11.1.1 Definition

Cyber extortion is when an attacker threatens to damage the confidentiality, integrity, or availability of information unless he or she receives a payment or other desirable outcome. Types of cyber extortion include:

• Denial - Data is rendered unavailable until the desired outcome is achieved.

• Modification - Attackers threaten to alter sensitive data unless the desired outcome is achieved.

• Exposure - Attackers impact the confidentiality of information, threatening to publish or share sensitive data unless the desired outcome is achieved.

• Faux - The extortion attempt is merely a ruse designed to obscure the attacker’s true purpose.

Of these four types, denial and exposure extortions are by far the most common.

Modification extortion is still largely theoretical, but a frightening concept. “Imagine, mixing together all patients’ medications in a hospitals, or their blood results or their radiology images,” writes medical doctor and cybersecurity consultant Saif Abed, considering the potential for a “Clinical Integrity Extortion” attack. “[I]magine that clinicians often not having time to second guess what they see on their screens. . . . [I]t’s a disaster.”⁸

8. Saif Abed, “The Clinical Integrity Extortion (CIE) Attack: A Healthcare Cyber-Nightmare,” Medium, September 14, 2018, https://medium.com/@s.abed86/the-clinical-integrity-extortion-cie-attack-a-healthcare-cyber-nightmare-3c74f61f5b5d.

Each type of extortion requires a different response, as we will see throughout this chapter.

11.1.2 Maturation

Cyber extortion became an epidemic because of the maturation of specific technologies, laws, and cybersecurity standards, including:

• Cryptocurrency, which gave criminals an easy way to demand quick, anonymous payments in extortion cases.

• Crimeware for exploitation and extortion, which evolved to the point where even less-savvy users could purchase a commercial exploit kit or ransomware software and point-and-click their way to success.

• Data breach laws and standards. In the United States, by 2016, the Health Insurance Portability and Accountability Act (HIPAA) had teeth, and most states had data breach notification laws. Criminals used these regulations to incite fear in their victims, specifically targeting regulated data and highlighting it in extortion threats.

The result of these advancements was that cyber extortion became a quick and low-risk crime to commit. Furthermore, organizations that publicly reveal that they have been hacked can suffer devastating reputational damage and incite widespread anger—and some are willing to pay a hefty ransom to avoid that.

In the rest of this chapter, we will explore the three most common types of cyber extortion and discuss response strategies for each.

11.2.1 Ransomware

Ransomware is software designed to lock up user files or entire operating systems in exchange for a fee. Modern ransomware outbreaks commonly begin in one of two ways:

• Phishing: The attacker sends a phishing email or social media message to an employee. The employee clicks on the link, which infects a workstation with malware.

• Remote login: Attackers scan the Internet searching for remote login interfaces with default or weak account credentials. Once obtained, they can access the systems themselves or sell access to other criminals.

Once the attacker installs ransomware, typically:

• The ransomware encrypts files on the local computer, as well as writable network shares and accessible cloud storage repositories. Depending on what files the user has access to, this can prevent him or her from accessing a large volume of valuable data, potentially crippling operations.

• An electronic “ransom note” appears on the user’s desktop or screen, notifying the user of the encryption and providing the user with an opportunity to purchase decryption keys. Often, a deadline is included, after which the price for the decryption keys increases substantially. Some strains of ransomware also permanently delete files periodically (e.g., every hour).

• If the victim pays the ransom, the criminal (theoretically) provides a decryption key, which will allow recovery of all or part of the volume of affected files.

Ransomware can wreak havoc, particularly if it spreads through an organization’s network. In addition to denying access to the victim’s data, attackers may steal or access sensitive information, which means that a ransomware infection may also constitute a data breach. Even if the operational impacts are short lived, the fallout from the data breach aspect may be long term and significant.

11.2.2 Encryption and Decryption

The first known ransomware, the AIDS Trojan, was released in 1989 by biologist Joseph Popp, who studied baboons in East Africa. He distributed the AIDS Trojan by mailing a floppy disk labeled “AIDS Information - Introductory Diskettes” to 20,000 AIDS researchers across 90 countries. After 90 reboots, the malware hid directories and encrypted filenames, and instructed victims to send $189 to a P.O. box in Panama in order to obtain a repair tool. The malware had a critical flaw, however: It used symmetric key cryptography, meaning the same key was used to encrypt and decrypt. Moreover, the key was the same for all victims, and defenders quickly developed decryption tools.⁹

9. Alina Simone, “The Strange History of Ransomware,” March 26, 2015, Medium.com, https://medium.com/unhackable/the-bizarre-pre-internet-history-of-ransomware-bb480a652b4b.

In late 2004, modern ransomware emerged and began to spread via phishing and web-based attacks. This early ransomware was clunky and often had deficiencies that allowed savvy users to bypass the malicious software and regain access to their data without paying a fee. For example, Kaspersky¹⁰ Labs reported encountering a new malware strain called GPCode, which encrypted files and left behind a ransom note that instructed the victim to “buy our decryptor” by contacting the attacker at a Yahoo email address. The researchers found that GPCode was likely of Russian origin and used a custom-written encryption algorithm that was easy to break. The author quickly fine-tuned the malware and released new, stronger variants, eventually switching to the strong RSA encryption algorithm.

10. Denis Nazarov and Olga Emelyanova, “Blackmailer: the story of Gpcode,” SecureList, June 26, 2006. https://securelist.com/blackmailer-the-story-of-gpcode/36089 (accessed June 6, 2019).

Over the next several years, ransomware authors experimented with different models of extorting money from victims, including fake antivirus scans, which locked the user’s computer and posted a warning on the screen requiring the user to call to “activate” the antivirus license. This evolved into law-enforcement-themed locker ransomware, which locked the victim’s computer and posted a notice from law enforcement that accused the user of downloading pirated data or viewing pornography. The victim was told to “pay a fine” in order to have the computer unlocked. “[I]n the early days, attackers tricked victims into downloading fake tools to fix computer issues,” wrote Symantec researchers. “Eventually, it dropped any pretense of being a helpful tool to just displaying a blatant request for payment to restore access to the computer.”¹¹

11. Kevin Savage, Peter Coogan, and Hon Lau, “The Evolution of Ransomware” (whitepaper, Symantec, Mountain View, CA, August 6, 2015), 10, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.

In some cases, ransomware strains delete but do not overwrite the original files, enabling forensic analysts to use common file recovery software to restore the original content. Another recovery tactic is to attempt to reverse-engineer the decryption key. If an analyst has access to both encrypted files and a sample of the original, nonencrypted files, then in some cases it may be possible to use cryptographic techniques to determine the key. However, this takes time and computing power, if it is possible at all.

Over time, ransomware developers refined their software and processes. Ultimately, they found that asymmetric cryptography was an effective means of rendering victims’ files inaccessible. Attackers encrypted the victim’s files with one key and held the corresponding decryption key hostage until they received payment. (See § 5.3.2 for details on asymmetric cryptography.) When implemented carefully, it is virtually impossible for victims to recover their files without a backup.

CryptoLocker was one widespread ransomware variant that emerged in 2013 and leveraged strong encryption (researchers observed it using the popular RSA algorithm with up to 2048-bit keys). It also overwrote the original files, rendering them impossible to recover even for forensics experts.¹² In 2014, a team of law enforcement agencies and security firms infiltrated the botnet used to spread CryptoLocker and captured a huge database of private keys, enabling many victims around the world to finally decrypt their data.

12. “CryptoLocker: What Is and How to Avoid It,” Panda Security, May 14, 2015, https://www.pandasecurity.com/mediacenter/malware/cryptolocker/.

Today, many reputable security firms have released tools that can decrypt popular ransomware strains, either leveraging implementation issues or available private keys. Sites such as NoMoreRansom.org can help defenders determine their ransomware strain and quickly obtain decryption utilities. While there is no guarantee that these tools will be successful, it is often worth trying as a first step.

11.2.3 Payment

Before cryptocurrency existed, it was difficult for cybercriminals to extort payments over the Internet. Cybercriminals attempted to collect payment using wire transfers, payment voucher systems such as MoneyPak or paysafecard, or more creative methods such as text messages to premium phone numbers. All of these payment transfer systems were brokered by a third party and could potentially leave a trail that would help law enforcement track down the attacker. As a result, criminals typically used a money-laundering service in conjunction with a money transfer method.¹³

13. Savage, Coogan, and Lau, “Evolution of Ransomware,” 22–25.

The rise of Bitcoin gave criminals a new, convenient option. When CryptoLocker erupted in 2013, it accepted payment using either Bitcoin or prepaid cash voucher. Victims in the United States were typically given 72 hours to pay the equivalent of $300. The ransom note warned that the victim’s decryption key would be destroyed when the deadline passed, rendering the files permanently unrecoverable. However, victims reported that they could still purchase the key even after the deadline—at a much higher price.

Cryptocurrency dramatically reduced the risk of engaging in cyber extortion, which in turn caused the crime to proliferate. By 2014, a wide range of ransomware had sprung up that instructed bewildered victims to pay using cryptocurrency. Since most nontechie users were not familiar with Bitcoin, ransomers often left user-friendly, detailed instructions that walked the victim through the process of purchasing and transferring cryptocurrency.¹⁴

14. Brian Krebs, “2014: The Year Extortion Went Mainstream,” Krebs on Security (blog), June 26, 2014, https://web.archive.org/web/20140702112204/ http://krebsonsecurity.com/2014/06/2014-the-year-extortion-went-mainstream.

At first, the majority of cryptocurrency ransom demands were relatively small, on average about $300. Criminals soon realized, however, that when they locked up an organization (as opposed to an individual), they had leverage to extort far larger sums of money. For example, in 2015 the Swedesboro-Woolwich School District in New Jersey was held hostage for 500 bitcoins (approximately $124,000 at the time).¹⁵ This trend became more widespread, particularly as more and more organizations purchased cyber insurance that covered large ransom payments.

15. Rebecca Forand, “School District ‘Bitcoin Hostage’ Situation Continues; FBI, Homeland Security Investigating,” NJ.com, March 24, 2015, http://www.nj.com/gloucester-county/index.ssf/2015/03/school_district_bitcoin_hostage_situation_continue.html.

In 2018, sophisticated ransomware evolved that encrypted individual file shares and devices with different keys (“key differentiation”). That meant criminals could charge victims money to recover each individual file share or storage device.¹⁶

16. Sherri Davidoff, “Cyber Alert: New Ransomware Holds Individual File Shares Hostage,” LMG Security, May 16 2018, https://lmgsecurity.com/cyber-alert-new-ransomware/.

11.2.4 World Domination

By the close of 2015, ransomware had become a dominant threat. “Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today,” observed Symantec researchers in their 2016 Internet Security Threat Report.¹⁷

17. Lucian Constantin, “New Ransomware Program Threatens to Publish User File,” Computerworld, November 5, 2015, https://www.computerworld.com/article/3002120/security/new-ransomware-program-threatens-to-publish-user-files.html; Symantec, “2016 Internet Security Threat Report,” ISTR 21 (April 2016): 58, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.

The Center for Internet Security dubbed 2016 “The Year of Ransomware.”¹⁸ In February 2016, Hollywood Presbyterian Hospital in Los Angeles was famously shut down by ransomware, generating an intense media storm. The hospital ended up paying $17,000 to the hackers in exchange for recovering its data.¹⁹ The following month, Methodist Hospital in Kentucky was forced to declare an “internal state of emergency” after ransomware encrypted files throughout its IT infrastructure.

18. Katelyn Bailey, “2016: The Year of Ransomware,” Center for Internet Security (blog), 2016, https://www.cisecurity.org/blog/2016-the-year-of-ransomware/.

19. John Biggs, “LA Hospital Servers Shut Down by Ransomware,” Tech Crunch, February 17, 2016, https://techcrunch.com/2016/02/17/la-hospital-servers-shut-down-by-ransomware.

As the ransomware epidemic spread, cybercriminals took over computer systems around the world, including hospitals, schools, police stations, and more. When a ransomware infection was found, local IT staff typically worked to clean off the malware and restore data as quickly as possible. Victims rarely reported ransomware incidents to the public voluntarily, but in severe cases where day-to-day operations were impacted, word spread.

Within a few years, commercial ransomware software became a popular product on the dark web. Criminals could purchase turnkey malware, distribute it using common exploit kits, and rake in profits. To make it even easier, many vendors peddled “ransomware-as-a-service,” where customers on the dark web paid a fee to rent ransomware platforms, which often provided user-friendly dashboards and easy-to-understand instructions.

11.2.5 Is Ransomware a Breach?

Victims traditionally took a “wishful thinking” approach to ransomware, assuming that even though attackers had locked up their data, they hadn’t actually taken it. In the case of the Swedesboro-Woolwich School District, the superintendent reassured the public that the confidentiality of student data was not at risk. “Ransomware is more like an octopus,” he said. “Its tentacles wrap around your data. There’s no destruction or extraction.”²¹

21. Forand, “School District.”

In keeping with this philosophy, most organizations treated ransomware exclusively as an operational issue. When an infected system was discovered, IT staff worked diligently to clean it, restore the data, and move on. “Because ransomware is so common, hospitals aren’t reporting them all,” said James Scott, senior fellow at the Institute for Critical Infrastructure Technology.²²

22. Jessica Davis, “Ransomware Rising, but Where Are All the Breach Reports?” Healthcare IT News, March 20, 2017, http://www.healthcareitnews.com/news/ransomware-rising-where-are-all-breach-reports.

Reality eventually caught up. Breach coaches who managed incidents realized that if an attacker had access to encrypt a victim’s data, the cybercriminal could well have stolen it, too. And why not? Criminals could resell sensitive data on the black market and make money from denial extortion. To that end, ransomware developers added data-stealing capabilities to ransomware strains. For example, Cerber and Spora ransomware samples were updated to include keystroke loggers and password theft functionality. “By stealing credentials from victims, criminals are ensuring a double payday, because not only can they make money from extorting ransoms, they can also potentially sell stolen information to other criminals on underground forums,” reported Danny Palmer of ZDNet.²³

23. Danny Palmer, “Ransomware 2.0: Spora Now Steals Your Credentials and Logs What You Type,” ZDNet, August 24, 2017, http://www.zdnet.com/article/ransomware-2-0-spora-now-steals-your-credentials-and-logs-what-you-type.

Ransomware is often the most visible sign of a compromise—but not the only component. Attackers frequently lurk in an organization’s systems for months or years, stealing data or renting bots, before deciding to quickly monetize access by installing ransomware.

In 2016, the OCR caused waves throughout the healthcare industry by unequivocally stating that ransomware attacks should be treated as breaches. They published a “fact sheet” on ransomware and HIPAA, clearly stating that “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired.” That means that ransomware incidents should be treated as potential data breaches and must be reported unless the covered entity can demonstrate a “low probability” that PHI was compromised, as per the four-factor risk assessment outlined in the HITECH Breach Notification guidelines.²⁴ (For a detailed discussion about data breaches and the healthcare industry, see Chapter 9, “Health Data Breaches.”)²⁵

24. U.S. Department of Health and Human Services, “Fact Sheet: Ransomware and HIPAA,” accessed January 18, 2018, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es.

25. U.S. HHS, “Factsheet.”

For other types of data, it’s not always clear whether ransomware constitutes a data breach. The level of investigation and conclusions vary considerably based on the experience and risk tolerance of the breach coach and victim organization. It is always wise to retain a sample of the malware whenever possible, so that forensic analysts can assess its capabilities if needed.

11.2.6 Response

Responding to ransomware can be a painful and traumatic experience. There is typically little or no warning, and when ransomware hits, it can cause major damage. The DRAMA model of data breach management applies, as described in Chapter 4, “Managing DRAMA”:

• DEVELOP your data breach response function.

• REALIZE that a potential data breach exists by recognizing the signs and escalating, investigating, and scoping the problem.

• ACT quickly, ethically, and empathetically to manage the crisis and perceptions.

• MAINTAIN data breach response efforts throughout the chronic phase and potentially long-term.

• ADAPT proactively and wisely in response to a potential data breach.

In ransomware cases, there are distinct issues that response teams should consider during the develop, realize, and act phases. These include:

• Include ransomware in data breach planning. All too often, organizations plan for the operational impacts of ransomware but forget to consider that it may also legally qualify as a data breach. A common result of this oversight is that critical evidence is not preserved during the immediate response to ransomware, making it impossible to rule out a data breach later.

• Preserve evidence early on. Make sure that first responders are trained to recognize ransomware as a potential data breach. Preserve important evidence such as the malware sample whenever possible, so that if needed, forensic analysts can later analyze it to determine whether the malware is capable of exfiltrating data or is designed to simply deny access. If ransomware is widespread and it is not feasable to perform a full forensic acquisition of all affected computers, prioritize based on volume and sensitivity of the data stored on each system.

• Activate crisis communication plans quickly. Since ransomware can have a sudden and dramatic impact on an organization’s operations, news of the infection can become widely known very quickly. This is especially true for organizations that suffer a widespread infection that impacts public-facing services (as in hospitals and local government agencies).

• Manage both the operational and data breach impacts of the crisis. It can be challenging to manage a potential data leak while also working to restore operations. Consider, in advance, how to divide up the work and ensure that both issues are addressed.

In the “Act” phase, ransomware-specific crisis management steps include:

• Assess the Damage - Take an inventory of what data has been encrypted, and determine whether the organization can recover the data from backups, recreate missing data, or function without certain data sets.

• Recover from Backups - If available, restore as much data as possible from backups (after preserving appropriate evidence, of course).

• Check for a Decryptor - Technical experts can examine the encrypted systems to determine whether there is a known bypass—some way to unlock the files without paying to get the decryption key from the attackers.

• Negotiate and Pay the Ransom - If all else fails, then the organization may be stuck with a hard choice: pay to get the decryption key (which is not guaranteed to work) or fully rebuild, which in severe cases could threaten the viability of the organization. See the next section for a discussion of negotiation and payment in ransomware cases.

• Fully Rebuild - Many organizations choose (or are forced) to start from scratch, rebuild affected systems, and recreate lost data. This can be a painful, time-consuming, and expensive process.

11.3.1 Regulated Data Extortion

Regulated data is typically regulated for a reason: because it is easy to use for fraud or to shame or embarrass an individual. Common types of regulated data in the United States include (but are not limited to):

• Personally identifiable information (PII) - Name, address, phone number, Social Security number (SSN), etc. “Personally identifiable information” and similar terms are defined in a variety of state and federal laws (there is no single universal definition).

• Health information - Medical records, treatment and diagnosis, healthcare billing information, and a variety of other personal details (see Chapter 9, “Health Data Breaches,” for details on HIPAA and state health information laws).

• Student educational records - Grades, disciplinary records, student medical treatment, information about learning disabilities and other physical or psychological issues, and more. In the United States, the Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of education records for students of federally funded institutions.

As breach notification laws became widespread, it increased the likelihood that a data breach involving regulated information would result in fines, investigations, and widespread public outcry from the affected communities. This placed pressure on IT staff and management to invest in security.

Unfortunately, extortionists have learned to twist breach notification laws to their advantage, using the spectre of investigations, lawsuits, and angry stakeholders to frighten management of these organizations into caving to their demands. Ironically, as the public grew to better understand cybersecurity issues, the potential for reputational damage due to a data breach increased, putting even more pressure on organizations to sweep data breaches under the rug.

Given the high concentration of regulated data in hospitals and schools (and the relatively low budget for security compared with financial institutions), these organizations have become popular targets for extortionists.

11.3.2 Sextortion

Sex-related information has emerged as a major driver behind extortion cases in recent years. This can take many forms, such as “webcam blackmail,” where an attacker obtains risque or obscene photos or videos of a victim and threatens to publish the images or share them with the victim’s friends or family unless he or she receives a fee.

Criminals soon realized they didn’t actually need footage to extort money from victims. Instead, they sent widespread phishing emails that claimed to have obtained footage of sex acts from the recipient’s webcam, and threatened to release it to all of their contacts. In a more recent twist, the criminals included the victims’ passwords (stolen in other data breaches) in the emails. Many recipients, frightened and ashamed, quietly paid—not realizing the attackers had only their email address; the footage didn’t actually exist.⁴³

43. Brian Krebs, “Sextortion Scam Uses Recipient’s Hacked Passwords,” Krebs on Security (blog), July 12, 2018, https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/.

The Ashley Madison “cheating” website breach illustrated how both a breached organization and the data subjects themselves can become victims of sex-related extortion. The Ashley Madison site was designed to attract married men and women who sought to have affairs. “Thousands of cheating wives and cheating husbands signup everyday looking for an affair,” advertised the site. “With Our affair guarantee package we guarantee you will find the perfect affair partner.”⁴⁴

44. Kim Zetter, “Hackers Finally Post Stolen Ashley Madison Data,” Wired, August 18, 2015, https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/.

Hackers broke into the site and demanded that Ashley Madison’s owner, Avid Life Media, take the site offline permanently, or they would publish customer records, “including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”⁴⁵ When Avid Life didn’t comply, they published the data as two compressed files on the dark web, where the data was downloaded and circulated around the world.

45. Zetter, “Hackers Finally Post.”

Millions of users had their names, addresses, and other personal details exposed. The BBC reported that two individuals committed suicide as a result of the breach.⁴⁶ There were 1,200 email addresses with the suffix for “Saudi Arabia,” where adultery is illegal and may be punished by death.⁴⁷

46. Chris Baraniuk, “Ashley Madison: ‘Suicides’ over Website Hack,” BBC News, August 24, 2015, https://www.bbc.com/news/technology-34044506.

47. Philippe Lopez, “The Global Fallout of the Ashley Madison Hack,” France24, August 20, 2015, https://www.france24.com/en/20150820-global-fall-out-ashley-madison-hack.

After the lists of Ashley Madison users were published, third-party criminals began targeting them with extortion threats. For example, one criminal gang sent mass emails to Ashley Madison users advertising their new site, “Cheaters Gallery,” which they claimed would feature each email recipient. “We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites,” the criminals threatened. “This will include you if do not pay to opting out.” The price for “opting out” was approximately $500, payable in bitcoins.⁴⁸

48. Robin Harris, “Ashley Madison Blackmail Roars Back to Life,” ZDNet, April 24, 2017, https://www.zdnet.com/article/ashley-madison-blackmail-roars-back-to-life/.

One Ashley Madison user who received the email wisely pointed out that paying the ransom guaranteed nothing—in fact, doing so could make you more of a target. “[E]ven if you pay these guys off, they can come back in a couple of months . . . and hit you up again. Wouldn’t surprise me if they sold lists of people foolish enough to pay up to other groups. Once you pay you’ve told them you’re vulnerable to blackmail forever.”⁴⁹

49. Harris, “Ashley Madison Blackmail.”

As a result of the breach, Ashley Madison was hit with dozens of lawsuits; it ultimately settled its class-action case for $11.2 million.⁵⁰

50. David Kravets, “Lawyers Score Big in Settlement for Ashley Madison Cheating Site Data Breach,” Ars Technica, July 17, 2017, https://arstechnica.com/tech-policy/2017/07/sssshhh-claim-your-19-from-ashley-madison-class-action-settlement/.

11.3.3 Intellectual Property

Corporate data, too, is targeted by extortionists. Companies that rely heavily on digital intellectual property (such as online gaming vendors, software firms, or media companies) are particularly vulnerable since a sudden release of their intellectual property can threaten their profits or even undermine the value of the entire organization. In this section, we will examine two corporate extortion cases: the Hollywood “Netflix” hack and an early breach of Bloomberg.

11.3.4 Response

The most effective response to exposure extortion is, essentially, to treat it as a data exposure case (see Chapter 10, “Exposure and Weaponization,” for details). After all, once the data is in the hands of a criminal, it’s out there. You never know when it might resurface or become public.

Key actions for response teams to consider include:

• Verify that the data is authentic and originated from your organization. As we have seen, in exposure extortion cases, criminals may include information gathered from other breaches as a means of tricking victims into thinking they have more data than they really do.

• Proactively communicate with affected stakeholders, such as the data subjects and data owners. This is especially important because the extortionists may reach out to them in order to put pressure on the breached organization to pay. Remember that if you remain quiet and don’t tell affected stakeholders about the breach, you risk damaging trust and potentially place your organization in legal jeopardy. By proactively contacting stake-holders, you preserve more trust in the relationship, and you may have the opportunity to set the narrative if word has not already gotten out. This also gives stakeholders more time to prepare for any potential fallout.

• Conduct an effective public relations campaign. This is especially important because extortionists often publicly belittle their victims and attempt to damage their reputations. If the breach is not yet public, prepare a public relations campaign that you can launch immediately if and when it does.

• Offer posttrauma counseling for affected stakeholders, such as management, IT staff, and victims. Extortion can be a frightening and emotional experience. In exposure extortion cases, repurcussions often reverbrate throughout the organization and the surrounding community. For many, it is a painful experience that will never be forgotten. In much the same way that organizations hire grief counselors to work with team members after a death, it may be wise to offer third-party counseling services following exposure extortion.

11.4.1 Case Study: NotPetya

In June 2017, the “NotPetya” malware spread like wildfire. It started in the Ukraine, where employees at organizations across the country suddenly found themselves locked out of their computers, staring at ransom notes that read: “If you see this text, then your files are no longer accessible, because they have been encrypted. . . . We guarantee that you can recover all your files safely and easily. All you need to do is submit payment and purchase the decryption key.”⁵⁵

55. “NotPetya Technical Analysis—A Triple Threat: File Encryption, MFT Encryption, Credential Theft,” Crowd-Strike (blog), June 27, 2017, https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/.

NotPetya used two stolen National Security Agency exploits to infect victims—and it spread like wildfire. “Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania,” reported Andy Greenberg of Wired magazine. “It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondel ez, and manufacturer Reckitt Benckiser.”⁵⁶

56. Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

But despite the reassurances of the ransom note, no one recovered their files. The malware wasn’t ransomware at all. It was designed to destroy. Security analysts confirmed that the installation ID normally used to recover the decryption key was fake and randomly generated. “Do NOT pay the ransom,” counseled technical analysts from the security firm CrowdStrike. “No files will be recovered if the ransom is paid.”⁵⁷

57. “NotPetya Technical Analysis.”

After extensive investigation, intelligence agencies concluded that NotPetya was a cyber-weapon developed by the Russian military, designed to damage Ukrainian organizations. The ransom messages were “only a ruse” used to hide the malware’s true purpose.⁵⁸

58. Greenberg, “Untold Story of NotPetya.”

11.4.2 Response

The appropriate response to faux extortion varies depending on the criminals’ true motives and the impact of the crime. From a data breach management perspective, if there is evidence that criminals may have had access to an organization’s sensitive data, then it should be treated as a potential exposure case.

Requiring proof of data can help responders quickly gauge whether the criminals actually want to negotiate. If the criminals ignore requests or refuse to demonstrate that the data can be decrypted, then responders can ignore demands and quickly move on to a different recovery strategy.