Three Tactics Behind Cyber Extortion

As explained in a previous blog, extortion is not new – it has simply been applied to the digital world in many different forms. In fact, as our extortion whitepaper demonstrates, there are really three high-level extortion tactics: the threat of distributed denial of service (DDoS), the threat of data compromise and the use of ransomware.


One of the most popular means to facilitate extortion is through DDoS attacks. The accessibility of off-the-shelf tools has lowered barriers to entry and actors have been encouraged by the increased media coverage.

Of course, the threat of DDoS will vary depending on the company and how critical the website is to generating revenue. Carefully orchestrated campaigns, such as the targeting of online florists around Valentine's Day, suggest a more considered approach.

Not all DDoS extortion actors are created equal or are equally sophisticated, however; much will depend on the capability and credibility of each threat actor. While there is certainly no shortage of low-credibility, low-capability actors, it would be remiss to ignore this threat, given the memory of Code Spaces going out of business.

Data Compromise

A second method of extortion is the threat to release compromised data. This method, of course, depends a lot on whether the target’s data has already been compromised.

Not so recently, in 2012, Rex Mundi allegedly compromised the databases of a number of companies based in French-speaking countries using this very approach. The group would then notify the victims of the breach via social media and threaten to make the data public unless a ransom was paid within a given timeframe. More recently, we have seen this tactic used by actors like Hacker Buba, Poseidon Group and Russian Guardians.


Lastly, it is important to touch on ransomware – that is, malware that restricts access to the computer system it has infected. The malware demands that a ransom be paid before it restores access to the restricted files, applications or operating system.

At a high level, the ransomware process is fairly standard: files are encrypted, and the attackers, who hold the decryption key, will only allow the target to decrypt the files after the required BTC ransom is paid.

The development of ransomware is a cat-and-mouse affair: security companies release decryption tools, the malware is updated in response, and the cycle continues. The care dedicated to the development of the ransomware and its specific features will vary from variant to variant.

Figure 1 – Typical ransomware processes

All this context is well and good, but the true value comes from understanding the tactics, techniques and procedures (TTPs) of these threat actors and aligning your security accordingly. Download our whitepaper to understand the specific motivations and TTPs that these various actors use. Armed with this situational awareness, you can better position yourself.
