REPORT: Hackers now using extortion

BY JILL CUENI-COHEN / SEPTEMBER 13, 2017

A sound-mixing studio in Los Angeles received a nasty surprise on Christmas morning last year when the owners awoke to find that their computer systems had been wiped clean, and all that was left was a ransom note.

It felt like “you went into your house and it had not only been broken into, but there was nothing left,” said Rick Larson. He and his wife, Jill, work on television productions such as the Netflix series “Orange is the New Black.”

According to a report in Wednesday’s Wall Street Journal, the hackers demanded a ransom of $50,000 worth of bitcoins or they would post an unreleased episode of “Orange is the New Black” on New Year’s Day. The Larsons eventually paid up, but they’ve lost clients and revenue as a result.

Extortion is the New Hack, according to the report. And if people continue to give in and pay ransom demands, the attacks will not only continue; they will get worse.

“All it takes is one or two of these to be successful—for a company to pay up on that kind of threat—and then it will be prolific,” said M.K. Palmore, an assistant special agent in charge with the Federal Bureau of Investigation.

Hackers stealing data for fraud and corporate espionage are so last year; now, hackers use extortion to get what they want from their victims.

Instead of simply stealing passwords or credit card data, or locking access to victims’ systems, as with ransomware, extortion hackers try to gain access to corporate secrets that they then threaten to make public if victims don’t pay.

These criminals use sensitive material in their efforts to force victims to go along quietly with the crime.

Charles Carmakal, vice president of cyber investigations firm FireEye Inc., says this kind of cyber crime is “more damaging and impactful to victim organizations than other types of theft of intellectual property.” He notes that in some cases, the extortionists are just bluffing.

The uptick in extortion cases began in 2015, said Carmakal. The number of cases more than doubled last year as hackers who previously sold stolen data realized that they could make even more money from extortion.

Likely targets for cyber extortion criminals:

  • medical clinics, which hackers threatened with leaking patient information;
  • casinos, where they threatened to divulge client lists;
  • energy companies, where they’ve shut down systems and threatened to release business and employee data;
  • Hollywood studios, where they threaten to prematurely release shows and movies.

Extortion attacks are related to ransomware hacks, which render computer files unreadable until a payment is made; hackers use similar techniques to access corporate data for extortion. Law-enforcement agents and private investigators say both types of attack are occurring more frequently.

A Grant Thornton survey of more than 2,600 executives found that 17% of cyber attacks in 2016 involved blackmail or extortion, including ransomware attacks, versus 12% resulting in outright theft of customer data and 11% theft of other intellectual property.

“We’re finding an increased incidence in the amount of illegal demands or threats, extortion, blackmail in various forms,” said Paul Jacobs, a leader with Grant Thornton’s cyber security group.

Hackers recently hit HBO, stealing programs and other information from the Time Warner unit’s computer systems. The criminals demanded an extortion payment of approximately $6 million to keep quiet, and HBO hasn’t paid them. As a result, the hackers have leaked unreleased episodes of HBO shows and other data, such as usernames and passwords used by HBO employees.

IT consultant Ted Thomas commented on the WSJ report, noting that he has watched the internet grow from its famous birth in the 1990s to what it’s become today. “Looking back, it strikes me that it was built to be hacked,” he observed.

Pointing out that the fundamental nature of the internet “is to be discovered, by the right people in the right way (for sure), but nevertheless… to be completely discoverable and therefore powerfully useful,” Thomas states that security is laughably lax.

“What the net does not do is force its users to securely authenticate their identity, location and intent at every step. The hackers who almost destroyed the Larsons’ business – what if the first switch they reached demanded their credentials, and verified them, before even transmitting their first probe? They would have been shut down before starting because the law could have traced them.”

He goes on to say, “The Larsons are just people – one can’t expect them to be cyber hacking ninjas. This process will go on, and get worse until the net itself starts enforcing authenticated identity. The technology exists today – the will to implement it doesn’t … yet.”