Cyber risk gets personal: The emerging risk of data extortion


If risk managers can be sure of anything, it’s that cyber criminals will continue to evolve, adapt, and find new ways to attack corporate systems.

Cyber extortion attacks are nothing new, but the threats being levelled by bad actors are becoming more pernicious. Hackers traditionally have encrypted organizations’ networks with malware and in some instances stolen data, demanding a ransom in exchange for decryption keys and/or to prevent publication of the stolen data. Whereas previously actors grabbed any data they could get their hands on, they now turn to well-thought-out and sophisticated attacks targeting highly sensitive information, threatening to publish this particularly valuable, sensitive, or private data if the sum isn’t paid. The perpetrators will start to publish this data – often on the dark web – unless those companies enter into negotiations to pay a ransom and keep their information out of the hands of even more cyber thieves. In addition to publication on the dark web, criminals are evolving their threats to include publication in media outlets and the public domain, and they aren’t afraid to put pressure on organizations to pay by reaching out directly to leadership and employees to coerce payment.

The sensitive data in question can run the gamut. It may be intellectual property that is key to a technology company’s success, or private patient data stored by a healthcare company, or the customer financial data collected by a banking institution. Criminals may also find files of individual employees that cast them in a bad light – an inappropriate photo or email – which could damage the reputation of the organization as a whole.

In some cases, such as the recent attacks targeting file transfer software such as MOVEit and GoAnywhere, an extortion event can threaten any entity that has interacted with the system, including direct consumers of the software and vendors or business partners of those consumers, leading to potentially widespread events. In the case of the GoAnywhere attacks, data on 30 companies was stolen. More recently, the threat actors responsible for exploiting MOVEit boasted of data theft from up to 2,500 companies. Widespread events like this often result in massive sets of data being exfiltrated with little thought or planning as to what is actually taken: a “smash and grab” event – get as much as you can as fast as you can.

To gather this valuable data, cyber criminals are often exploiting zero-day vulnerabilities – vulnerabilities that are discovered and announced before a fix has been put in place. Until patches are applied, those criminals essentially have free rein over a company’s critical systems and data. Further, threat actors such as Scattered Spider are engaging in sophisticated phishing email campaigns, SIM swapping, and other tactics to sidestep multifactor authentication. Hackers seeking big payouts are targeting specific entities and staying in the infiltrated systems longer, which gives them time to identify and collect the most valuable data. Here, it’s not the volume that gets the big payout, but the data they find and steal.


Who is targeted?

What organizations are most likely to be hit by data-theft cyber extortion? Primarily, companies collecting large volumes of confidential data represent the most lucrative targets. The greater the sensitivity of the data, the greater the liability. Entities that store large sets of particularly sensitive personal data beyond Social Security numbers or financial account information (hospitals, for example, which may hold very private information such as medical diagnoses, mental health diagnoses, or images or videos of individuals), entities that store large sets of information for business partners in highly regulated industries (such as medical research companies, financial institutions, or government), and companies whose value lies in intellectual property may find themselves greater targets than others. However, any company is vulnerable if bad actors can reach these types of highly sensitive information and exfiltrate them. A small company, for example, may hold information of significant value even if it is only a smaller set of files, documents, or images. What that data is and how accessible it is to bad actors is often the determining factor in whether or not an event will result in a big payout. An industry like healthcare, for instance, can be particularly vulnerable.

What can organizations do to protect themselves?

  1. Clean up data regularly - Don’t keep information you don’t need, especially private information of vendors and customers. The more people impacted by a breach, the greater the notification costs, the bigger the potential class action lawsuit will be, and the more reputational damage will be incurred. It can be quite embarrassing for a company to have to notify dozens of entities about a breach with whom they haven’t done business in years. It is prudent to regularly sort the wheat from the chaff and ensure any unnecessary data is deleted.
  2. Keep the crown jewels under lock and key - To the extent intellectual property or particularly sensitive or confidential information must be stored in a company’s network, ensure that the information is appropriately segregated, encrypted at rest, and inaccessible to those who have no business or other appropriate reason to access it. Enforce network segmentation and/or zero trust wherever possible.
  3. Use strong multifactor authentication - Multifactor authentication is a key resource in protecting data and an organization’s network. Many organizations have already implemented this critical security feature. Organizations should continue to implement multifactor authentication and should take steps to strengthen the authentication process, including, among other things, using notification through mobile apps rather than text-message codes, requiring a password in addition to the second factor, and restricting push-based multifactor authentication to number matching only (the user must type the number shown on the login screen into the app rather than simply tapping “approve”).
  4. Build an incident response plan - While cyber extortion attacks are still frequent, more and more events are becoming less impactful. Businesses have become adept at preparing for, responding to and recovering from these incidents to the point where most victims don’t even pay the demanded sum.
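As an added illustration of the number-matching control recommended in item 3 (example code written for this page, not code from the authors or AXA XL), the following Python sketch models the server side of a push prompt: the login screen displays a two-digit number, the authenticator app must echo it back, and a bare approval, a stale challenge, a reused challenge, or a wrong number is rejected and written to an audit list that a detection team could alert on. The class and method names, the audit record layout, and the 60-second challenge lifetime are assumptions, not any vendor’s API.

```python
import hmac
import secrets
import time

# Lifetime of a push challenge; a constructed value, not a vendor default.
CHALLENGE_TTL_SECONDS = 60


class NumberMatchingMFA:
    """Server-side model of push MFA with number matching (hypothetical, not a vendor API).

    The login screen shows a number; the user must type that number into the
    authenticator app. An unsolicited prompt cannot be satisfied by tapping
    "approve", because the number appears only on the login screen that
    initiated the prompt, which the legitimate user never saw.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # session_id -> (expected_number, expires_at)
        self.audit = []      # rejected attempts, kept for detection and alerting

    def start_challenge(self, session_id):
        """Issue a fresh two-digit number for this login session and return it for display."""
        number = f"{secrets.randbelow(100):02d}"
        self._pending[session_id] = (number, self._now() + CHALLENGE_TTL_SECONDS)
        return number

    def complete_challenge(self, session_id, submitted):
        """Verify what the authenticator app sent back; True only on an exact, timely match."""
        entry = self._pending.pop(session_id, None)   # every challenge is single use
        if entry is None:
            self._reject(session_id, "no pending challenge")
            return False
        expected, expires_at = entry
        if self._now() > expires_at:
            self._reject(session_id, "challenge expired")
            return False
        if submitted is None:
            # A bare "approve" carries no evidence that the user saw the login screen.
            self._reject(session_id, "approve without number")
            return False
        if not hmac.compare_digest(expected, str(submitted)):
            self._reject(session_id, "number mismatch")
            return False
        return True

    def _reject(self, session_id, reason):
        # Constructed audit record; a real deployment would ship this to the SIEM.
        self.audit.append({"session": session_id, "reason": reason, "at": self._now()})


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    shown = mfa.start_challenge("login-1")
    print("login screen shows:", shown)
    print("user typed it into the app:", mfa.complete_challenge("login-1", shown))
    print("second use of the same challenge:", mfa.complete_challenge("login-1", shown))
```

A run of “approve without number” rejections for one account in a short window is the signature of the prompt-bombing tactic that number matching is meant to defeat, so the audit list is the part worth feeding into monitoring.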

That’s because businesses quickly developed incident response plans so that everyone in the chain of command knows what their job is, who needs to be notified of an attack, and how to continue business as usual while the situation is resolved, with minimal disruption to customers and vendors. Just as businesses create response plans for natural catastrophes, they need to craft detailed plans for potentially catastrophic cyber events.

The role of strong underwriting in mitigating risk

In 2020-2021, when ransomware attacks were pervasive, AXA XL’s underwriters sat down with clients to fully review cyber security measures and response plans to better arm insureds with tried and tested controls to prevent attacks and effectively recover from them. Insureds were forced to ask themselves tough questions about the state of their network and data security, the potential impact of a breach, and how they would bounce back. Underwriters essentially demanded more of insureds to make them more resilient, and as a result many insureds became more resilient.

The same will be true for the emerging risk of cyber extortion involving the theft of significant data. Underwriters will work hand-in-hand with clients to fully evaluate exposure and identify concrete risk mitigation strategies.

With proper data hygiene and strong response plans, cyber extortion events can quickly go the way of traditional ransomware attacks. When organizations are prepared, stand their ground, and know how to best protect data, these events can be beaten.

Authored by

  • Christine Flammer, Team Leader for AXA XL in the Cyber, Technology & Media Liability claims
  • Gwenn Cujdik, AXA XL, Manager of Cyber Incident Response Team, North America
