Cyber extortion seen as the next big threat

By Erin Ayers on July 4, 2014

protected laptopExperts call cyber extortion “the next big thing” to threaten organizations with financial trouble, loss of data, and even going out of business.

Trends point to more and more attacks, requiring a solid disaster recovery plan and prompting a growing interest in cyber insurance for more than data breaches.

“Bitcoins” have become a popular currency for digital wrong-doers in these denial of service (DoS) attacks. Targets range from tiny pizzerias in New Hampshire, to global cloud providers, to governments. One well-publicized piece of ransomware was “Cryptolocker,” recently shut down by a global law enforcement collaboration. Proceeding immediately upon the demise of Cryptolocker was a new peril, Cryptowall.

According to a survey conducted recently by British telecommunications provider BT, nearly 41 percent of organizations globally were hit by distributed denial of service (DDoS) attacks in the last year. Seventy-eight percent experienced more than one attack in that time. Organizations the world over report worries about the threat, with 58 percent of firms calling DDoS attacks a “key concern,” per the study.

Mark Hughes, president of BT Security, said: “DDoS attacks have evolved significantly in the last few years and are now a legitimate business concern. They can have a damaging effect on revenues and send an organization into full crisis mode. Reputations, revenue and customer confidence are on the line following a DDoS attack, not to mention the upfront time and cost that it takes an organisation to recover following an attack. Finance, e-commerce companies and retailers in particular suffer when their websites or businesses are targeted.”

He added that customer complaints tend to rise – by up an average of 36 percent – following a DDoS attack.

While many businesses – and the media – have focused on the danger of data breaches, cyber extortion has been going on for years, according to Erin Nealy Cox, executive managing director for Stroz Friedberg’s global incident response practice. Stroz Friedberg assists corporate clients with forensic investigations into how hackers access their systems and the extent of the intrusion. She deals regularly with instances of cyber extortion, economic espionage, attacks to steal payment card information (PCI), or insider attacks to steal trade secrets to sell or bring to a competitor.

“It’s a rampant thing,” Cox told Advisen. While cyber extortion may have been around for awhile, criminals are getting craftier, she added, saying, “It does take on a new level of sophistication and it requires companies to handle it with a new level of sophistication.”

Cyber extortion tends to fall into “three buckets.” The first bucket contains the classic examples of outsiders digitally taking over a system and demanding ransom to free it. These schemes might involve gaining access via a spear phishing email; employees click on a link and allow the hackers access. The approach appears simple, but the technology to lock down a company’s data is state-of-the-art and a demand for payment usually follows.

“You’d be surprised at how many people pay,” said Cox, a former federal prosecutor at the U.S. Department of Justice. However, most organizations recognize the risk they run in paying off hackers.

“They recognize the slippery slope of paying money to an extortioner,” she said. “You may pay once and they’ll do it again.”

In a second “bucket,” cyber extortion may consist of hackers accessing a business environment to steal proprietary code or product information, or threatening to expose a vulnerability in their system. Hackers have been known to demand payment to keep quiet, or to protect the stolen products, according to Cox.

In the final bucket resides a more ambiguous area of legality. Cox highlighted a trend toward security firms discovering evidence of hacking and going to the executives of the firm with the information – and the strong suggestion that the company hire the security firm to remediate the situation.

“Unlike the first two buckets, they have not acquired the information illegally,” Cox stated. However, she emphasized that this approach detracts from an overall goal to improve cybersecurity.

“I think it just smacks of the wrong perspective in the cybersecurity community,” she said. “If you have to be hired to do that, you’re not forwarding that goal. Some companies will pay. They won’t like it, but they want the information. We’re seeing more of that and it’s disconcerting.”

Cox asserted her organization provides the information freely to companies and goes through the proper law enforcement channels. In every event, quick response and a full forensic investigation can put a business back on track.

Digital forensic firms can also assist in the recreation of data, if a company has properly backed up its system.

“While you’re not recovering all the information, you’re recovering a lot of it,” said Cox.

The insurance industry has considered the business risk of cyber extortion and developed a wide variety of first-party coverages to respond. According to Christine Marciano, broker with Cyber Data Risk Managers, most of the policies in the cyber insurance marketplace will provide cyber extortion. While not a standalone policies, it can be added onto a policy as an endorsement for a “reasonable” price. For companies hit with a DDoS, having cyber insurance could make the difference between resolving the issue and moving forward or having to shutter the business.

Marciano cited the experience of cloud provider CodeSpaces, hit last month with a DDoS attack. Within 12 hours, CodeSpaces found that most of its “data, backups, machine configurations and offsite backups were either partially or completely deleted.”

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in a irreversible position both financially and in terms of ongoing credibility,” the company said in a letter on its website.

“This is an attack where criminals can just target a company,” said Marciano. “For situations like that, if a company had had insurance, they could have kept going.”

Cyber insurance can pay the expenses an organization will incur to investigate a threat and determine its credibility. It could also cover the ransom that would be paid. Insurers work with insureds through the process, as well as law enforcement to take down the culprits.

“This is the next big thing that companies need to be concerned about,” said Marciano. “Some organizations felt they didn’t need it, but when Target happened, they started scrambling.”

Marciano said she hasn’t seen a claim relating to cyber extortion yet.

“We’re probably going to have it in the next 12 to 18 months. We’ll see a lot more data evolving around the claims on this piece, the cyber extortion,” she said.

According to Stroz Friedberg’s Cox, there’s no doubt organizations will see more cyber extortion. While not new – she said she’s been working on cases like these since 2007 – the issue has received more attention from the media, the public, and lawmakers, creating more awareness.

That media attention has also shifted much of the blame to the hacked organizations themselves, prompting regulatory scrutiny and loss of consumer goodwill. The companies themselves are victims, too.

“We learn how complex it is and how nuanced the attack is. It’s definitely not a black and white issue,” said Cox.

In a battleground where every company can be a target, the focus is on training employees, having a disaster recovery plan, and knowing that it may be impossible to keep hackers out of your system. Cox said the key is knowing when they got in and what they did while they were there.

“Every single person in the company has to be responsible for cybersecurity for the company,” she said. “If you have a well-resourced adversary and they have you in their sights, it’s not a question of if, it’s when.”

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at eayers@advisen.com.