Ransomware. It’s one of those terms that most people have heard of by now, whatever their level of interest or deliberate engagement with the world of cybersecurity. It was arguably the WannaCry ‘ransomware’ attack in May 2017 that brought the topic out of the shadows and into the light. Yet ransomware has a clear definition and one that, in a world of growing digital complexity, matters.
Without being reductive, the language we use in any facet of life and industry directly correlates to and impacts our ability to discuss, inform, engage and overcome barriers we collectively face. In this instance, the relegation of ransomware to seemingly mean ‘any aspect of cybercrime involving extortion’ simply doesn’t enable us to frame, police and take action against it and other even more malicious forms of cybercrime.
The technical term ‘ransomware’ is best summarized as a “subset of malware in which the data on a victim’s computer is locked – typically by encryption – and payment is demanded before the ransomed data is decrypted and access is returned to the victim.” It’s become the de facto label for a well-established, not to mention profitable, corner of the cybercrime ecosystem. Yet increasingly, we’re seeing attacker groups shift to attacks that don’t use malware and are simultaneously more aggressive and more simply done. For example, we’ve seen an increase in so-called ‘double extortion’ attacks, which use public websites that list and threaten victims and their stolen data to coax them into caving to demands.
At the beginning of 2020, Orange Cyberdefense initiated a project to track and document these instances, and even we were shocked. We observed a 53% increase in global double extortion leaks from 2020 to 2021. In 2021, we tracked 2296 distinct leaks across 53 different extortion operators, whose leak sites we could observe. With cyber-criminals visibly extorting approximately 191 new victims each month since the start of 2021 (for just this observable aspect of the problem), the scope of the problem is almost overwhelming.
Yet ‘ransomware’ refers to a form of malware sometimes used to underpin this kind of crime, not the form of the crime itself. The crime in question doesn’t depend on this kind of malware either. Given this shift away from malware to simple data theft or denial of service (DoS), the use of the term ransomware doesn’t cover the actual crimes being committed, from access to computers, theft of data and ultimately, some kind of extortion.
We propose using the term ‘cyber extortion’ (abbreviated to Cy-X ). Additionally, we propose a simple but useful definition, both to those in the IT and security worlds and to law enforcement who have to monitor, counter and prosecute these malicious acts:
“Cy-X is a form of computer crime in which the security of a corporate digital asset (confidentiality, integrity or availability) is compromised and exploited in a threat of some form to extort a payment.”
Words, Words, Words…
This definition and the more regular use of such terminology enable us to identify the problem and its solutions better. As you’d expect, there is no one-stop-shop, quick-fix for the issue of Cy-X. However, we can (and do!) apply the criminal theory of routine activity theory (RAT) – developed by criminologists Cohen and Felson in 1979 – to Cy-X and derive a better-formed understanding of the crossroads where victims and perpetrators meet and online crime occurs (or is likely to).
Firstly, we need a motivated offender (the initial access broker, affiliates and operators who access and steal data). Secondly, we need a suitable victim (whether an individual or an entity). Finally, we need a lack of capable guardians – whether security services, cybercrime experts or wider society (other people). There are Cy-X equivalents to a real-world (offline) crime, where a thief trespasses, burgles and then extorts over the return of something of value to the victim. In this example, the online and offline preventative actions are nigh-on the same: reduce the offender’s motivation, minimize the suitability and visibility of potential victims and maximize the availability and efficacy of suitable guardians.
In essence, overcoming the growth of Cy-X is a circular process with no beginning. Yet, as an industry, we must start somewhere. A coordinated law enforcement approach to Cy-X, now we have identified it as a separate issue to ransomware, can limit the flow of funds from victim to perpetrator, which is the single biggest motivation for offenders.
As experts, we can also limit the attractiveness of victims by reducing the attack surface available, raising awareness of poor security hygiene, and encouraging the use of encryption or honeytokens to make digital assets harder to crack. The role of guardians (the online ‘police’ in this example) is very limited in cyber space’s vast spread. It’s still a wild west, and community-led approaches to online security are more effective than any silver bullet.
Whatever the name we give what we dub Cy-X – the goal is clear for 2022. Identify our weaknesses, leverage our resources and motivate our people to work together to improve our overall resilience. Words will matter in this fight, so we’re all united against the same enemy and their myriad methods of exploiting the vulnerable online.