Chapter 1

Impact

Heck, what’s a little extortion among friends?

—Bill Watterson

Learning Objectives

  • Define cyber extortion and explain the four types (denial, exposure, modification, and “faux”)

  • Understand the impacts of cyber extortion on modern organizations

  • Recognize that adversaries can leverage technology suppliers to compromise victims and conduct cyber extortion on a massive scale

Company X was a thriving accounting firm headquartered in a major U.S. city. Every day, its staff handled bookkeeping, financial oversight, tax preparation, and a myriad of other tasks for hundreds of clients.

Suddenly, one Monday morning, everything stopped. An early-rising staff member walked into the office and heard a frightening sound. Every computer was shouting a message: “Attention! What happened? All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance!”

Scattered around the office were papers everywhere. All of the printers in the office had printed the ransom note, over and over, until the paper trays were empty. The point-of-sale systems that staff used to process credit cards had spit out the ransom notes on printed receipts, over and over, until the long reams spilled off the desks.

A chilling voicemail awaited one of the firm’s partners: “Hello, Mr. [REDACTED],” stated an emotionless male voice with an Eastern European accent, “I’d like to notify you that we downloaded 500 gigabytes of data from your servers. If you’re planning to just restore your data without paying for decryption, we’ll sell your company’s data on darknet.

“Unless you contact us ASAP, we’ll notify all of your clients that we are in possession of their private data, like Social Security numbers and tax forms. We urge you to get in touch with us using the email from the text file we’ve placed on your desktop.”

The voice paused for effect. “If we leak that data, your business will be as good as gone. We are looking forward to receiving your reply via email.”

Click. With that, the voicemail ended.

The criminals demanded $1.2 million to restore access and to refrain from publishing the client data.

In the meantime, the firm was down. Databases containing client files were fully encrypted and unusable. Employees couldn’t access shared folders, including client documents, firm payroll details, human resources (HR) data, and more. All of the clients that depended on them for daily bookkeeping or time-sensitive services were stuck.

Fortunately, the firm’s cloud-based email was still available, too—and the criminals leveraged that. “Good morning,” the criminals wrote in a follow-up email. “I think you still cannot understand what situation your company is in now. … First of all, we will sell the personal data of your employees and customers on the market. … [You] will be sued by both your employees and your clients.” The criminals attached the partners’ own personal tax returns to the email to illustrate the threat.

It quickly became clear that the criminals had hacked the firm’s email accounts as well and were monitoring the victim’s response. “We also saw the report that [antivirus vendor] provided you,” the criminals wrote. “It contains many errors.”

The criminals had a playbook. Day in and day out, they held organizations hostage using the Internet. First, they gained access to their victim’s network. For Company X, the initial hack occurred in May, when an employee opened an attachment in a phishing email. The employee’s computer was infected with malware—specifically, a remote access Trojan (known as a “RAT”), which gave the criminals remote access to the employee’s computer.

Company X’s antivirus software did not detect the infection. The criminals lurked for about three months. They occasionally logged in to the employee’s computer remotely, presumably to check that their access still worked, but did little else. It is possible that during this time, these criminals simply peddled access to the hacked computer on the dark web. Hackers known as “initial access brokers” specialize in gaining access to computers. They then sell this access to other criminals, and in this way quickly turn their crime into profit. The purchasers—often organized crime groups—then take the next step of exploring the victim’s network, stealing data and potentially holding them for ransom.

Suddenly, in August, criminals later identified as the Twisted Spider ransomware gang1 remotely logged onto the employee’s infected computer. Using common penetration testing tools, they stole passwords from the employee’s computer, including the username and password of the managed service provider (MSP) that remotely administered the company’s computers. Then, they used these credentials to take full control of Company X’s network.

1. Jon DiMaggio, Ransom Mafia: Analysis of the World’s First Ransomware Cartel (Analyst1, April 7, 2021), https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf.

The Twisted Spider gang went straight for the heart: They copied all of the files from the firm’s primary data repository. Then, they installed fast and effective ransomware software that encrypted all of the company’s servers, including databases, application servers, domain controllers, and more. They left workstations alone, not bothering to comb through individual accounts or computers. It was like a well-executed smash-and-grab.

The criminals knew their victims’ pain points. They knew that the short-term business interruption was impactful, but even more devastating were the potential long-term consequences that could arise from angry clients who were upset that their data was stolen. The Twisted Spider hackers made sure to demonstrate that they had access to sensitive, regulated information, ranging from Social Security numbers to tax details. They explicitly reminded the victim’s executives that they could be sued by employees and clients. They made it clear that they were prepared to publish the data and directly contact affected clients so as to damage the firm’s reputation. This, in turn, could lead to loss of business, plus lawsuits, threatening the firm’s very survival.

Company X paid the ransom—or rather, their cyber insurance firm paid the ransom, less a $25,000 deductible. The authors of this book were called to handle the negotiation and successfully obtained a hefty discount, settling the case for a little less than $600,000. Not surprisingly, Twisted Spider appeared to leverage inside information during the negotiations: Company X had an insurance policy with a ransomware sublimit of $600,000.

Once Twisted Spider verified that the money was received (in the form of cryptocurrency), the criminals provided preconfigured software to decrypt the encrypted files, and “confirmed” via chat that they had deleted the data. They even created a full list of all files that they claimed to have deleted, and shared this via email, presumably to provide the victim with documentation that could assuage client concerns or negate the need for notification. However, Company X’s cyber lawyers determined that notification was required anyway, for both legal and ethical reasons.

1.1 A Cyber Epidemic

Company X was not alone in suffering such an attack. Thousands (if not millions) of organizations have been hit with cyber extortion over the past decade. What was once a novel crime has become mainstream—at great cost to society.

Cyber extortion attacks have shuttered hospitals, forced school closures, disrupted the food supply, and even caused large-scale fuel shortages. Today, ransomware attacks are also being pushed out to thousands of organizations simultaneously through the technology supply chain.

The cost of ransomware was estimated to hit $20 billion in 2021, and is predicted to balloon to $265 billion by 2031, according to research firm Cybersecurity Ventures.2 In a global survey, 37% of organizations reported that they were hit by ransomware attacks in 2020,3 although the full scale of the problem is impossible to assess because many victims do not report the crime.4

2. David Braue, “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031,” Cybercrime Magazine, June 2, 2022, https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/.

3. Sophos, The State of Ransomware 2021, 2021, https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf.

4. Danny Palmer, “Ransomware Victims Aren’t Reporting Attacks to Police. That’s Causing a Big Problem,” ZDNet, October 5, 2020, www.zdnet.com/article/ransomware-victims-arent-reporting-attacks-to-police-thats-causing-a-big-problem/.

Propelled by their success, cybercriminals have invested in increasingly sophisticated cyber extortion technology and business models. Cyber extortion has evolved from small, one-off attacks to a bustling criminal economy, with franchises, affiliates, specialized software, and user-friendly playbooks.

Defenders need to ramp up their efforts, too. It is possible to dramatically reduce the damage of a cyber extortion crisis, or even prevent one altogether, by acting quickly and strategically in response to prodromal signs of an attack. Given that cyber extortion tactics evolve quickly, defenders’ tactics must constantly adapt as well.

In this chapter, we first build a foundation by evaluating the impacts of cyber extortion and understanding how this crime has evolved. Then, we discuss key technological advancements that have facilitated the expansion of ransomware specifically, as well as other forms of cyber extortion. Modern cyber extortion gangs have adopted scalable business models that often involve affiliates and industry specialists, and increasingly leverage threats of data exposure. We conclude by analyzing the next-generation cyber extortion business model, which will provide context for the response and prevention tactics introduced throughout this book.

1.2 What Is Cyber Extortion?


Definition: Cyber Extortion

Cyber extortion is an attack in which an adversary attempts to obtain something of value by threatening the confidentiality, integrity, and/or availability of information technology resources.

Extortion is a crime that has evolved along with humanity. It refers to the act of obtaining something of value “by force, intimidation, or undue or illegal power.”5 As the Internet evolved and organizations around the world came to depend upon computing resources to operate, cybercriminals adapted old tactics to this new digital world.

5. “Extortion,” Merriam-Webster, www.merriam-webster.com/dictionary/extortion.

1.2.1 CIA Triad

To create leverage, adversaries threaten one or more of the three security objectives for information and information systems, as defined by the Federal Information Security Management Act (FISMA) of 2002:

  • Confidentiality

  • Integrity

  • Availability

Colloquially, these three objectives are known as the “CIA Triad,” after their acronym.6 The FISMA definitions were written for departments, vendors, and contractors of the federal government, but the triad itself long predates the statute and has been adopted throughout the information security community. Although cyber extortion can violate any of the three CIA objectives, today’s adversaries most commonly threaten confidentiality and availability.

6. “Standards for Security Categorization of Federal Information and Information Systems,” National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, February 2004, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.

1.2.2 Types of Cyber Extortion

Cyber extortion attacks fit into one of four categories—exposure, modification, denial, or faux:

  • Exposure: Threatens the confidentiality of information resources. For example, an adversary may steal data from a victim, and threaten to either publish or sell it unless a ransom is paid.

  • Modification: Threatens the integrity of information resources. An adversary can modify key elements of an organization’s data, such as patient records or bank transactions, and demand a payment in exchange for restoring the original data or identifying the changes.7 This type of attack is rare at the time of this writing, but adversaries may decide to leverage it in the future, particularly if scalable modification tools are developed.

    7. “Enterprise Ransomware,” CyberCube, 2022, https://insights.cybcube.com/enterprise-ransomware-report.

  • Denial: Threatens the availability of information resources. Ransomware attacks are the most common example of denial extortion. In these cases, an adversary encrypts a victim’s files and refuses to release the decryption key unless a ransom is paid. Distributed denial-of-service (DDoS) attacks have also been used by adversaries to create leverage for extortion.8,9

    8. Lance Whitney, “How Ransomware Actors Are Adding DDoS Attacks to Their Arsenals,” TechRepublic, June 2, 2021, www.techrepublic.com/article/how-ransomware-actors-are-adding-ddos-attacks-to-their-arsenals/.

    9. Lawrence Abrams, “Ransomware Gangs Add DDoS Attacks to Their Extortion Arsenal,” Bleeping Computer, October 1, 2020, www.bleepingcomputer.com/news/security/ransomware-gangs-add-ddos-attacks-to-their-extortion-arsenal/.

  • Faux: An attack that appears to be cyber extortion, but in fact is not. For example, the destructive “NotPetya” malware masqueraded as ransomware, but was actually designed to destroy the victim’s systems with no hope of recovery. (See Chapter 7 for more details on the NotPetya attacks.)


A Word About the “Adversary”

When we use the term “adversary” throughout this book, we are referring to the collection of actors involved in executing a cyber extortion attack, and not necessarily to a single actor.

Modern cyber extortion attacks often involve many different actors. For example, an “initial access broker” may gain the first entry into a victim’s network, and then sell or rent access to other adversaries.10 Sophisticated cyber extortion gangs may have employees or contractors with specialized skill sets that are employed at various stages of an attack. For simplicity, all of these actors are included when we refer to the “adversary” throughout this book.

10. Victoria Kivilevich and Raveed Laeb, “The Secret Life of an Initial Access Broker,” KELA, August 6, 2020, https://ke-la.com/the-secret-life-of-an-initial-access-broker/.

1.2.3 Multicomponent Extortion

Increasingly, adversaries use multiple forms of extortion in combination, in an effort to increase their chances of scoring a big payday. Starting in late 2019, the Maze group pioneered the “double extortion” trend, combining both ransomware and data exposure threats. The term “double extortion” refers to the use of two cyber extortion tactics in tandem, such as denial and exposure threats. This creates greater leverage for the adversary and can result in a larger payment from the victim.

Other groups such as RagnarLocker, Avaddon, and SunCrypt have combined DDoS tactics with traditional ransomware or data exposure threats.11,12 For example, in an October 2020 attack on a home appliances company, the SunCrypt gang launched a DDoS attack against the victim’s network after initial ransomware negotiations stalled. According to a leaked transcript, the criminals wrote: “We were in the process on the negotiations and you didn’t show up so further actions were taken.”13

11. Lawrence Abrams, “Another Ransomware Now Uses DDoS Attacks to Force Victims to Pay,” Bleeping Computer, January 24, 2021, www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/.

12. Sean Newman, “How Ransomware Is Teaming up with DDoS,” Infosecurity Magazine, June 18, 2021, www.infosecurity-magazine.com/opinions/ransomware-teaming-ddos/.

13. Newman, “How Ransomware Is Teaming up with DDoS.”

We will discuss the expansion of extortion tactics in more detail throughout Chapter 2.

1.3 Impacts of Modern Cyber Extortion

Cyber extortion attacks have the potential to cause severe damage to organizations. Their impacts may include operational disruption, financial loss, reputational damage, and litigation, as well as ripple effects for employees, customers, stakeholders, and the broader community.

In this section, we discuss common negative effects of cyber extortion attacks, setting the stage for discussions of response and mitigation throughout this book.

1.3.1 Operational Disruption

The short-term impacts of cyber extortion can include partial or complete disruption of normal operations. This is particularly the case when the adversary uses denial tactics, such as ransomware or DDoS attacks.

For example, Scripps Health, a California-based health system, was hit with a ransomware attack in April 2021 that disrupted access to electronic health records for nearly four weeks. During this time, many patients were diverted to other facilities, and non-urgent appointments were delayed.14 That July, affiliates of the REvil ransomware gang detonated ransomware at roughly 1,500 organizations around the world by exploiting vulnerabilities in the popular Kaseya VSA remote management software.15 As a result, the Swedish grocery chain Coop was forced to close hundreds of stores, causing food to spoil and leading to a significant revenue loss for the company.16

14. “147,000 Patients Affected by Scripps Health Ransomware Attack,” HIPAA Journal, June 3, 2021, www.hipaajournal.com/147000-patients-affected-by-scripps-health-ransomware-attack/.

15. Liam Tung, “Kaseya Ransomware Attack: 1,500 Companies Affected, Company Confirms,” ZDNet, July 6, 2021, www.zdnet.com/article/kaseya-ransomware-attack-1500-companies-affected-company-confirms/.

16. Lawrence Abrams, “Coop Supermarket Closes 500 Stores After Kaseya Ransomware Attack,” Bleeping Computer, July 3, 2021, www.bleepingcomputer.com/news/security/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/.

In a recent survey by security company Cybereason, more than one-fourth of respondents reported that they had been forced to close, at least temporarily, following a ransomware attack,17 and 29% were forced to cut jobs.18 Downtime statistics vary widely, but in the authors’ experience, partial recovery typically comes within two to five days; resumption of normal operations takes two to four weeks.

17. Ransomware: The True Cost to Business (Cybereason, 2021), p. 14, www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021.pdf.

18. Ransomware: The True Cost to Business, p. 12.

The good news (if you could call it that) is that 96% of ransomware victims were able to get some of their data back, whether by restoring it from backups, using an adversary-supplied decryptor, or through other means, according to a 2021 survey conducted by security vendor Sophos. An important caveat applies, however: victims that paid the ransom recovered only 65% of their data, on average, and just 8% of those who paid got all of their data back.19 Permanent data loss can lead to errors and cause extra work for many years in the future.

19. Sophos, The State of Ransomware 2021, p. 11.


Definition: Decryptor

The term “decryptor” refers to software that is used to decrypt data that was encrypted during a ransomware incident. While this term is not yet in the dictionary (as of the time this book was written), it is commonly used by ransomware response professionals, and so we will use it throughout this book. Note that ransomware decryptors can be obtained from many different sources, including free decryptors from security vendors, experimental utilities created by government or law enforcement agencies, and software purchased from the adversary in exchange for a ransom payment.

Ransomware attacks can even put businesses out of business. In 2019, U.S.-based healthcare provider Wood Ranch Medical closed its doors forever after a ransomware attack encrypted all their patient data. “Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” wrote the practice in its final statement to patients. “We will be closing our practice and ceasing operations…”20

20. Wood Ranch Medical, “Wood Ranch Medical Notifies Patients of Ransomware Attack,” September 18, 2019, https://web.archive.org/web/20191229063121/https://www.woodranchmedical.com/.


A Word About “Ransomware”

The term “ransomware” originally referred to malicious software used to deny victims access to information resources, typically by encrypting files or devices. Over time, colloquial use of this term has broadened to include other types of cyber extortion, such as threats to publish data.

In this book, we will use the term “ransomware” specifically to refer to the malicious software used to deny access to information resources. In the broader sense, we will use the term “cyber extortion.”

1.3.2 Financial Loss

Cyber extortion can have a devastating impact on a victim’s financial state. Losses typically accrue because of short-term disruption to the victim’s revenue generation process, expenses related to investigation and remediation, and the ransom payment itself. For example, the global shipping company Maersk reported total losses between $250 million and $300 million after its IT infrastructure was suddenly wiped out in the destructive NotPetya faux ransomware attacks of 2017. The NotPetya malware overwrote the boot record and encrypted the file system tables of infected computers. Although it displayed a ransom note offering recovery in exchange for payment, the malware never retained a usable key, so the files were unrecoverable.21

21. Mike McQuade, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

In this section, we discuss three common causes of financial loss in cyber extortion attacks: revenue disruption, remediation costs, and ransom payments.

1.3.2.1 Revenue Disruption

Obviously, any operational interruption can cause an immediate disruption in revenue generation. This is especially impactful for businesses that generate revenue daily (as opposed to nonprofit organizations, schools, and public entities that may be funded on an annual basis). Hospitals, retailers, professional services firms, and transportation and manufacturing companies are hit particularly hard by such disruptions. For example, Scripps Health reportedly lost $91.6 million of revenue as a result of its 2021 cyberattack, largely due to “volume reductions during May 2021 from emergency room diversions and postponement of elective surgeries.”22

22. Robert King, “May Cyberattack Cost Scripps Nearly $113M in Lost Revenue, More Costs,” Fierce Healthcare, August 11, 2021, www.fiercehealthcare.com/hospitals/may-cyber-attack-cost-scripps-nearly-113m-lost-revenue-more-costs.

Business interruption insurance can soften the blow to a victim’s wallet. Typically, this type of insurance kicks in after a waiting period (such as 24 hours), after which the insurer will cover lost revenue up to a set dollar amount. See Chapter 12 for more information on cyber insurance coverage.

1.3.2.2 Remediation Costs

The costs to remediate a ransomware attack can add up quickly. Depending on the recovery strategy, necessary expenses may include hardware purchases (such as new hard drives or desktops deployed to quickly replace infected ones), software licenses, outsourced IT support, security and forensics services, and more.

The City of Baltimore reportedly spent more than $18 million recovering from its 2019 Robbinhood ransomware attack—a figure that generated significant controversy, since the ransom demand was only a fraction of this cost (the equivalent of $76,000 in Bitcoin).23 A large percentage of the funds were originally earmarked for parks and recreation.24 Similarly, Scripps Health reportedly spent at least $21.1 million on investigation and recovery following its 2021 attack.25

23. Ian Duncan, “Baltimore Estimates Cost of Ransomware Attack at $18.2 Million as Government Begins to Restore Email Accounts,” The Baltimore Sun, May 29, 2019, www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-ransomware-email-20190529-story.html.

24. Luke Broadwater, “Baltimore Transfers $6 Million to Pay for Ransomware Atttack; City Considers Insurance Against Hacks,” The Baltimore Sun, August 28, 2019, www.baltimoresun.com/politics/bs-md-ci-ransomware-expenses-20190828-njgznd7dsfaxbbaglnvnbkgjhe-story.html.

25. King, “May Cyberattack Cost Scripps Nearly $113M.”

In 2021, the cost to remediate a ransomware attack more than doubled compared with the previous year, averaging $1.85 million, according to Sophos.26 The average cost of a ransomware attack when a data breach was also involved was $4.62 million, according to IBM’s 2021 Cost of a Data Breach Report.

26. Sophos, The State of Ransomware 2021, p. 12.

1.3.2.3 Ransom Payments

Obviously, the cost of a ransom payment itself can dramatically impact a victim’s finances. The average ransom payment has increased enormously in just a few short years. Many ransom payments are never disclosed, so it’s impossible to know the full picture, but we can monitor trends based on information published by ransom negotiators, insurance companies, and cryptocurrency research firms.

The incident response firm Coveware reported an average ransom payment of $136,576 in the second quarter of 2021, based on an analysis of the cases in which it was involved in the payment process.27 While this amount was down from the high reported by Coveware in 2020, it was a dramatic increase compared with the reported average ransom payment of $36,295 in the second quarter of 2019, and a mere $6,733 at the end of 2018.28

27. Coveware, “Q2 Ransom Payment Amounts Decline as Ransomware Becomes a National Security Priority,” July 23, 2021, www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority.

28. Coveware, “Ransomware Amounts Rise 3x in Q2 as Ryuk & Sodinokibi Spread,” July 16, 2019, www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread.

Cyber insurance firm Coalition reported an average ransom demand of $1,193,159 in the first half of 2021—an increase of 170% compared with the first half of 2020. (Note that a ransom demand is different from a ransom payment; adversaries often negotiate and agree to discounts of 50% or more, particularly when higher dollar amounts are involved.) Coalition noted that “Our data only accounts for incidents where the organization filed a claim and the losses were above the organization’s deductible,” further skewing the average losses to the higher side.29

29. Coalition, H1 2021: Cyber Insurance Claims Report, July 2021, pp. 11–13, https://info.coalitioninc.com/download-2021-h1-cyber-claims-report.html.

According to Chainalysis, a cryptocurrency research firm, the average ransom payment rose significantly—from $12,000 in the fourth quarter of 2019 to $54,000 in the first quarter of 2021.30 Their data is based on payments to known ransomware-linked wallet addresses.

30. Since the Chainalysis data is based on payments to known ransomware-linked wallet addresses, early reports tended to underestimate the actual value of ransomware payments. As more addresses are linked to known criminals over time, the value of known payments tends to rise. This analysis is also limited in that only certain types of cryptocurrency are traceable (the Chainalysis research includes Bitcoin, Bitcoin Cash, Ethereum, and Tether). More and more criminals are shifting to payments in Monero, because it is much more difficult to track.

The authors of this book can corroborate the trend toward higher ransom demands and payments. When we first began handling cyber extortion attacks in 2016, ransom demands were typically a few thousand dollars. As adversaries increased their capabilities and reach, ransom demands ballooned. As we wrote this book in 2022, we were regularly seeing ransom demands that ranged from $750,000 to $5 million. Clearly, the landscape has changed.


Heads Up! Skewed Statistics

Throughout this book, we’ll share statistics related to cyber extortion. However, there are critical limitations to all existing studies on cyber extortion. In particular:

  • Underreporting: There is no universal law requiring victims to report cyber extortion attacks (and even if there were, some would still choose to quietly sweep the incident under the rug). In some cases, the adversary deliberately publicizes a cyber extortion event. At other times, the impact is significant enough that the event becomes widely known (such as ransomware attacks on hospitals). However, many cyber extortion attacks are handled discreetly, without disclosure, and these cases may simply not be included in published statistics.

  • Statistical bias: Many cyber extortion statistics are produced by security vendors, incident response firms, ransom negotiation specialists, and insurance companies. As a result, their sample set is limited to their own customers or customers of affiliates, and is not representative of a broad spectrum of cyber extortion victims. Trends reported may be a result of changes to the author’s business, and not a result of actual changes in the cyber extortion landscape. Confusingly, vendors often try to represent their reports as using a statistically valid sampling technique, and journalists will report their data as such.

As a result, cyber extortion statistics vary wildly and their accuracy is questionable. Savvy readers should take all reports and studies on cyber extortion with a grain (or perhaps a pile) of salt.

In this book, we will share statistics from the more reputable sources, and also endeavor to point out any obvious bias or limitations in these studies. We encourage readers to carefully consider the source of any cyber extortion statistics. There may be value in the information provided, but no report can fully capture the state of cyber extortion today.

Happily, there are indications that information quality and availability may improve in the future. Recently, lawmakers and regulators have enacted stronger and more standardized reporting for cyber extortion incidents, and for cybersecurity incidents more broadly. For example, the United States’ Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established broad reporting requirements for “covered cybersecurity incidents” that occur within “critical infrastructure.” The U.S. government intends to analyze the data and publish reports and statistics regularly.31,32

31. Davis Wright Tremaine LLP, “The Cyber Incident Reporting for Critical Infrastructure Act of 2022: An Overview,” May 20, 2022, www.jdsupra.com/legalnews/the-cyber-incident-reporting-for-6977192.

32. Amendment to H.R. 2471, “An Act to Measure the Progress of Post-Disaster Recovery and Efforts to Address Corruption, Governance, Rule of Law, and Media Freedoms in Haiti,” March 9, 2022, pp. 2464–2519, www.congress.gov/117/bills/hr2471/BILLS-117hr2471eah.pdf.

1.3.3 Reputational Damage

Victims of cyber extortion face a loss of trust, public image, and overall reputation that may lead to increased financial loss and decreased business. According to Cybereason, 53% of victims surveyed suffered brand damage as a result of a ransomware attack.33 This outcome is especially likely to happen when the cyber extortion incident involves theft of sensitive data, which can result in permanent loss of privacy for the data subjects, who may be employees, customers, or patients.

33. Ransomware: The True Cost to Business, p. 9.

Criminals capitalize on the fear of reputational damage. For example, in a 2020 cyber extortion case handled by the authors, the Maze cartel emailed the victim’s leadership. Here is their threatening message:

First of all, we will sell the personal data of your employees and customers on the market, which will already bring us a profit. Then we will inform all your clients that their private information has been compromised. … But the biggest losses for you will be from the publication of data that has been downloaded from your servers. You will be sued by both your employees and your clients. After publishing on our news site, you will incur colossal reputational losses for your business. I think that many existing clients will refuse your services. In the future, finding new customers will be problematic, since it is unlikely that someone wants to provide their personal data to a company that cannot save them.34

34. Email written by the Maze ransomware gang, August 2020.

Ransomware attacks often don’t make the news, particularly in industries where the public isn’t directly impacted. However, today’s adversaries frequently take matters into their own hands, threatening to notify data subjects even if the victim organization does not, in an effort to leverage the power of shame and embarrassment.

Modern cyber extortionists routinely launch data leak portals on the dark web, which they use to publish stolen data. More and more, cyber extortion events are widely covered by media outlets, in part due to increasingly sophisticated public relations efforts launched by adversaries. The result is greater potential damage to the victims’ reputations, which empowers the adversaries.

1.3.4 Lawsuits

Lawsuits have become a routine occurrence following a cyber extortion attack. This is driven by several factors:

  • The dramatic increase in data exposure as part of cyber extortion cases. This increases publicity surrounding the crisis and can also trigger data breach notification laws, in addition to proactive cybersecurity regulations.

  • Increasing numbers of experienced cyber attorneys and regulators who understand relevant laws/regulations and have experience responding to data breaches, business interruption, and related “cyber” topics.

  • A proliferation of laws and regulations that specifically address data breaches, cyber extortion, and cybersecurity. Examples include Europe’s General Data Protection Regulation (GDPR), state-level breach notification laws in all 50 U.S. states, and industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Further adding to the risk are stipulations such as ransomware guidance released by the U.S. Department of Health and Human Services, which states that victims need to “presume” that a breach has occurred “[u]nless the covered entity or business associate can demonstrate that there is a ‘… low probability that the PHI [personal health information] has been compromised.’”35

    35. “Fact Sheet: Ransomware and HIPAA,” U.S. Department of Health and Human Services, Office for Civil Rights, July 11, 2016, www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

Lawsuits may be filed by customers, patients, employees, vendors, shareholders, or any other party potentially harmed by the cyber extortion event. For example, Scripps Health experienced major disruptions to its operations and notified more than 147,000 patients that their personal information might have been stolen in its 2021 ransomware attack.36 In the aftermath, patients filed multiple class-action lawsuits alleging that the health system was negligent and failed to appropriately manage risk.

36. Heather Landi, “Before Attacking IT Systems, Hackers Stole Information from 147K Patients, Scripps Health Says,” Fierce Healthcare, June 3, 2021, www.fiercehealthcare.com/tech/before-attacking-it-systems-hackers-stole-information-from-147-000-patients-scripps-health.

In a growing trend, plaintiffs are citing harm beyond the potential for identity theft and breach of privacy. After Universal Health Service (UHS) was hit with a ransomware attack in September 2021, patient Stephen Motkowicz filed a lawsuit because “the data theft delayed his surgery, which caused his employer-provided insurance to lapse and required him to purchase alternative insurance at a higher premium.”37

37. Barry K. Graham, et al. v. Universal Health Service, Inc., Case 2:20-cv-05375-GAM, May 17, 2021, https://fingfx.thomsonreuters.com/gfx/legaldocs/bdwpkwqxqpm/HEALTH%20UHS%20DATA%20BREACH%20opinion.pdf.

Litigation, of course, can be expensive, time-consuming, and trigger negative media attention for years after a cyber extortion event.

Case Study: Ripple Effects

The impacts of (and potential damage from) a cyber extortion event can be far-reaching. As an example, in May 2021, Colonial Pipeline suffered a complete service outage across its entire infrastructure that was triggered by a ransomware attack by the DarkSide ransomware group.38 The pipeline transported 100 million gallons of fuel throughout the east coast of the United States every day, so an operational outage of any kind meant serious issues for millions of consumers and businesses.

38. Joe Panettieri, “Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details,” MSSP Alert, May 9, 2022, www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/colonial-pipeline-investigation/.

Colonial had backups of its systems, but the restoration of services was a slow process. The organization paid 75 Bitcoin (roughly $4.5 million at the time) to obtain a decryptor, but the decryptor utility was so slow that it was essentially useless. Operations began to come back online five days after the attack started, but it was much longer before full recovery was reached.

In the meantime, gas stations that relied on Colonial Pipeline ran out of fuel and were forced to shut down. EZ Mart, a gas station in North Carolina, was one of them. According to EZ Mart’s owner, Abeer Darwich, his gas station ran out of fuel on May 12. He called his distributor, Oliver’s Oil, which told him that he could not get more fuel delivered until the pipeline was flowing again. The gas station was not fully operational for ten days, which resulted in lost revenue and potential loss of customers on a long-term basis.

After the attack, EZ Mart filed a lawsuit seeking compensation for disruption to its business, which relied on the key upstream provider. Notably, its case was strengthened because criminals did not directly shut down the Colonial Pipeline. Rather, according to court documents, the pipeline operators “elected to shut down the pipeline in whole or part not because the threat actor had reached the operational systems, but because Defendant was not sure it could continue to accurately bill for the product moving through its Pipeline.”39

39. EZ Mart 1, LLC, on Behalf of Itself and All Others Similarly Situated, v. Colonial Pipeline Company, Case 1:21-cv-02522-MHC, June 21, 2021, p. 7, https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/coloniallawsuit.pdf.

Often, impacted customers and third parties have no recourse or way to obtain compensation outside of litigation. In the case of Colonial Pipeline, the operator reportedly “acknowledged its duty to those affected by the failure, but to date has failed to offer them any compensation or remedy.”40 Affected businesses like EZ Mart, which do not have a direct contractual relationship with Colonial Pipeline, may have little recourse outside a court of law.

40. EZ Mart 1, LLC, v. Colonial Pipeline Company, p. 7.

1.4 Victim Selection

Cyber extortion attacks may be opportunistic, targeted, or hybrid, as described in this section. Understanding the attack type can help you gauge the likelihood of advanced evasion tactics, evaluate the risk of further compromise, and predict the adversary’s response to specific negotiation strategies.

1.4.1 Opportunistic Attacks

In an opportunistic extortion attack, the adversary’s strategy is not crafted with a specific victim in mind. Rather, the adversary maximizes their return on investment by casting a wide net and compromising victims that individually require a relatively low investment of resources. Typically, adversaries leverage automated tools such as phishing toolkits that can distribute malicious emails en masse, credential stuffing tools, vulnerability scanning software or services, and more. (We will discuss these entry methods in greater detail in Section 3.2.)

Victims may be any organization unlucky enough to have a vulnerability in a perimeter device, or an employee who accidentally clicks on a link in a phishing email. Organizations with slim budgets for cybersecurity are at higher risk, since they may not have the resources to patch vulnerabilities as quickly, roll out multifactor authentication, or implement comprehensive prevention measures like those described in detail in Chapter 10.

In the following case study, a veterinary clinic was completely shut down because of an opportunistic ransomware attack—without any manual interaction from the adversary.

Case Study: Veterinary Clinic

At a small veterinary clinic in Colorado, a receptionist received a DHL shipment notification and clicked on the attachment. Little did she know that it was a phishing email. When she opened the attachment, a macro executed that downloaded the GandCrab ransomware loader.

The ransomware automatically spread throughout the network. It scraped passwords from the receptionist’s computer (including the Local Administrator password) and moved laterally to other systems. The ransomware software also took advantage of the EternalBlue vulnerability, exploiting a weakness in SMB to gain access to the clinic’s main file server. It locked up all computers on the network, including servers and workstations. The clinic had no backups, but if they had, the ransomware would have automatically encrypted them, too.

At the time, GandCrab was one of the top ransomware strains globally, and owed its success in part to its “ransomware as a service” syndication model. The cybercriminals behind it essentially rented out their software, enabling would-be extortionists around the world to access their sophisticated tools for a fee.

For each computer that was encrypted, the GandCrab software automatically created a web portal on the dark web. Victims could access the portal using a Tor browser to visit the link that was listed in the ransom note. Each computer had its own ransom note. Using the portal, victims could view the ransom amount, automatically upload a (small) sample file for test decryption, access a chat feature, and more.

The ransom demand at the veterinary clinic was set at $5,000 per computer. There were 14 computers, so the cost to recover everything was $70,000. The clinic opted to purchase the key for three computers—two servers and one workstation. Happily, they didn’t need to pay. Within days of the attack, the GandCrab group announced that they were “leaving for a well-deserved retirement,” and shortly thereafter, a security research firm released an effective decryption tool.

The veterinary clinic was clearly hit with an opportunistic attack. The authors of this book, who were engaged as the response team, preserved the DHL shipping phishing email that had acted as the initial malware delivery vector. It turned out there were thousands of reports of this phishing email in VirusTotal, a popular malware analysis and reporting website. This was clearly a large-scale campaign that had been indiscriminately blasted out to a very large number of email addresses.

In all likelihood, the receptionist received that phishing email because her address was already on a mass spam distribution list that was bought and sold on the dark web, or she may have been included in the “Contacts” list of another organization that had been recently hacked. The adversary that attacked the veterinary clinic may have also successfully extorted dozens, hundreds, or even thousands of other organizations.

1.4.2 Targeted Attacks

In a targeted attack, the adversary focuses on compromising a specific entity. Targeted cyber extortion can take on many forms, and typically involves significant investment by the adversary, such as extensive reconnaissance, resource gathering, malware customization, and other specialized activities.

Typically, adversaries target organizations that they perceive have enough revenue to pay their desired ransom demand. In addition, adversaries often target organizations that may be critically impacted by technology outages (such as hospitals, technology providers, or manufacturing companies) or hold highly confidential and/or regulated information (such as public-sector organizations, law firms, and professional services). This gives the adversary strong leverage to use during the extortion phase.

For example, Tesla was targeted41 in 2020 by a Russian cybercriminal gang that attempted to pay a Tesla employee to install malware for purposes of extortion. The criminals’ goal was to exfiltrate Tesla’s sensitive information and then extort the company for millions of dollars. In preparation, Russian agent Egor Igorevich Kriuchkov fostered a relationship with a Tesla employee using WhatsApp, and then flew to the United States to wine and dine him before making his pitch: install malware in Tesla’s environment in exchange for a large payment. According to Kriuchkov’s later indictment,42 the adversaries “had to pay US $250,000 for the malware, which would be written specifically for targeting [Tesla’s] computer network.” In addition, the adversaries planned to pay Kriuchkov $250,000 and the employee $1 million for their assistance.

41. Andy Greenberg, “A Tesla Employee Thwarted an Alleged Ransomware Plot,” Wired, August 27, 2020, www.wired.com/story/tesla-ransomware-insider-hack-attempt/.

42. United States of America v. Egor Igorevich Kriuchkov, Case 3:20-cr-00045, September 3, 2020, www.justice.gov/opa/press-release/file/1313656/download.

Although some adversaries deliberately target “big game,” this strategy has also led to high-profile news articles and law enforcement attention, which criminals perceive as a threat. After the swift U.S. response to the Colonial Pipeline oil supply attacks, a REvil affiliate cautioned, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”43

43. “Russian Hacker Q&A: An Interview with REvil-Affiliated Ransomware Contractor,” Flashpoint Intel (blog), September 29, 2021, www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor.

1.4.3 Hybrid Attacks

Many cyber extortion attacks are a hybrid of opportunistic and targeted attacks. For example, an adversary might send out thousands of phishing emails using an exploit kit and wait for victims to click on attachments. As the list of victims grows, the adversary can choose to actively engage with those who have high revenues or in specific industries such as healthcare (which has strong privacy regulations and stringent uptime requirements).


A Word About “Initial Access Brokers”

The adversary who encrypts a network or exfiltrates data is not always the adversary who originally compromises the victim. “Initial access brokers” operate as a partner to cyber extortion groups and exist for the sole purpose of selling access to already compromised environments. Brokers may operate as intermediaries between the adversary responsible for compromise and the cyber extortionist. Alternatively, as in cases like the infamous Emotet44 group, they may operate as a separate cybercriminal organization.

44. “FBI, Partners Disarm Emotet Malware: Global Law Enforcement and Private Sector Take Down a Major Cyber Crime Tool,” Federal Bureau of Investigation, February 1, 2021, www.fbi.gov/news/stories/emotet-malware-disrupted-020121.

1.5 Scaling Up

Over time, adversaries became increasingly aware that victim environments were interconnected through the technology supply chain and recognized it as a way to impact more victims with less effort. Cyber extortionists began to leverage weaknesses in the global technology supply chain to extort victims en masse, which caused widespread damage. This included leveraging managed service providers, technology manufacturers, software vulnerabilities, and cloud providers.

1.5.1 Managed Service Providers

Managed service providers (MSPs) provide technical services, support, and products for their customers. An MSP can be a perfect conduit for cybercriminals, since by design it has access to a multitude of organizations, and frequently uses standardized remote management software to connect to and manage all of its clients’ systems. An adversary with access to the MSP network could potentially use these same tools to connect to all of the targets simultaneously, steal files, or spread ransomware.

For example, on August 19, 2019, 22 Texas towns45 were hit simultaneously with ransomware, one of the first large-scale attacks of its kind. The adversaries, who were said to be affiliated with the REvil ransomware syndicate,46 carried out their attack by first compromising a Texas technology services firm that provided services to all 22 towns. The ransomware disrupted the cities’ abilities to provide building, driver, and contractor licenses; issue birth and death certificates; accept utility payments; and more.

45. Bobby Allyn, “22 Texas Towns Hit with Ransomware Attack in ‘New Front’ of Cyberassault,” NPR, August 20, 2019, www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault.

46. Jake Bleiberg and Eric Tucker, “Texas Ransomware Attack Shows What Can Happen When Whole Towns Are Targeted,” USA Today, July 26, 2021, www.usatoday.com/story/tech/news/2021/07/26/texas-ransomware-attack-impact-cyberattack-cybersecurity-small-town-america/8090316002/.

The adversary demanded a “collective ransom” of $2.5 million in exchange for the decryptor.47 Despite the massive impact on their operations, the victims reportedly did not pay the ransom, and instead recovered most of their data from backups. By September 7, 2019, about half of the towns were back to normal operations, while the rest struggled to complete their recoveries.

47. Ionut Ilascu, “Hackers Want $2.5 Million Ransom for Texas Ransomware Attacks,” Bleeping Computer, August 21, 2019, www.bleepingcomputer.com/news/security/hackers-want-25-million-ransom-for-texas-ransomware-attacks/.

This type of entry vector was not new. As early as 2016, the Dark Overlord cyber extortion group conducted an attack on multiple healthcare clinics, which was later traced back to an “inadequately secured” file in the cloud that contained passwords for all of the vendor’s customer networks.48

48. “Quest Records LLC Breach Linked to TheDarkOverlord Hacks; More Entities Investigate If They’ve Been Hacked,” DataBreaches.net, August 15, 2016, www.databreaches.net/quest-records-llc-breach-linked-to-thedarkoverlord-hacks-more-entities-investigate-if-theyve-been-hacked/.

Over time, cyber extortionists discovered that many MSPs used identical passwords to manage all of their customer systems, and eschewed multifactor authentication, since it would have added complexity to their support processes. The criminals then ramped up their crime spree: At the end of August 2019,49 REvil repeated its attack and compromised an MSP, encrypting the files of approximately 400 dental clinics. In November 2019,50 the group encrypted files at 100 dental offices, by again compromising their MSP.

49. Brian Krebs, “Ransomware Bites Dental Data Backup Firm,” Krebs on Security, August 29, 2019, https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/.

50. Brian Krebs, “Ransomware at Colorado IT Provider Affects 100+ Dental Offices,” Krebs on Security, December 7, 2019, https://krebsonsecurity.com/2019/12/ransomware-at-colorado-it-provider-affects-100-dental-offices/.

Reputable MSPs quickly adapted, adopting multifactor authentication (if they hadn’t already) and more secure password generation and storage practices. Still, they remained a target, by virtue of their key role in the technology supply chain.

1.5.2 Technology Manufacturers

Cybercriminals have long known that by gaining access to technology manufacturers, they can distribute malware far and wide. This type of attack was famously used to deploy the destructive NotPetya faux ransomware, dubbed “the most devastating cyberattack in history” by Wired magazine, with estimated global damages of more than $10 billion.51

51. Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

The NotPetya compromise began when cybercriminals gained access to an update server at a tax preparation software company, M.E.Doc, which was used by an estimated 80% of companies in Ukraine at the time.52 In April 2017, they installed a backdoor in the company’s tax preparation software, which was released to customers. Two more backdoored releases were deployed to customers in May and June. Finally, on June 27, the adversary modified the update server’s configuration and redirected customer traffic to an outside server, which was used to deploy NotPetya.

52. “Ukraine Cyber-attack: Software Firm MeDoc’s Servers Seized,” BBC News, July 4, 2017, www.bbc.com/news/technology-40497026.

As the malware detonated on victim machines, it spread rapidly to connected systems by leveraging the EternalBlue vulnerability and other methods. “To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” stated Craig Williams, a spokesperson at Cisco Talos, which handled the investigation. “By the second you saw it, your data center was already gone.”53

53. Greenberg, “The Untold Story of NotPetya.”

Fast-forward to December 2020, when a customer of SolarWinds, a popular remote IT monitoring and management software, discovered a backdoor in their network, which they traced back to SolarWinds’ Orion software.54

54. William Turton and Kartikay Mehrotra, “FireEye Discovered SolarWinds Breach While Probing Own Hack,” Bloomberg, December 14, 2020, www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack.

An investigation determined that the attackers inserted malicious code into a routine software update that SolarWinds pushed to its customers.55 The malware had been distributed in the SolarWinds product between March and June of 2020—meaning the adversaries had the opportunity to access customer systems for at least six months before they were detected. In all, 18,000 SolarWinds customers (including Microsoft, Visa, Mastercard, Ford, Cisco, U.S. Secret Service, U.S. Department of Defense, and Office of the President of the United States, among many others56) had installed the infected update.

55. Dina Temple-Raston, “A ‘Worst Nightmare’ Cyberattack: The Untold Story of the SolarWinds Hack,” NPR, April 16, 2021, www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack.

56. Mia Jankowicz and Charles R. Davis, “These Big Firms and US Agencies All Use Software from the Company Breached in a Massive Hack Being Blamed on Russia,” Business Insider, December 15, 2020, www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12.

Fortunately, SolarWinds was not publicly linked to a wave of ransomware attacks. Nevertheless, it illustrated how even today, adversaries can use technology vendors to gain a persistent foothold within their customers’ environments, enabling widespread data theft and arbitrary deployment of malicious software—both common precursors of a cyber extortion attack. This tactic has the potential to facilitate cyber extortion on a mass scale in the future.

1.5.3 Software Vulnerabilities

Cyber extortionists have targeted software products, using vulnerabilities in those products, or the products themselves, as a mass distribution vector. For example, on July 3, 2021—the day before a major national holiday in the United States—the REvil cartel executed what was, at the time, the largest single ransomware deployment in cybersecurity history.57 The adversary exploited multiple zero-day vulnerabilities in the Kaseya VSA on-premises remote monitoring and management system, used by MSPs around the world to remotely manage customer networks.

57. Associated Press, “Scale, Details of Massive Kaseya Ransomware Attack Emerge,” NPR, July 5, 2021, www.npr.org/2021/07/05/1013117515/scale-details-of-massive-kaseya-ransomware-attack-emerge.

By leveraging access to this software product, REvil was able to detonate its malicious software on more than 1,500 victim networks around the world (a total of more than 1 million individual devices, the group claimed). This included grocery stores, healthcare clinics, municipalities, and more. The criminals demanded $70 million to provide a decryptor for all of the victims. Eventually, the keys were released, reportedly due to an international law enforcement operation.58

58. Dan Goodin, “Up to 1,500 Businesses Infected in One of the Worst Ransomware Attacks Ever,” Ars Technica, July 6, 2021, https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/.

Similarly, the Microsoft Exchange zero-day vulnerabilities of 2021 led to a wave of ransomware attacks—and fast. A patch released on March 2, 2021, addressed four vulnerabilities discovered in on-premises instances of Exchange. Almost immediately, cybercriminals began leveraging these vulnerabilities to install ransomware.59 Likewise, in the aftermath of the widespread Log4j vulnerability announcement, extortionists such as Conti began exploiting vulnerable VMware servers as an initial entry point.60

59. “Ransomware Is Targeting Vulnerable Microsoft Exchange Servers,” Malwarebytes Labs (blog), March 12, 2021, https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/.

60. Vitali Kremez and Yelisey Boguslavskiy, “Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement,” AdvIntel, December 17, 2021, www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement.

In late 2021 and 2022, ransomware gangs such as Conti, BlackByte, and others began routinely exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.61,62,63 Although Microsoft had previously released a series of patches, many victims had not successfully installed them, leaving organizations around the world vulnerable to attack.

61. Lawrence Abrams, “Conti Ransomware Now Hacking Exchange Servers with ProxyShell Exploits,” Bleeping Computer, September 3, 2021, www.bleepingcomputer.com/news/security/conti-ransomware-now-hacking-exchange-servers-with-proxyshell-exploits/.

62. Bill Toulas, “Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware,” Bleeping Computer, December 1, 2021, www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/.

63. Lindsey O’Donnell-Welch, “Vulnerable Microsoft Exchange Servers Hit with Babuk Ransomware,” Decipher, November 4, 2021, https://duo.com/decipher/attackers-infect-vulnerable-microsoft-exchange-servers-with-babuk-ransomware.

1.5.4 Cloud Providers

As organizations around the world shifted their technology infrastructure to the cloud, many had the unspoken expectation that cloud providers would be immune to compromise—a sentiment that cloud providers themselves encouraged.

Cyber attackers have since proved them wrong. Cloud providers, as a rule, invest heavily in securing their infrastructures, but adversaries (including cyber extortionists) have repeatedly found ways to sneak through the cracks. What’s more, due to cloud providers’ extreme uptime requirements and potential for storing large volumes of sensitive data, they are high-value targets.

For example, Blackbaud,64 a cloud provider whose software is used by nonprofit organizations, charitable foundations, universities, and other organizations, was hit with a ransomware attack in May 2020. The company had approximately 35,000 customers in more than 60 countries, and boasted millions of users.65 Blackbaud’s products included support for fundraising, marketing, analytics, and more—which meant their cloud platform was designed to store a vast range of sensitive information, including personal details, sensitive financial records, payment card numbers, and more.

64. Sergiu Gatlan, “Blackbaud: Ransomware Gang Had Access to Banking Info and Passwords,” Bleeping Computer, September 30, 2020, www.bleepingcomputer.com/news/security/blackbaud-ransomware-gang-had-access-to-banking-info-and-passwords/.

65. Nicole McGougan, “Blackbaud Makes Good on Modern Cloud Promise,” Blackbaud Newsroom, April 26, 2016, https://web.archive.org/web/20210116124707/https://www.blackbaud.com/newsroom/article/2016/04/26/blackbaud-makes-good-on-modern-cloud-promise.

The criminals gained access to Blackbaud’s environment in February 2020, but did not detonate ransomware until May 2020. Blackbaud, in turn, did not notify customers until July—two months after the company detected the attack—when it released a statement notifying customers of a “security incident that recently occurred.” The cloud provider told customers that the company’s cybersecurity team had stopped a ransomware attack in progress, and stated that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.” However, it assured customers that the stolen data did not include “credit card information, bank account information, or social security numbers.”66

66. “Security Incident,” Blackbaud Newsroom, updated September 29, 2020, https://web.archive.org/web/20210429203816/https://www.blackbaud.com/securityincident.

Blackbaud went on to state that it had paid the ransom, with the assurance that any stolen data subset would be deleted. It also asserted that it had “no reason to believe that any data … was or will be misused; or will be disseminated or otherwise made available publicly.”67

67. “Security Incident,” Blackbaud Newsroom.

The subsequent ripple effects were enormous. Hundreds—if not thousands—of Blackbaud’s customers launched investigations to assess the risk to their community’s data. In many cases, they determined that they were legally obligated to do so. For example, many healthcare clinics are regulated by HIPAA/HITECH, which states that “[a]n impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”68 Cyber insurers grappled with the surge of investigations and claims.

68. “HITECH Breach Notification Interim Final Rule,” www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/final-rule-update/hitech/index.html.

On September 29, 2020, Blackbaud submitted a filing with the U.S. Securities and Exchange Commission (SEC) and disclosed that “further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”69 This new revelation further fanned the flames.

69. “Blackbaud, Inc.,” Securities and Exchange Commission, September 29, 2020, www.sec.gov/Archives/edgar/data/1280058/000128005820000044/blkb-20200929.htm.

In the months that followed, a wide range of organizations publicly announced that they were impacted—including the Boy Scouts, National Public Radio (NPR), the Bush Presidential Center, universities, nonprofit organizations, and more. Approximately 100 U.S. healthcare organizations publicly reported a data breach as a result of the Blackbaud attacks, affecting at least 12 million patients.70,71

70. Paul Bischoff, “Ransomware Attacks on US Healthcare Organizations Cost $20.8bn in 2020,” Comparitech (blog), March 10, 2021, www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/#How_much_did_these_ransomware_attacks_cost_healthcare_organizations_in_2020.

71. This statistic may include duplicate entries, as it is a sum of reported data subjects submitted by each individual entity.

More than two dozen lawsuits were filed against Blackbaud, and customers that were victims of the breach were also sued by their members and patients.72 At the time of this writing, lawsuits are still ongoing.

72. “Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack,” HIPAA Journal, January 6, 2021, www.hipaajournal.com/rady-childrens-hospital-facing-class-action-lawsuit-over-blackbaud-ransomware-attack/.

The Blackbaud attack is a landmark case that illustrates how a cyber extortion attack on a single cloud provider can impact thousands of organizations and millions of individuals. Over time, cyber extortionists will likely evolve new ways to leverage cloud providers’ centralized platforms, and apply increasingly advanced extortion tactics that involve direct communication with customers.

Despite the flood of public notifications in the Blackbaud case, even more notable are the thousands of Blackbaud customers that did not report the breach to their own employees, clients, and customers, but were undoubtedly affected. While U.S.-based healthcare clinics may have been legally required to “presume” a breach had occurred, conduct a risk analysis, and report, organizations in other industries were not bound by such regulations. Many cash-strapped customers may have had insufficient resources to respond to Blackbaud’s notification, and simply ignored the issue.

As the cybersecurity industry and legal frameworks around the world continue to mature, expect more cloud customers to investigate and notify the public in the wake of cloud cyber extortion attacks.

1.6 Conclusion

Cyber extortion is an epidemic. In this chapter, we defined cyber extortion and then described the four types of cyber extortion that organizations may currently face. We learned that a cyber extortion attack has very real, potentially far-reaching impacts on the operations, financial well-being, and reputation of the organization experiencing it. Finally, we showed how adversaries can leverage weaknesses in the technology supply chain to launch cyber extortion attacks on a massive scale.

In the next chapter, we will trace the evolution of cyber extortion attacks, including key technological advancements that have enabled modern cyber extortion.

1.7 Your Turn!

Every cyber extortion incident is unique. The response team’s options and priorities will vary depending on the victim organization’s industry, size, and location, as well as the details of the incident itself.

Based on what you learned in this chapter, let’s think through the potential impact of a cyber extortion incident.

Step 1: Build Your Victim

Choose one characteristic from each of the three columns to describe your victim’s organization:

Industry                     Size      Location
Hospital                     Large     Global
Financial institution        Midsized  United States
Manufacturer                 Small     European Union
Law firm                               Australia
University                             India
Cloud service provider                 Country/location of your choice
Organization of your choice

Step 2: Choose Your Incident Scenario

Select from one of the following incident scenarios:

A. Ransomware strikes! All of the victim’s files have been locked up, including central data repositories, servers, and workstations.

B. A well-known cyber extortion gang claims to have stolen all of the victim’s most sensitive data and threatens to release it unless the victim pays a very large ransom demand. The gang posts the victim’s name on their dark web leaks site, along with samples of supposedly stolen data.

C. Double extortion! Both A and B occur at the same time.

D. The victim is hit with a denial-of-service attack on its Internet-facing infrastructure that slows its access and services to a crawl. The adversary threatens to continue and even escalate the attack unless a ransom is paid.

Step 3: Discussion Time

Your victim is experiencing a cyber extortion incident. Given what you know about the victim and the scenario, answer the following questions:

  1. Which objective(s) of the CIA Triad does the cyber extortion attack threaten?

  2. Which type of cyber extortion is your victim organization experiencing?

  3. Describe the likely impacts that the cyber extortion incident may have on your victim organization in the following areas:

    1. Operations

    2. Finances

    3. Reputation

    4. Legal risk

  4. The victim organization has researched typical ransom demands for the type of cyber extortion event it is experiencing and has found a very wide range, from $1,000 to $2.5 million. What is a reasonable explanation for this broad range of reported ransom demands?

  5. The victim organization hears that hundreds of other organizations are currently experiencing a very similar cyber extortion attack. What is one possible explanation?
