Online Extortion - Old Ways, New Tricks

Digital Shadows Analyst Report

6 July 2015


Extortion is nothing new for organized crime. For centuries, gangs have been operating protection rackets and kidnappings to successfully extract ransom money from their victims. And as with many things in modern life, these old techniques have been successfully brought over to the cyber realm.


DDoS extortion


It is perhaps no surprise then that, relative to the age of the Internet, online extortion has been around for quite some time too. Threatening a Distributed Denial of Service (DDoS) attack unless a fee is paid has been a known ruse for over a decade. Typically, revenue-generating websites such as online casinos and bookmakers have been targeted, with demands carefully calculated to encourage victims to pay: not so much that it can’t be funded, and just enough that it’s worth the loss to the victim. And yet it is still something we observe businesses suffering from today. A recent example is the very active “DD4BC”, which over the past few months has been reported as active against multiple targets in Europe, the USA and as far afield as New Zealand, and is seemingly stepping up the size of its targets and the ransom demands to go along with them.


In the past, launching DDoS attacks was the preserve of the technical elite, who would, for example, use their own botnets to direct large amounts of traffic towards the intended target. These days, with “stresser” or “booter” websites readily available on the criminal underground and criminals offering DDoS-for-hire services, almost anyone can launch these attacks.

Ransomware


In more recent times, we have observed the growing threat of ransomware. These malicious programs can hold infected computers hostage by denying a user access to their system. Another even more wicked step in the evolution of these programs is so-called crypto-ransomware, which employs encryption algorithms to scramble a victim’s computer files and then holds them hostage until the desperate victim pays. If victims do not pay their ransoms (and sometimes, even when they do) their files can be lost forever. The impact of this can be devastating for victims: for example, the loss of irreplaceable family photos or critical business information such as client databases can be crippling if not backed up.

Although ransomware is thought to have been around for many years, it has only been in the past few years that the cybercriminals have really stepped up their game. In 2012, the Reveton “police ransomware” emerged and falsely informed infected users that the machine had been used for unlawful activity such as downloading pirated or child abuse material. Cunningly, Reveton ransom screens displayed logos from European and North American police forces to further scare their intended targets into paying up.

Fig 1. The Reveton malware. Source: softpedia.com

The archetype for crypto-ransomware was the so-called Cryptolocker variant. It emerged in 2013 and introduced encryption to the equation, demanding that payments be made in virtually anonymous Bitcoin, with the added incentive for victims to pay up within a specified timeframe or risk the ransom going up. Interestingly, this ransomware was observed sharing infrastructure with the Gameover Zeus information-stealing malware, subsequently dismantled by an international law-enforcement effort in 2014. The suspected architect behind this malware was named by the FBI as Evgeniy Bogachev, also known by his online moniker of “Slavik”. Currently the reward for information leading to his arrest and/or conviction stands at $3m.


Fig 2. Cryptolocker. Source: adslzone.net

An FBI advisory from the beginning of this year noted an “uptick” in ransomware attacks and some new trends: infections coming from drive-by downloads as opposed to email attachments, and payments increasingly being requested in Bitcoin as opposed to pre-paid cards. The advisory also noted the growing problem of mobile phone-based ransomware: as more and more users migrate to these platforms to perform computing tasks, the attractiveness of attacking these devices has increased for the criminals.

More recently, the development of the variant “Cryptowall” has been observed, with further versions being released and functionality adapted to ensure its success. The FBI also released a recent advisory regarding the growing popularity of the malware and the huge losses to victims (c.$18m) reported over a matter of weeks (April to June 2015).


Extortion hacking

Another form of online extortion can include the compromise of data from systems through hacking methods and then subsequent extortion demands to return the data.

“Rex Mundi” (Latin for “king of the world”), a group which emerged in May 2012, allegedly compromised the databases of a number of companies based in French-speaking countries. Some of the targets included Domino's Pizza Belgium and the Genevan Regional Bank, and the group most recently released blood test results from French Labio laboratories. Generally, Rex Mundi notifies the victims of the breach via social media and threatens to make the data public unless a ransom is paid within a given timeframe. In the past, most of the group's claims were assessed to have been legitimate.

In a set of incidents unfolding in recent weeks, we have observed the emergence of another group calling themselves the “Russian Guardians”. This group have been reported by victims as following a similar, albeit slightly different attack methodology. Victims, generally server administrators, have reported finding virtual machine files wiped from servers and replaced with messages from the attackers. The messages indicate that the files have been stolen and stored safely but inaccessibly to the victim, and demand a variable ransom payment in bitcoins. Every message provides a unique bitcoin wallet into which ransoms are to be paid. Analysis of the bitcoin transfers from the public ledger indicates intentional obfuscation of the transactions using complex transfer patterns between multiple wallets, presumably part of the criminals’ efforts to hide their tracks.

The claims by the group that they had downloaded the files are unsubstantiated. To download images of virtual machines is a time-consuming process, especially when done remotely. It would be much easier for the attackers to delete the files and it is worth noting that at the time of writing we were not aware of any credibility to the claims that files would actually be returned.

With all of these incidents in mind, the problem of online extortion is clearly not one that is going away any time soon. As long as these methods continue to prove profitable, they will continue to be used against victims. We may not be able to specifically predict the attackers’ next steps, but what we can broadly predict is that gangs will continue to develop their methods, work out new vulnerabilities and exploit them to make money.

In order to protect yourself from online extortion, there are a number of simple measures that can mitigate the risk:

-    Ensure files are appropriately backed up on standalone data storage;
-    Ensure operating systems and plugins are updated regularly;
-    Ensure you use an up-to-date anti-virus product from a reputable vendor;
-    Ensure you use strong passwords on all password-protected systems;
-    Avoid clicking on untrusted links or attachments;
-    Consider using ad-blocking software.