Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and phishing simulation platform.
One of the largest car rental companies in Europe fell victim to a fabricated cyber attack. Why would adversaries claim a fake attack? To understand the true intentions and motivations behind such attacks, it is important to understand how the cyber extortion business operates and evolves.
Tracking the Evolution of Cyber Extortion
Threat actors have been evolving their ransomware tactics and DIY kits for years. Early forms of ransomware attacks involved encrypting sensitive data and systems. Once the encryption was successful, the attackers demanded a ransom in exchange for the decryption keys. However, this tactic had limited success because victims could recover their data from backups. The attackers then began designing malware that also contaminated backup systems. Many victims paid. However, a fair share still followed the FBI’s recommendation not to pay.
Adversaries realized that bolder tactics would be needed to further pressure the victims. They designed ransomware programs that exfiltrated data before encrypting it. Now, even if victims had backups, attackers could blackmail them using the stolen data, threatening to leak sensitive and confidential information if the victims did not pay.
To make matters worse, the attackers began to “milk” the victims and monetize the stolen data even further. For example, they began brokering stolen data to other cybercriminals who would then launch repeat attacks (also known as double and triple extortion attacks). They also started blackmailing the victims’ customers and their families. The attackers have even blackmailed the patients of plastic surgery clinics.
The extortionists continue their pressure tactics
With billions of dollars at risk, it is impossible for law enforcement agencies and regulators not to take notice. Like a scene from a Wild West movie, the U.S. State Department is offering a $10 million bounty for the head of a Hive ransomware gang leader. Regulators compel businesses to disclose all material cyber incidents. Failure to comply with certain regulations may result in civil action, criminal prosecution, heavy fines and penalties, cease and desist orders or revocation of securities registration.
Enterprising threat actors see this as yet another opportunity to pressure victims. For example, when the software company MeridianLink was attacked, the attackers gave the company 24 hours to respond. When MeridianLink didn’t heed the call, the criminals applied more pressure by, incredibly, filing a complaint with the SEC about the non-disclosure of the incident.
Other pressure tactics used by ransomware actors include cyber-swatting. Extortionists have threatened C-suite and board members, hospitals and schools with swatting attacks. AI tools are used to synthesize voices and call the police to falsely report a hostage situation, bomb threat or other serious emergency. Heavily armed police, fire and EMS units are then dispatched to the victim’s home.
What organizations can do to mitigate the risk of ransomware and cyber extortion
What started as a simple phishing email has now evolved into a highly sophisticated cybercrime where extortionists leverage social engineering to carry out infiltration, espionage, data theft and fraud. Here are some best practices that organizations can adopt to mitigate risks.
1. Train employees: It is important to have an ongoing cyber security awareness program that educates employees about the latest threat and extortion tactics employed by attackers.
2. Focus on root causes, not symptoms: Ransomware is a symptom, not a root cause. Investigate how the ransomware entered the environment. Ransomware is a result of phishing, social engineering, unpatched software and leaked passwords.
3. Develop hands-on security training: Cybersecurity tools and technology alone are not enough against social engineering that manipulates human nature. Use phishing simulation platforms and other forms of hands-on training exercises to build a security-conscious culture among employees.
4. Use a password manager and phishing-resistant MFA: Require employees to use long and complex passwords. Adopt a commercial (non-browser-native) password manager to avoid password reuse. Deploy phishing-resistant MFA to reduce the risk of credential theft and corporate account takeover.
5. Ensure employee readiness: In the event of a cyber attack, employees should be well informed of the necessary protocols to follow, as well as the roles and responsibilities defined for incident responders and other important stakeholders.
The digital age has revolutionized the way we live and do business, but it’s also blurring the lines between what’s fabricated and what’s genuine. And if fake emails, fake news, fake videos, fake voices, fake attachments and fake identities were not enough, businesses now face the threat of fake cyber attacks.
Cybercrime has become too profitable, with scams and extortion tactics crossing lines without any foreseeable limit. Organizations must take precautions seriously, enhance security awareness and maturity, and develop tools and processes that help mitigate the root causes of cybercrime.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.