If You Think Ransomware Is Bad, You'll Hate Hackers' Latest Tool -- WSJ

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (September 14, 2017).

After years of stealing data for fraud and corporate espionage, hackers increasingly are trying a new way to profit from their digital break-ins: extortion.

Hacks involving HBO and Netflix Inc. in recent months have shed light on the extortion threat, which law-enforcement officials and companies that investigate these digital break-ins say has been on the rise in recent years. Instead of simply stealing passwords or credit-card data, or locking access to victims' systems as with ransomware, extortionist hackers try to unearth corporate secrets that they then threaten to make public if victims don't pay.

Because the extortionists threaten to expose sensitive material -- embarrassing emails or intellectual property like unreleased movies and scripts, for example -- the crime can be "more damaging and impactful to victim organizations than other types of theft of intellectual property" said Charles Carmakal, a vice president with cyber investigations firm FireEye Inc. Adding to the insidiousness of cyber extortion, those targeted by such efforts often have a difficult time determining how much data the hackers really have -- and in some cases the extortion attempts are simply bluffs, he said.

FireEye first noticed the uptick in extortion cases in 2015, and observed more than double the number of cases last year as hackers who previously sold stolen data realized that they could make even more money from extortion, Mr. Carmakal said. Other extortionists work for political reasons or "for fame and glory," rather than money, he said.

Such attacks in the past year have hit medical clinics, which hackers threatened with leaking patient information; casinos, where they threatened to divulge client lists; and energy companies, where hackers have shut down systems needed for mining operations in an extortion episode and threatened to release confidential business contracts and employee data, according to FireEye.

Extortion attacks are a cousin of ransomware hacks, which renders computer files unreadable until a payment is made, and hackers use similar techniques to access corporate data for extortion. Law-enforcement agents and private investigators say both types of attack are on the rise.

In a survey of more than 2,600 executives, consulting firm Grant Thornton found that 17% of cyberattacks in 2016 involved blackmail or extortion, including ransomware attacks, versus 12% resulting in outright theft of customer data and 11% theft of other intellectual property. "We're finding an increased incidence in the amount of illegal demands or threats, extortion, blackmail in various forms," said Paul Jacobs, a leader with the Grant Thornton's cybersecurity group.

In the HBO incident, executives since July have grappled with hackers who stole programs and other information from the Time Warner Inc. unit's computer systems and demanded an extortion payment of approximately $6 million to keep quiet. The hackers have leaked unreleased episodes of HBO shows such as the comedy "Ballers," script notes for its hit show, "Game of Thrones," and other data such as usernames and passwords used by HBO employees. HBO hasn't paid any money to the hackers.

Such extortion incidents have served as a wake-up call to Hollywood studios, Mr. Carmakal said.

In many ways, Hollywood is an ideal target for hackers. Pre-released shows and movies get a lot of attention, especially for titles that have loyal fan bases. Hollywood studios work with a wide network of partners to create the finished product, and these partners are increasingly becoming targets, said James Aquilina, global digital forensics leader with the cyber investigations company Stroz Friedberg. "This information lifecycle is in many ways rife for exploitation," he said.

Jill and Rick Larson, who run a sound-mixing studio in Los Angeles, found out they were under attack from an email just before 8 a.m. last Christmas. The sender claimed to have taken over their systems and threatened to go public -- a risk not only to their studio but to its clients, including Netflix, which had hired it to work on "Orange is the New Black."

When technical staff checked the Larsons' computers, they found all information had been wiped except a brief ransom note. It felt like "you went into your house and it had not only been broken into, but there was nothing left," Mr. Larson said.

The hackers demanded ransom of 50 bitcoins, at the time about $50,000, or they would post an unreleased episode of "Orange is the New Black" on New Year's Day. They gave the Larsons just a few hours to respond.

As the back-and-forth between the hackers and the Larsons dragged on over the next few months, Ms. Larson became an expert in the digital currency, struggling to acquire enough because her broker would sell her only 1 or 2 bitcoins at a time. The hackers called themselves "The Dark Overlord." The next weeks felt "like we were living in one of the episodes of the TV shows we do," Ms. Larson said.

The Larsons eventually paid $50,000. Then the hackers tried to extort money from Netflix too, the Larsons said. At the end of April, the cybercriminals released 10 episodes of the show, ahead of their scheduled debut. Netflix declined to comment.

Mr. Larson said their studio has lost clients because of the attack -- costing as much as 15% of its quarterly revenue, the company estimates.

Investigators say other victims also are paying ransom demands, and that encourages further attacks. "All it takes is one or two of these to be successful -- for a company to pay up on that kind of threat -- and then it will be prolific," said M.K. Palmore, an assistant special agent in charge with the Federal Bureau of Investigation.

One group, tracked by cybersecurity investigators at FireEye began by demanding an approximately $50,000 payment from casinos and energy companies in exchange for not publishing sensitive data. But their extortion fees have risen over the past year; Now they are demanding as much as $620,000, Mr. Carmakal said.

--Joe Flint contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

(END) Dow Jones Newswires

September 14, 2017 15:40 ET (19:40 GMT)