIR, found that 64 per cent of all ransomware attacks they analysed in 2020 came from the RaaS model (Group-IB, 2021).

DDoS as a service

DDoS as a service works differently. With DDoS attacks, it is about how long the attacks last. The longer the attack is, the longer the target services will be impacted. The pricing averages $10 an hour to $60 for 24 hours (Gomez, 2021). The cost to launch a DDoS attack is minimal for cybercriminals.

How big a problem is this?

Ransomware attacks are growing in size and frequency, threatening businesses and individuals worldwide. Why? Because that is where the money is. While large organisations that pay significant ransomware amounts grab the big news headlines, it’s a bigger problem for small and medium-sized businesses. They continue to bear the brunt of ransomware attacks. According to Coveware, businesses with less than 1,000 employees had over 75 per cent of the attacks in 2020. Typically, smaller firms do not have large companies’ security budgets, which leaves them at greater risk of attacks (Coveware, 2021).

Individuals have different challenges; their home networks likely have many devices, often with outdated networking equipment or poor passwords. The trend towards working at home only compounds the problem. There’s also the fact that laptops are often passed around between family members – children often lack an understanding of online risks. They can be more vulnerable to attacks, such as inadvertently downloading malware via a phishing lure.

Cybersecurity is only as good as the person with the poorest cybersecurity hygiene. For businesses, the weak link can be their supply chain or a careless or unaware staff member.

The cybersecurity firm Emsisoft estimated the global ransomware demand cost $25 billion for all countries in 2020 (Emsisoft Malware Lab, 2020). This is an astonishing amount of money.

It can feel as though ransomware creators have free rein to terrorise victims. However, law enforcement is fighting back. Initiatives like the website ‘No More Ransom’ have been launched. It was set up by the National High Tech Crime Unit of the Netherlands, Europol’s European Cybercrime Centre and cybersecurity firms Kaspersky and McAfee to help victims get their encrypted data back without paying the cybercriminals.

According to Europol, the ‘No More Ransom’ project, as of July 2021, has helped over six million ransomware victims recover their files for free, saving them an estimated €1 billion by not paying ransoms (Europol, 2021).

HOW ARE PEOPLE IMPACTED?

Cyber extortion attacks use the same psychological methods as cyber fraud: get the victim in an emotional state then employ persuasion techniques to get what they want. The difference with cyber extortion is that getting the victim into an emotional state is often immediate once the attack starts. If someone threatens to cause your loved ones physical harm, it would cause anyone to be in a heightened emotional state.

Some victims want to pay up as quickly as possible, to make the problem disappear, instead of stepping back and giving themselves time to get out of their emotional state and thinking through the situation. Often the best response to cyber extortion attacks is to not respond or engage with the cybercriminals.

With ransomware attacks, it’s a different story. The cyber extortion attack has already happened. It can be traumatic when your life’s work (personal files) and memories (family photos or videos) are on the computer infected. People can experience a genuine sense of fear. It’s not only the threat of losing your data forever, but also feeling violated that someone has possibly downloaded all your information and could be looking at it.

Victims of ransomware usually experience the five stages of grief: denial – anger – bargaining – depression – acceptance (Grindle, 2017). When you first notice something isn’t right, this is when the five stages begin.

1. Denial: it isn’t that bad, right? It will not take that long to get back up and running, right?
2. Anger: why me? How much will this cost? Why was I targeted?
3. Bargaining: do I pay the ransom?
4. Depression: I can’t believe this is happening. I can’t believe I screwed up so bad. It’s my fault.
5. Acceptance: what can I do to ensure this never happens again?

WHAT THE FUTURE HOLDS

Of all the future potential cyber extortion threats, perhaps the greatest of them will use the Internet of Things (IoT). In a nutshell, IoT is the concept of connecting any device to the internet and other connected devices. It is estimated that there will be at least 38.6 billion IoT devices in use by 2025 (Vailshery, 2021). There will be an incredible number of objects coming in all shapes and sizes. Examples of IoT devices include smart fridges (your fridge will know when you are running low on milk and automatically submit an order to your local online grocer), self-driving cars (which will have sensors detecting all objects in the car’s path), health wearable fitness devices (measuring heart rate and the number of steps taken). Every device connected to the internet means another potential vulnerability for cybercriminals to exploit for cyber extortion.

Here is a small sampling of potential ways IoT can be used for cyber extortion:

• Smart locks that lock and unlock all doors with a mobile device or web interface: cybercriminals may attempt to change the password for these and lock residents out of their house. This is worse for businesses; imagine the cost if numerous doors were locked in warehouses or offices, not allowing companies to run.
• Smart thermostats that control a home’s temperature: cybercriminals may raise the temperature to extreme heat while homeowners are away and pets are locked in the house. The homeowner then gets a threatening message that their pets could die unless they pay the ransom.
• Smart toys that provide remote video and audio access for parents: cybercriminals could record intimate moments at home and threaten to release them online.
• Smart toilets that clean themselves and notify users when supplies are low: water could be turned on and left to overflow when homeowners are out of town. Homeowners could get a threatening message saying their house will be flooded unless a ransom is paid.

Worse still is if IoT devices are used in combination for attacks. Consider cybercriminals taking control of a home’s smart locks, then locking the doors and raising smart thermostats to alarmingly high temperatures – then demanding a ransom from homeowners to stop it (Chang, 2019).

Imagine in the future you are taking a ride in a self-driving car or maybe driving a car with the latest and greatest AI, IoT-enhanced features. You then hear the car’s voice system come on, saying the following message, ‘Transfer X amount of money now or the car will speed up and drive over a cliff.’ You can’t stop the car or open the doors. The car starts to speed up. What do you do?

The FBI is taking the threat seriously. They posted a public service announcement warning that modern vehicles that now come with an array of wireless IOT devices could be vulnerable to attackers (FBI, 2016).

Security researchers have already demonstrated they can remotely seize control of vehicles by successfully taking remote control of a Jeep Cherokee’s steering and braking system (Smith, 2016).

How bad is the IoT security problem? Here are some of the common issues:

• The device default password is never changed. In many cases, it can’t be changed.
• No username or password is required to access the device.
• No encryption or poor encryption on the device, making it easier to hack.

What’s disturbing about IoT attacks is that often, to discover a vulnerability on an IoT device, all a cybercriminal needs to do is go to the shodan.io website (https://www.shodan.io). Shodan is a search engine, but it searches for interconnected devices instead of looking for websites like Google. These range from routers and servers to IoT devices. If it is connected to the internet, Shodan will find it.

When Shodan finds a device, it extracts as much information as possible and puts it into its database. Anyone can access this database. If you hunt for a particular piece of hardware – a new voice-controlled thermostat, for instance – it will provide you with a list of them anywhere in the world with open ports. If you type in the IP address of your firm or house, Shodan will show you whether you have any public devices online. As another example, you can search for specific webcam manufacturers with a known vulnerability. Shodan can list the webcams around the world with this vulnerability that are connected to the internet. Cybercriminals can then gain access to the webcams. The webcams are often in people’s homes and offices (Shubham, no date).

DEFENDING AGAINST CYBER EXTORTION

Cyber extortion attacks can rattle anyone. They are usually sudden attacks. To defend against them requires some preventive measures and an understanding of the techniques cybercriminals use. Here are some guidelines.

Preventative measures

There is little you can do unfortunately to prevent threatening messages. In some cases, cybercriminals already have your details (for example phone number, email) because of data breaches. The key to cyber extortion prevention is to assume you will be attacked.

Preventing online smear campaigns

• Consider an incident response plan to prepare how you will respond to an attack. Whether you are a small business or a large organisation, these attacks can negatively impact you.
• There is little you can do to prevent an online smear campaign. Nonetheless, the faster you respond, the sooner you can combat the campaign.

Preventing DDoS attacks

• Prepare a DDoS attack response plan. Think through how to maintain business operations if a DDoS attack is successful, how will you respond and what technical upgrades you should do.
• For a more comprehensive list of technical preventive measures, check the NCSC DDoS preventative recommendations: https://www.ncsc.gov.uk/files/Preparing%20for%20
  DoS%20(Denial%20of%20Service)%20attacks_V2.pdf

Preventing ransomware attacks

• Make backups of everything. Today, it’s easier than ever to automatically back up your computer to a secure storage solution in the cloud. For added security, back up your files to another physical storage device. However, make sure the physical security device is not kept connected to your computer. Ransomware could spread to it if it is. Have a recovery plan in place so a ransomware attack doesn’t destroy your data forever. Think about what you will need to do to get your computer(s) and services back to normal if disaster strikes.
• Consider buying cyber insurance; make sure it covers ransomware.
• Use dedicated anti-malware or anti-virus protection. These solutions will help to detect and prevent ransomware and stop the attack before the data is encrypted.
• Pick strong passwords and use multi-factor authentication as often as possible. And don’t reuse or share passwords, ever.
• Keep your computers up to date with the latest security patches. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe. When your operating system or applications release a new security patch, install it. And if the software offers the option of automatic updating, take it.
• Trust no one. Any account can be compromised, and malicious links can be sent from friends’ accounts on social media, colleagues or trusted business partners. Never open attachments in emails from someone you don’t know and hadn’t been expecting. Cybercriminals often distribute fake email messages that look like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients to click on a malicious link and releasing an infection on their system. Be extra cautious if the attachment asks to enable macros. Ransomware can use macros to spread faster.

Warning signs

The warning signs for cyber extortion are different from cyber fraud. It can sometimes be challenging to recognise a cyber fraud attack; for cyber extortion attacks, you know pretty quickly you have been attacked. Whether it is a disturbing email or your computer has become unworkable, and there is now a ransomware message displayed on your screen, it is clear someone is trying to extort you. There is no misunderstanding. No one is trying nicely to get your money; they are threatening you instead.

What to do if you are a victim

If you find yourself a victim of a cyber extortion attack, take a deep breath and give yourself some time to think through the situation. It’s important not to make any decision when in an emotional state. Here is some practical advice to follow:

• If you receive a threatening email, text, or message on social media, ignore them. Do not respond or communicate with the attacker.
• If you are a victim of an online smear campaign, the first thing to do is contact the online platform where the negative comments or ratings are appearing (for example Google, Tripadvisor) and report the problem. Most companies have policies and teams to combat fake ratings and reviews and can help.
• If it’s a DDoS attack, contact your internet service provider (ISP). They can assist in mitigating the attack.
• In the UK, report the attack to Action Fraud, www.actionfraud.police.uk
• In the US, report it to the FBI’s Internet Crime Complaint Center, www.ic3.gov and the Cybersecurity & Infrastructure Security Agency (CISA), www.cisa.gov

What to do if your computer is infected by ransomware

Whenever anyone gets hit with a ransomware attack, whatever plans they have get thrown out the window. The countdown is on to get your computer(s) back as soon as possible. Here are some steps to take if you are a ransomware victim:

• Step 1: disconnect your infected computer from your network. Simply put, go offline to prevent the spread of ransomware.
• Step 2: determine what type of ransomware is on your computer. https://id-ransomware.malwarehunterteam.com makes this easy. By uploading a file with the ransom note and payment information, they can identify which ransomware strain encrypted your computer. To do this, you will need to use another computer other than the infected computer (which will be useless after a ransomware attack).
• Step 3: take a photo of the ransomware note for evidence for the police or your insurance company.
• Step 4: check if there is a publicly released decryptor to reverse the encryption. No More Ransom (www.nomoreransom.org) has various decryption tools and guides for removing different types of ransomware. Bleepingcomputer.com is another good resource with removal guides for many types of ransomware.

If there is no decryptor tool available for your ransomware, then you are faced with the following options:

1. Find a third party to help unlock the files without paying the ransom.
2. Don’t pay and recover your data through backups, or lose your data.
3. Pay the ransom. This should always be the last option. Paying the ransom only encourages cybercriminals to continue.

A word of caution if you are considering paying the ransom. The US Treasury Department released a warning in October 2020 that anyone paying cybercriminals to decrypt their computers may violate US sanctions laws. Some sanctioned countries like North Korea and Iran have a history of creating ransomware. The money goes to these countries by paying the ransom, which violates the sanctions. In 2021, the cryptoanalysis company Chainalysis researched where ransomware payments were going. They found that over $50 million in Bitcoin has been sent to sanctioned countries by paying the ransom (Grauer and Updegrave, 2021).

To compound the problem, cyber insurance companies sometimes advise their clients to pay the ransom. This could put them at odds with potential new government guidelines. Also, due to a large number of ransomware claims in 2020, cyber insurance premiums have risen to record levels in 2021. Insurers are now toughening up their requirements for giving cyber insurance, in many cases not covering ransomware as part of their cyber insurance. They are asking tougher questions about a company’s cybersecurity practices (Rivero, 2021).

SUMMARY

Regardless of how cybercriminals conduct cyber extortion attacks, it will remain a persistent threat as long as cybercriminals find it lucrative. Judging by the amount of money they are making, they will not stop anytime soon. With technological advances and an ever-increasing number of connected devices, cybercriminals will have more opportunities to carry out cyber extortion attacks. Any device or means of communication is fair game for cybercriminals to target. Cybercriminals will continue to innovate in their attacks, constantly finding new ways to extort individuals and organisations.

The barriers to entry for cyber extortion have been reduced with services like RaaS and DDoS. Cybercriminals do not need a high level of technical skills to launch attacks like ransomware. They are often one step ahead of victims, surprising them with new attack methods. While the attack methods can be new, the underlying methodology isn’t. It is still old-fashioned extortion, just repackaged differently. Once you understand this, you can better prepare for their attacks – regardless of how they attack – as explained in this chapter.

REFERENCES

Abrams, Lawrence (2019) FBI releases master decryption keys for GandCrab ransomware. BleepingComputer. Available from https://www.bleepingcomputer.com/news/security/fbi-
releases-master-decryption-keys-for-gandcrab-ransomware/

Abrams, Lawrence (2020) Ransomware gangs add DDoS attacks to their extortion arsenal. BleepingComputer. Available from https://www.bleepingcomputer.com/news/security/ransomware-
gangs-add-ddos-attacks-to-their-extortion-arsenal/

Adler, Dan (2020) What do these hackers have on Trump, and why would Allen Grubman pay to suppress it? Vanity Fair. Available from https://www.vanityfair.com/style/2020/05/allen-
grubman-donald-trump-hack

Arghire, Ionut (2020) DDoS extorters claim to be Armada Collective. Security Week. Available from https://www.securityweek.com/ddos-extorters-claim-be-
armada-collective-fancy-bear

Asokan, Akshaya (2020) Travelex paid $2.3 million to ransomware gang: Report. Bank Info Security. Available from https://www.bankinfosecurity.com/travelex-paid-23-
million-to-ransomware-attackers-report-a-14094

Bennett, Drake (2020) The time I sabotaged my editor with ransomware from the dark web. Bloomberg.com. Available from https://www.bloomberg.com/features/2020-
dark-web-ransomware/

Black, Beth (2021) Distortion extortion. Available from https://www.bethscape.com/post/distortion-extortion

Canadian Centre for Cyber Security (2020) Protecting your organization against denial of service attacks. Available from https://cyber.gc.ca/en/guidance/protecting-your-
organization-against-denial-service-attacks-itsap80100

Carlson, Joe (2019) All of records erased, doctor’s office closes after ransomware attack. StarTribune. Available from https://m.startribune.com/all-of-records-erased-
doctor-s-office-closes-after-ransomware-
attack/508180992/

Chang, Ziv (2019) IoT device security: Locking out risks and threats to smart homes. TrendMicro. Available from https://documents.trendmicro.com/assets/white_papers/IoT-
Device-Security.pdf?_ga=2.242702912.331690514.
1627891991-1205160935.1627285251

CheapAir (2018) An open letter to our customers. Available from https://www.cheapair.com/blog/an-open-letter-
to-our-customers/

Coveware (2019) Quarterly report (2019) – Ransom amounts rise 90% in Q1 as Ryuk increases. Available from https://www.coveware.com/blog/2019/4/15/ransom-
amounts-rise-90-in-q1-as-ryuk-ransomware-increases

Coveware (2021) Ransomware payments fall as fewer companies pay data exfiltration extortion demands. Available from https://www.coveware.com/blog/ransomware-marketplace-
report-q4-2020

Darkowl (2020) REvil hackers continue to wrack up high-profile targets with ransomware attacks. Available from https://www.darkowl.com/blog-content/revil-
hackers-continue-to-wrack-up-high-profile-targets-
with-ransomware-attacks

Eisler, Vaughn (2021) DDoS extortion attacks are driving security risks in 2021. Equinix. Available from https://blog.equinix.com/blog/2021/04/28/ddos-extortion-
attacks-are-driving-security-risks-in-2021/

Emem, Mark (2018) Cyber thugs threaten CheapAir with smear campaign in Bitcoin extortion scheme. CCN. Available from https://www.ccn.com/cyber-thugs-threaten-cheapair-
with-smear-campaign-in-bitcoin-extortion-scheme/

Emsisoft Malware Lab (2020) Report: The cost of ransomware in 2020: A country-by-country analysis. Emsisoft.com. Available at: https://blog.emsisoft.com/en/35583/report-the-cost-of-
ransomware-in-2020-a-country-by-country-analysis/

Europol (2021) Unhacked: 121 tools against ransomware on a single website. Available from https://www.europol.europa.eu/newsroom/news/unhacked-121-
tools-against-ransomware-single-website

FBI (2016) Motor vehicles increasingly vulnerable to remote exploits. Available from https://www.ic3.gov/Media/Y2016/PSA160317

FBI (2020a) Cyber criminals claiming to be Fancy Bear conduct ransom Denial of Service attacks against financial institutions, other industries worldwide. Available from https://www.documentcloud.org/documents/7070798-
FLASH-MU-000132-DD.html

FBI (2020b) FBI warns public of ‘virtual kidnapping’ extortion call. Available from https://www.fbi.gov/contact-us/field-offices/
elpaso/news/press-releases/fbi-warns-public-of-
virtual-kidnapping-extortion-calls

Ferguson, William Scott (1921) ‘The Lex of Calpurnia of 149 B.C.’. The Journal of Roman Studies, 11. 86–100.

Fieldstadt, Elisha, Winter, Tom and Fitzpatrick, Sarah (2020) Michael Avenatti guilty on all counts in Nike extortion case. NBC News. Available from https://www.nbcnews.com/news/us-news/michael-avenatti-
guilty-all-counts-nike-extortion-case-n1137106

Gatlan, Sergui (2020) Extortion emails threaten to infect your family with coronavirus. BleepingComputer. Available from https://www.bleepingcomputer.com/news/security/
extortion-emails-threaten-to-infect-your-family-
with-coronavirus/

Gomez, Miguel (2021) Dark web price index 2020. Privacy Affairs. Available from https://www.privacyaffairs.com/dark-web-
price-index-2020/

Grauer, Kim and Updegrave, Henry (2021) The 2021 crypto crime report: Everything you need to know about ransomware, darknet markets, and more. Chainalysis.com. Available from https://go.chainalysis.com/2021-Crypto-
Crime-Report.html

Grindle, Donna (2017) 5 stages of grief during a cyber attack – EP 108. HIPAA. Available from https://helpmewithhipaa.com/5-stages-of-grief-during-
a-cyber-attack-ep-108/

Group-IB (2021) Group-IB: Ransomware empire prospers in pandemic-hit world. Attacks grow by 150%. Available from https://www.group-ib.com/media/ransomware-
empire-2021/

Gutman, Yotam (2020) Mind games: The psychology of ransom notes. SentinelOne.com. Available from https://www.sentinelone.com/blog/mind-games-the-
evolving-psychology-of-ransom-notes/

Kaspersky (no date) Drive-by attack. Available from https://encyclopedia.kaspersky.com/glossary/
drive-by-attack/

Kovacs, Eduard (2021) Colonial Pipeline paid $5 million to ransomware gang: Reports. Security Week. Available from https://www.securityweek.com/colonial-pipeline-paid-
5m-ransom-retrieve-files-stolen-hackers-reports

Law Library – American Law and Legal Information Crime and Criminal Law (no date) Organized crime. Available from https://law.jrank.org/pages/1624/Organized-Crime-
History.html

Linder, Douglas O. (2008) The trial of Gaius (or Caius) Verres: An account. umkc.edu. Available from http://law2.umkc.edu/faculty/projects/ftrials/verres/
verresaccount.html

Mana, Ohad, Hazum, Aviran, Melnykov, Bogdan and Kuperman, Liav (2020) Lucy’s back: Ransomware goes mobile. Checkpoint. Available from https://research.checkpoint.com/2020/lucys-
back-ransomware-goes-mobile/

Martin, George (2019) Listen to this HMRC scam voicemail. Which.co.uk. Available from https://conversation.which.co.uk/money/hmrc-
scam-voicemail-example-listen/

McAfee (2019) Children’s charity or CryptoMix? Details on this ransomware scam. Available from https://www.mcafee.com/blogs/consumer/consumer-
threat-reports/cryptomix-ransomware-scam/

NCSC (no date) Denial of service (DoS) guidance. Available from https://www.ncsc.gov.uk/collection/denial-service-
dos-guidance-collection

Newman, Lily Hay (2021) Apple’s ransomware mess is the future of online extortion. Wired. Available from https://www.wired.com/story/apple-ransomware-attack-
quanta-computer/

Olson, Parmy (2013) Cryptolocker thieves likely making ‘millions’ as Bitcoin breaks $1,000. Forbes.com. Available from https://www.forbes.com/sites/parmyolson/2013/11/27/
cryptolocker-thieves-likely-making-millions-
as-bitcoin-breaks-1000/?sh=64b922476753

Popper, Nathaniel (2020) Ransomware attacks grow, crippling cities and businesses. New York Times. Available from https://www.nytimes.com/2020/02/09/technology/
ransomware-attacks.html

Ritesh, Kumar (2021) Who’s buying and selling ransomware kits on the dark web. Cybercrime Magazine. Available from https://cybersecurityventures.com/whos-buying-and-
selling-ransomware-kits-on-the-dark-web/

Rivero, Nicolas (2021) Ransomware hacks are pushing cyber insurance premiums to record levels. Quartz. Available from https://qz.com/2036127/ransomware-hacks-are-driving-
up-premiums-for-cyber-insurance/

Shubham (no date) Find vulnerable webcams with Shodan. Spyboy. Available from https://spyboy.blog/2020/06/12/find-vulnerable-webcams-
with-shodan-metasploit-framework/

Smith, Ms (2016) They’re back! Car hackers take control of Jeep’s steering and braking. csonline.com. Available from https://www.csoonline.com/article/3103431/theyre-back-car-
hackers-take-control-of-jeep-s-steering-
and-braking.html

Srivastava, Anvit (2021) Fake call centre busted in Delhi; Accused duped UK citizens. News18. Available from https://www.news18.com/news/india/fake-call-centre-
busted-in-delhi-accused-duped-uk-citizens-
3888071.html

Tiwari, Ravikant (2020) Evolution of GandCrab ransomware. Acronis. Available from https://www.acronis.com/en-us/articles/gandcrab/

Vailshery, Lionel Sujay (2021) Number of Internet of Things (IoT) connected devices worldwide in 2018, 2025 and 2030. Statista. Available from https://www.statista.com/statistics/802690/
worldwide-connected-devices-by-access-technology/

Waddell, Kaveh (2016) The computer virus that haunted early AIDS researchers. Atlantic. Available from https://www.theatlantic.com/technology/archive/2016/05/the-
computer-virus-that-haunted-early-aids-
researchers/481965/

Wilding, Edward (1992) Virus bulletin. Available from https://www.virusbulletin.com/uploads/pdf/
magazine/1992/199201.pdf

Wilson, Diane (2020) ‘You owe us money’: Cartel text scam featuring graphic photos threatens Raleigh family. ABC11.com. Available from https://abc11.com/text-scam-cartel-threatening-
texts-texting/7706549/

Yonge, C. D. (1903) The First Book of the Second Pleading Against Caius Verres. London: George Bell & Sons.