Fans of The Sopranos or Goodfellas are well-versed in the world of extortion. Whether it is paying off Tony Soprano or Paulie Cicero, the bad guys get their money. Cyber extortion is the digital version of what “wise guys” have been doing for centuries, and there are various tactics threat actors employ.

A large retailer experienced one of the most popular cyber extortion tactics when an executive received an email from a known attack group demanding a large sum of money to prevent a distributed denial of service (DDoS). If they failed to pay by the deadline, the ransom would increase over time. The retailer decided not to pay. What led to that decision and what were the results?

Cyber Extortion through DDoS

When executing a DDoS attack, threat actors set their sights on any organization that relies heavily on its website to generate revenue. This makes retailers ideal targets. The threat actor’s success depends on their capabilities and credibility. While the accessibility of off-the-shelf tools to execute DDoS attacks has lowered barriers to entry, low-credibility, low-capability actors do exist. With business continuity, revenue and brand integrity at stake, navigating an extortion attempt can be agonizing.

To Pay or Not? A High-stakes Decision

Responding appropriately to a DDoS attack threat is impossible without understanding the legitimacy of the attack. There are three main steps that go into making an informed decision about whether to pay the ransom.

Step 1. Gather data from the extortion email – IP address, Bitcoin address (this is usually how the attacker demands payment), and unique strings – and launch an investigation. When it comes to our clients at Digital Shadows (now ReliaQuest), either our analysts help perform these types of investigations on their behalf, or in-house intelligence teams can utilize our Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) tool to perform the investigations themselves.

Step 2.  Assess if the actor is who they claim to be and understand their tactics, techniques and procedures (TTPs). At Digital Shadows (now ReliaQuest), we offer an intelligence repository of threat actors, TTPs and events to search against to help determine whether the actor has shown credible capability in the past to carry out a DDoS attack.

Security response planning

Figure 1: Search reveals vital context on threat actors for security response planning


Step 3. Based on the findings of the investigation, make an informed decision. In this case, the retailer took action to triage the incident and decided not to comply with the ransom demand. They never experienced a DDoS attack or future extortion demand.

Curious how this type of investigation actually unfolds? See how Digital Shadows (now ReliaQuest) SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) helps clients investigate digital risks such as cyber extortion and enables organizations to make an informed decision on mitigation: Test Drive SearchLight™ Free Here.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.