Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

Online Extortion – Old Ways, New Tricks

admin 7 September 2015

Cybercrime and Dark Web Research

Online Extortion – Old Ways, New Tricks

Extortion is nothing new for organized crime. For centuries, gangs have been operating protection rackets and kidnappings to successfully extract ransom money from their victims. And as with many things in modern life, these old techniques have been successfully brought over to the cyber realm.

DDoS extortion

It is perhaps no surprise then that, relative to the age of the Internet, online extortion has been around for quite some time too. The threat of Distributed Denial of Service (DDoS) attacks unless a fee is paid has been known as a ruse for over a decade. Typically, revenue-generating websites such as online casinos and bookmakers have been targeted in the past with carefully balanced calculations to encourage victims to pay – not too much that it can’t be funded and just enough that it’s worth the loss to the victim. And yet it is still something we observe businesses suffering from today – a recent example is the recently very active “DD4BC”, who over the past few months has been reported as being active against multiple targets in Europe, the USA and as far afield as New Zealand and seemingly stepping up the size of their targets and the ransom demands to go along with it.

In the past, achieving DDoS attacks was the reserve of the technical elite, for example by using their own botnets to direct large amounts of traffic towards the intended target. These days, with readily available websites available on the criminal underground known as “stresser” or “booter” websites and criminals offering DDoS-for-hire services, almost anyone can launch these attacks.

Ransomware

In more recent times, we have observed the growing threat of the ransomware. These malicious programs can hold infected computers hostage by denying a user access to their system. Another even more wicked step in the evolution of these programs is so-called crypto-ransomware, which employs encryption algorithms to scramble a victim’s computer files before holding them hostage to their desperate victims. If victims do not pay their ransoms (and sometimes, even when they do) their files can be lost forever. The impact of this can be devastating for victims – for example the loss of irreplaceable family photos or critical business information such as client databases can be crippling if not backed up.

Although ransomware is thought to have been around for many years, it has only been in the past few years that the cybercriminals have really stepped up their game. In 2012, the Reveton “police ransomware” emerged and falsely informed infected users that the machine had been used for unlawful activity such as downloading pirated or child abuse material. Cunningly, Reveton ransom screens displayed logos from European and North American police forces to further scare their intended targets into paying up.

reveton
Fig 1. The Reveton malware. Source: softpedia.com

The architype for crypto-ransomware was the so-called Cryptolocker variant. It emerged in 2013 and introduced encryption to the equation, demanding payments be made through the use of virtually anonymous Bitcoin payments with the added incentive for victims to pay up in a specified timeframe or risk the ransom going up. Interestingly, this ransomware was observed as sharing infrastructure with the Gameover Zeus information-stealing malware, subsequently dismantled by an international law-enforcement effort in 2014. The suspected architect behind this malware was named by the FBI as Evgeniy Bogachev, also known by his online moniker of “Slavik”. Currently the reward for information leading to his arrest and/or conviction stands at $3m.

Fig 2. Crytpolocker. Source: adslzone.net

An FBI advisory from the beginning of this year noted an “uptick” in ransomware attacks and some new trends; infections coming from drive-by downloads as opposed to email attachments and payments increasingly being requested in Bitcoin as opposed to pre-paid cards. The advisory also noted the growing problem of mobile phone-based ransomware; as more and more users migrate to these platforms to perform computing tasks and the attractiveness of attacking these devices has increased for the criminals.

More recently the development of the variant “Cryptowall” has been observed, with further versions being released and functionality adapted to ensure its success. The FBI also released a recent advisory regarding the growing popularity the malware and the huge losses to victims (c.$18m) reported over a matter of weeks (April to June 2015).

Extortion hacking

Another form of online extortion can include the compromise of data from systems through hacking methods and then subsequent extortion demands to return the data.

“Rex Mundi” (Latin for “king of the world”), a group which emerged in May 2012, allegedly compromised the databases of a number of companies based in French-speaking countries. Some of the targets included Dominos Pizza Belgium, the Genevan Regional Bank and the group most recently released blood test results from French Labio laboratories. Generally, Rex Mundi notifies the victims of the breach via social media and threaten to make the data public unless a ransom is paid within a given timeframe. In the past, most of the group’s claims were assessed to have been legitimate.

In a set of incidents unfolding in the recent weeks, we have observed the emergence of another group calling themselves the “Russian Guardians”. This group have been reported by victims as following a similar, albeit slightly different attack methodology. Victims, generally server administrators, have reported finding virtual machine files wiped from servers and replaced with messages from the attackers. The messages indicate that the files have been stolen and stored safely but inaccessibly to the victim and demanding a variable ransom payment in bitcoins. Every message provides a unique bitcoin wallet into which ransoms are to be paid. Analysis of the bitcoin transfers from the public ledger indicate intentional obfuscation of the transactions using complex transfer patterns between multiple wallets, presumably part of the criminals’ efforts to hide their tracks.

The claims by the group that they had downloaded the files are unsubstantiated. To download images of virtual machines is a time-consuming process, especially when done remotely. It would be much easier for the attackers to delete the files and it is worth noting that at the time of writing we were not aware of any credibility to the claims that files would actually be returned.

With all of these incidents in mind, the problem of online extortion is clearly not one that is going away any time soon. As long as these methods continue to prove profitable, they will continue to be used against victims. We may not be able to specifically predict the attackers’ next steps, but what can broadly predict is that gangs will continue to develop their methods, work out new vulnerabilities and exploit them to make money.

In order to protect yourself from online extortion, there are a number of simple measures that can mitigate the risk:

–   Ensure files are appropriately backed up on standalone data storage;
–   Ensure operating systems and plugins are updated regularly;
–   Ensure you use an up-to-date anti-virus product from a reputable vendor;
–   Ensure you use strong passwords on all password-protected systems;
–   Avoid clicking on untrusted links or attachments;
–   Consider using ad-blocking software.