Scott Heiferman received a disturbing email one recent Thursday morning that he quickly realized would have ripple effects for his company’s 16 million users.
The author of the message offered to stop a looming cyber attack on social networking site Meetup.com in exchange for $300. Almost immediately, Meetup.com’s servers were bombarded with enormous levels of traffic that brought its services down.
Heiferman is among the latest victims of mafia-style extortion tactics increasingly being carried out by sophisticated cyber criminals who conduct DDoS attacks or hold sensitive data hostage until they are paid a ransom that can range between hundreds and millions of dollars.
“It sounds exactly like something out of the 1920s and the extortion racket. Now it’s being played out in cyberspace,” said Carl Herberger, vice president of security solutions at Radware (RDWR).
Unlike many victims, Heiferman’s company decided not to pay off the hackers, and his site was knocked offline for about 24 hours.
“We live in a world where criminals can make extortion threats against an organization like ours and temporarily frustrate millions of people,” Heiferman said in a blog post detailing the incident earlier this year.
‘Sophisticated and Well-Armed’
Cyber extortion has been carried out at various levels of intensity over the past decade, with distributed denial of service attacks (DDoS) as the preferred weapon for the bulk of that time.
In these kinds of attacks, hackers flood websites of businesses small and large with unreasonable amounts of traffic that overwhelms servers and knocks out service. The criminals then offer to thwart the attack in exchange for a fee, essentially extorting business owners.
“It’s a brute-force type of attack. The level of sophistication to carry out the attack is pretty low. Any run-of-the-mill cyber criminal could do it,” said Greg Martin, CEO of cyber startup ThreatStream, which raised $4 million from Google’s (GOOG) venture capital arm.
Online project management software maker Basecamp was hit by a DDoS extortion late last month that shut down access to its website.
“These criminals are sophisticated and well-armed,” the company said in a blog post.
Ransom Payments Mulled
Both Basecamp and Meetup refused to give in and pay the ransom, turning to security experts for help instead.
“We believe if we pay, the criminals would simply demand much more. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world,” Heiferman of Meetup explained in his blog post.
However, security executives said many other victims are paying to make the problem go away.
“What choice are companies left with that don’t have a lot of resources or time?” asked Herberger. “The number is fairly non-objectionable to the victim so they just pay it. They are trying to get the victim to run a cost-benefit analysis in their head.”
Insurance giant Chubb (CB) keeps The Ackerman Group, which is run by a former CIA official, on retainer to handle complex cyber extortion situations.
“In any extortion or kidnapping, you assume it’s a negotiation,” said Mike Ackerman, president and CEO of the firm.
Ackerman said his clients have faced six, seven and even eight-figure ransoms to resolve serious cyber extortion. His firm often suggests scripts to negotiate with extortionists that are then approved by the client.
Ackerman’s firm is contractually obligated to respond to cyber extortion claims by holders of Chubb’s cyber insurance policy, a fast-growing area of the insurance world. Depending on the policy details, Chubb would then reimburse the victim company for its costs to retain the specialist and potentially for related ransom payments.
Ackerman said the aim is to ensure the company does not lose “precious” information and the criminal is arrested. “That’s our goal and what we strive for. We have been generally successful,” he said.
Hackers Deploy ‘Ransomware’
The threat of cyber extortion has become more serious amid the recent rise of so-called “ransomware”: sophisticated forms of malware like CryptoLocker that are designed specifically for this type of crime. These malicious programs scour computers for important documents like PDF files and then use extremely strong encryption methods to lock users out of these files until a ransom is paid.
In the past few weeks, cyber researchers have sounded the alarm about a far more dangerous type of automated ransomware known as CryptoDefense. After infecting laptops with trick emails, CryptoDefense automatically encrypts all files and demands a $500 ransom payout that rises to $1,000. The malware then destroys the key if no ransom is paid within one month.
“The files will never be recoverable. There is nothing you can do. Not even the best cryptologists in the world can feasibly break this kind of encryption. That’s what’s so frightening,” said Martin.
In a blog post, security company Symantec (SYMC) said it has blocked 11,000 unique CryptoDefense infections in over 100 countries in the past month alone. Symantec believes the criminals behind the malware have earned over $34,000, largely through Bitcoin ransom payments.
Martin, a former consultant to the Secret Service and FBI, said the cyber security community was recently buzzing about a local police department that was hit by CryptoDefense and forced to pay a ransom. Martin declined to name the police department.
It’s not always clear where cyber extortionists reside, but security executives believe many of them are from Russia and former Soviet countries where there is little appetite from law enforcement to intervene.
A spokesperson for the FBI said these types of attacks are “on our radar.” Between October 2012 and June 2013, the FBI and the Department of Homeland Security released nearly 168,000 IP addresses of computers believed to have been infected with DDoS malware.
“These actions have enabled our foreign partners to take action and reduced the effectiveness of the botnets and the DDoS attacks. We are continuing to target botnets through this strategy and others,” Richard McFeely, executive assistant director of the FBI’s criminal, cyber, response and services branch, said in Congressional testimony last year.
Security executives said businesses and individuals need to be vigilant about protecting themselves against malware.
“Don’t open attachments on your email that look suspicious. Basic security 101 stuff,” said Martin.