Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.”

Did it work?

F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger.

Did they hurt the little girl?

I don’t know. There probably never was a little girl — the point of the story isn’t the little girl. The point of the story is they robbed the bank with a telephone.

This is out of the opening scene of Pulp Fiction and clearly, it’s fictitious. Except for when it isn’t:

Notice of extortion

Brian Krebs reported on this a few months ago and it’s about as brazen as you’d expect online criminals to get: give us money or we’ll mess up your stuff. It’s the mob protection racket of the digital era, only more random, with less chance of getting caught and not as many gold necklaces (I assume). That one bitcoin is worth about $400 US today, so enough for a tidy little return but not enough to make the ransom unachievable for most small businesses.

The worrying thing is though, this is just part of a larger trend that’s drawing online criminals into the very lucrative world of extortion and we’re seeing many new precedents in all sorts of different areas of the online world. Let me show you what I mean.

Destroying a business via the web

Let’s say you have a hankering for a plate of lion meat one day (you heard me) so you do a Google search and find the perfect restaurant – but it’s shut on weekends. Bugger. So you go somewhere else as do all the other exotic food hunters looking for the king of the jungle with a side of fries. This was the fate the Serbian Crown in the US met with earlier this year (that’s a web archive link, do make sure your sound is turned way up to enjoy the full experience):

The Serbian Crown

You see, some enterprising soul had decided to take the initiative of creating a Google Places entry for the joint and misrepresented their operating hours:

It turned out that Google Places, the search giant’s vast business directory, was misreporting the Serbian Crown’s hours. Anyone Googling Serbian Crown, or plugging it into Google Maps, was told incorrectly that the restaurant was closed on the weekends

The point of all this is that when it comes to letters of extortion, attackers can actually be quite effective in carrying out their threats. They can destroy businesses to the extent that a Bitcoin or two to keep one alive suddenly doesn’t seem like such a bad deal, and that’s enormously worrying. But the spate of extortion we’ve seen this year goes well beyond mere threats to damage the victim’s business: increasingly the attacker already owns the target, and now they’re talking ransom.

Corporate espionage and ransom

I’ve actually had this blog post in draft for a little while, adding pieces to it as new events occurred. The catalyst for completing it was this one:

Sony Hacked By #GOP

This was allegedly “on every computer all over Sony Pictures nationwide” today. The referenced zip file contains a couple of hundred meg of text files with file listings that look legit. If you take this at face value (and given they’ve demonstrated they had control of a number of Sony Pictures Twitter accounts that’s the safe assumption to make), that’s a huge amount of sensitive data they’re sitting on. Here’s just a snippet of what I found this morning:

Alleged file list from the Sony hack

It’s not clear what #GOP has demanded from Sony but what is clear is that they potentially have hold of a whole heap of very sensitive data there. At the time of writing, their deadline was going on half a day ago and there was still no mass release of data to the public so clearly it was an empty threat, right? Or did Sony pay up? Does anyone pay up? Apparently yes.

An extortion success story: Nokia

Earlier this year there was a report that in 2007, Nokia paid an extortionist “several million euros” for some encryption keys. Holy crap does this business pay! Sometimes.

The problem in a case like this is that paying the extortion made good financial sense to Nokia. Had someone started to exploit those keys to sign packages which could then be installed on their devices under Nokia’s identity, they could have taken a massive hit on consumer confidence at a time when they were just starting to lose serious market share.

Think extortionists are just targeting corporate entities? Think again, everyday consumers are getting hit too.

The mechanics of the iCloud “hack” and how iOS devices are being held to ransom

It’s not just the big guys getting hit with ransoms; everyday consumers are getting pinged by attackers too. Back in May I wrote about this:

iPhone hacked by Oleg Pliss

This especially hit unsuspecting Aussies for reasons which weren’t apparent at the time, but which later turned out to be the result of phishing pages that inevitably had a penchant for targeting those of us down under. Whilst this was often reported as being malware, there was no “ware” to it; rather it was a case of the attacker simply using the “Find My iPhone” feature to remotely lock the device and, where no lock screen PIN existed, set one of their own. You got the PIN once you paid the cash. It was ingeniously simple.

Of course consumers have been hit with ransoms before; CryptoLocker is a perfect example of this. You get malware via one of the usual means, all your things get encrypted and then the attacker demands money to release the private key to you. That’s another one that has been quite effective down here, with a particularly high profile case of a doctor’s surgery being hit a couple of years back.

A seemingly endless stream of ransoms

Ransoms seem to be really hitting their straps as of late. Beyond all the cases above, there are incidents like Dominos in France back in June, with the hackers demanding €30,000 and speculation rife both that it had been paid and that it had been rejected. Probably only Dominos and the attackers know for sure.

The month after that it was the European Central Bank getting hacked and allegedly threatened by an extortionist.

A month later again and Android phones are accusing people of liking their pets just a little bit too much and demanding cash lest you be reported to the FBI who are apparently interested in such things.

Just last week it was the city of Detroit getting owned with attackers wanting a couple of thousand Bitcoins for their troubles. Detroit of all places! Aren’t they the ones in financial dire straits?!

Ransoms will increase because they make good sense

Think about it: you don’t have to come face to face with anyone as in the extortion rackets of old, you can run the whole gig from your office / bedroom / dungeon, there’s more and more connected stuff with more and more vulnerabilities, we’re both personally and professionally more dependent than ever on online services and, best of all, we’ve got easy access to cryptocurrency for when victims pay up!

Well actually, it’s even better than that (for the attackers at least), because it makes good financial sense for victims to pay: in many cases the attackers have done a damn good job. That’s not an endorsement of the ethics of the whole thing, rather an observation that in many of these cases they’ve actually left the victim with little choice: pay or be seriously inconvenienced. They’re making the return on investment too attractive to say “no”, and that’s an extremely worrying trend.

It’s even better than walking into the bank with a phone, these days you just send an anonymous email.

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals