Criminals are building a cyber extortion 'micro-economy' by monetising stolen corporate data
Sophisticated groups feed a cyber crime supply chain by selling corporate documents and IP to novice extortionists
The cyber extortion landscape is far more diverse and varied than businesses have previously acknowledged, with tiers of malicious actors building an entire 'micro-economy' around sensitive corporate information.
Gangs of cyber criminals are trading stolen company secrets and intellectual property (IP) for cash to less sophisticated outfits, which are then monetising the information in increasingly innovative ways, according to research by Digital Shadows.
The report titled 'A Tale of Epic Extortions: How cybercriminals monetise our online exposure' examined the emerging trends in the cyber extortion landscape, and how lax security practices - by both individuals and organisations - enable corporate theft.
The more sophisticated cyber extortionist groups are increasingly pivoting to recruitment, offering vast salaries to perform certain actions. They are also supplying less sophisticated groups with valuable information they can then use to extort companies and individuals.
Selling "access" in this way to an organisation, a server, or an email inbox, for instance, is one of several ways in which more advanced groups are monetising the data they steal, both post-extortion, or because their attempts were unsuccessful.
"More sophisticated actors would often perform an intrusion, steal information, and then monetise it by selling it to less sophisticated, more novice extortionists," Digital Shadow's senior strategy and research analyst Rafael Amado told IT Pro.
"So there's a sort of micro-economy, or a mini-market, that is developing within the extortion market itself where extortionists are servicing each other. The more experienced ones are either recruiting or enabling the low-level groups.
"The hardest thing for an extortionist is to get that initial compromising or sensitive information, that sensational data or story you can use to extort someone. For me, that is the key, and one of the most difficult things for an aspiring extortionist to get their hands on. But if you've got more sophisticated people offering it to you, selling it, then the barriers to entry are far, far lower."
This new as-a-service model is also evident when it comes to ransomware and distributed denial of service (DDoS) attacks, where less sophisticated actors are recruiting groups with better capabilities to act on their behalf.
The Digital Shadows report also explored how innovative 'crowdfunding' models for monetising stolen corporate documents are beginning to take off, with cyber gangs seeking alternative ways to raise revenues following a breach.
Instead of relying on victims to pay ransom demands - which may or may not be successful - documents, which may contain content that could excite the wider public, are instead being offered on platforms like KickStarter.
Thedarkoverlord (TDO), a notorious cyber extortion group, meanwhile, served as an ideal case study for Digital Shadows' examination of the emerging cyber extortion supply chain and as-a-service cyber crime models.
Digital Shadows cited a case study in which TDO which stole documents relating to 9/11 from insurance provider Hiscox in April 2018. The 10GB cache of documents, which mainly concerned litigation papers and the insurance claims of victims, was released as an encrypted set of files, with TDO then releasing the encryption keys as and when crowdfunding milestones were hit.
Digital Shadows' report also shone a spotlight on sextortion campaigns running throughout 2018, with a sample of 792,000 emails tracked by researchers showing that extortionists used exposed credentials to convince people they had been compromised.
Using passwords or other credential data normally found on public lists and paste sites, extortionists convince users they have access to compromising photos or video footage - quite often a bluff - before using this to extract cash.
Salaries, meanwhile, averaging the equivalent of $360,000 (275,300) per year are being offered to accomplices who can help cyber criminals target high-worth individuals, such as company executives, lawyers, and doctors. These salaries can even reach as high as $1 million for those that have demonstrable skills in network management, penetration testing, and programming.
Digital Shadows has recommended that organisations develop a ransomware playbook that outlines a regime for regularly backing up data and sensitive files in storage detached from the main network. Among other suggestions, the researchers also advise businesses to shrink the potential attack service by, for example, making remote-access systems accessible only over a virtual private network (VPN).
"What we mean by a ransomware playbook is, hypothetically, or say let's do it practically in the office sometime this week," Digital Shadows' Amado continued.
"Let's say you have a ransomware attack - what are we going to do? How do we respond? Do we have our systems backed up? Do we have our files backed up in the right places? That's just one step.
"Who is going to call lead that process? Is somebody going to go around the office and explain to people what's going on? Do we have backup systems in place? What are the PR teams going to do? Do we need to get the lawyers involved? Do we have cyber insurance?
"All these different types of questions; they're really not the questions you want to be asking yourself in the middle of a ransomware attack. Which, I suppose, is what most people did in the middle of the WannaCry attack. Nobody had ever considered anything like that happening before."
Amado added that having such a playbook in place, ensuring that key decision makers know how to respond and reducing one's digital footprint, would ensure organisations would be able to mitigate the effects of such attacks far more effectively.