4 Things Companies Should Know About the New World of Cyber Extortion

By: | September 9, 2022

Frank Quinn is the Client Experience Manager, Cyber Risks at Beazley. He can be reached at [email protected].

It’s an unfortunate but universal truth: If you think you understand how cybersecurity threat actors operate, they’re probably about to switch things up on you.

The data breach may have been the original cybercrime of the early 2000s, but then ransomware took center stage and attention focused less on vulnerability of data and more on business disruption.

Today, we are experiencing the integration of the two, with the potential for far greater damage as a result. When it comes to data exfiltration, here are four things that every business with cyber vulnerabilities should note.

1) Extortion incidents are far more complicated than they once were, as threat actors find new ways to do business.

Today, encrypted files are only one of many concerns.

Now threat actors are also threatening to expose the fact that your company’s data was stolen and are looking for payment to prevent this. Even with proof of deletion, your data may still be out there in other threat actors’ hands, exposing your organization to legal and reputational risks.

When data is exported or exfiltrated from the victim’s network before being encrypted to render it unusable to the victim, this is considered double extortion. The data may then find its way into the dark web for others to leverage — and once that happens, even if the original threat actor has been paid for data destruction, it is almost impossible to ensure that the information is not accidentally or intentionally shared with other threat actors.

Double extortion now happens in the majority of extortion incidents, including two-thirds of the incidents Beazley’s Cyber Services team reported in Q1 of 2022.

As if double extortion were not enough, triple extortion is now also becoming more prevalent. This occurs when, in addition to encrypting and threatening to publish exfiltrated data online, the threat actor also engages in further pressuring of the victim. The attacker may threaten “denial of service attacks” against the victim’s remaining infrastructure.

Threat actors may also review exfiltrated data and threaten to contact any individuals whose details are contained within if the targeted organization doesn’t pay.

2) Not only does exfiltrated data present more dangers, but organizations’ risk exposures are increasing too.

It’s getting easier to deploy ransomware and malware, and that gives threat actors more access than ever before. Tools are cheap to rent, and competition between ransomware providers led to tool authors only charging 10-15% of the ransom versus their standard 40%.

Additionally, some tools are being made publicly available, and anyone with minimal coding skills can re-use them. These factors make it easier than ever before for a threat actor to find their way into your system.

At the same time, companies are exposing more and more of their own services. Organizations are moving business operations into the cloud to scale more efficiently than they could using their own infrastructure and are increasingly taking advantage of machine learning and artificial intelligence functionality.

It’s a common mistake to expect that cloud providers will automatically provide security on your behalf. Often the tools may be there, but they are not enabled by default. In other words, you can’t just “cloud and go” and expect a secure experience.

To keep up with competition, many companies are also now using agile development to quickly publish data and services online. This may present commercial opportunities, but it also comes with risks if speed is prioritized over security.

All of these decisions present potential threat vectors.

3) The risks may be expanding, but there are still things you can do to protect your data.

When it comes to defending data, multi-factor authentication (MFA) is absolutely essential.

In fact, data shows that companies are 2-2.2 times more likely to experience a ransomware attack if they have not implemented MFA.

There are more and less secure forms of MFA, and attackers are increasingly using techniques like social engineering to get around protections. This is not a place to skimp; without MFA, a threat actor who uses correct credentials to connect to an organization’s system may be undetectable.

Forms of MFA that can be considered more secure include push notifications, time-based one-time passwords (TOTP), OAuth (Open Authorization) tokens, hardware tokens, authenticator apps, biometrics, or a FIDO2 key like YubiKey or RSA SecurID.

4) Despite best efforts, incidents can and will still occur — and the operational, legal and reputational impacts can be significant.

With techniques escalating, today’s extortion risks may include multiple threat actors and a variety of threat vectors.

While there is no foolproof way to protect your organization against every possible danger, understanding the evolving threats is essential for insureds and brokers looking to mitigate the risks in this new world of cyber extortion. For more on extortion trends and specific ways that your organization can protect itself, check out Beazley’s latest Cyber Services Snapshot&

More from Risk & Insurance