Updated Jan 24, 2024

What Is Cyber Extortion?

Mark Fairlie
Mark Fairlie, Senior Analyst & Expert on Business Ownership


When cybercriminals hijack your data or website and demand a ransom, you become a victim of cyber extortion. These kinds of attacks and the subsequent ransom payments they require are on the rise, with some businesses paying hundreds of thousands of dollars or more to regain access to their systems. We’ll explain how cyber extortion works and what you can do to prevent it. 

What is cyber extortion?

Cyber extortion happens when a bad actor hijacks your data, systems or website and demands payment to give the information, programs or site back to you. Such ransomware attacks are increasing, and so are their costs. According to Statista, the average ransom payment in the second quarter of 2023 was $740,000, up from $328,000 in the first quarter. 

Perhaps that’s not surprising when you consider that in 2023, more than 72 percent of businesses worldwide were hit by ransomware, per Statista. Recovering from a ransomware attack is expensive, with bills reaching $165,520 for companies with revenues of $10 million or less, according to The State of Ransomware 2023 report from Sophos.

Although the ransom amount cybercriminals demand from your company may depend on the size of your enterprise, most businesses today are at risk and need to protect themselves from ransomware attacks. When cyber extortion occurs, a business might not be able to operate until it deals with the threat. That can mean paying criminals a lot of money to regain control of their systems. If you don’t think you’d have the financial means to pay the ransom, it’s even more important to prevent cyber extortion from happening in the first place.

Bottom line

The stark statistics behind the number and variety of cyber attacks happening today underscore why companies need to create a robust cybersecurity plan. If you’re not proficient in cybersecurity and don’t have an in-house IT team, consider hiring an independent professional to identify your business’s vulnerabilities and determine how large your cybersecurity budget needs to be to protect your company.

How does cyber extortion work?

Cyber extortion starts when a hijacker gains access to your computer systems. They look for weak points in your security or hack passwords to gain entry. Once in the systems, they often insert a type of malware known as ransomware or create a distributed denial-of-service (DDoS) attack. As a result of this intrusion, the business owner, staff and customers are unable to use the affected systems as normal and risk their data being exposed.

After gaining control of the systems, the hijacker makes demands for money before allowing the business to regain access. 

Did you know

Every business that maintains an internet presence is at risk of cyber extortion. Conduct a cybersecurity risk assessment to see how vulnerable your company is.

What are common types of cyber extortion?

Cyber extortion isn’t limited to one method. There are many ways hijackers can infiltrate your business systems and demand payment from you, including the following:

Malware

Ransomware is a type of malware: malicious code or software inserted into a computer system to compromise it. The compromise may affect the confidentiality of your data, the operation of your systems or the functioning of the operating system itself. Often, malware isn’t detected right away and keeps working until someone using the system notices something amiss.

Ransomware encrypts your data or systems, and the decryption key needed to regain access is held by the cybercriminal until the ransom is paid.

Distributed denial-of-service attacks

A DDoS attack sends an abundance of traffic and requests to a website until the site is overwhelmed and becomes unavailable. The cybercriminals infect a network of computers to send simultaneous requests to the target site, causing it to crash. This type of attack is often executed in coordination with other cyber intrusions.

Phishing

In a phishing attack, hackers pose as a trusted email sender to gain access to information. If the recipient is fooled and follows links requesting passwords and other private data, the hackers can see that data. Phishing has become a common tactic among cybercriminals, and businesses should train employees on how not to fall victim to phishing schemes.

Tip

One of the most damaging phishing schemes is CEO fraud. This is when a hacker pretends to be a business’s CEO or top executive and uses an email or text message to pressure an employee in accounts payable to quickly settle an invoice. The employee, unaware it isn’t really a company exec making the request, inadvertently transfers the funds to a bad actor.

Corporate account takeover (CATO)

CATO happens when a hijacker impersonates the business’s website or email and requests wire or ACH transactions. Funds are sent to an account that looks legitimate but is actually controlled by the hijacker. Companies with minimal control over online banking systems are particularly vulnerable to this type of attack.

Who is susceptible to cyber extortion?

Any business with digital operations or storage is susceptible to cybercrimes, including cyber extortion. Because malware is easy to install, cybercriminals don’t have to work very hard to execute the attack.

Here are some business types and professionals that are especially at risk:

  • E-commerce businesses: Companies that rely on websites to market and generate sales are highly susceptible to ransomware.
  • Medical offices: A medical office that has files stored digitally is a target for data compromise and theft. [Get file management tips and software recommendations for secure file storage.]
  • Sales teams and financial advisors: Those who use online customer relationship management (CRM) software, including client portals, are often prime targets. [Check out our picks for the best CRM software from reputable vendors that take security seriously.]

But the reality is that any business that relies on centralized digital operations and digital tools is vulnerable to hijackers.

What are some examples of cyber extortion?

There are many public examples of cyber extortion from recent years.

  • Dish Network: In 2023, satellite TV provider Dish Network experienced network outages following a ransomware attack that also affected data pertaining to 290,000 individuals, including former and current employees. A data breach notification submitted to the Maine attorney general suggests the company paid a ransom to regain access to its systems and secure the compromised data.
  • Black Basta: This notorious ransomware group infected more than 100 companies in 2022 and 2023 with the threat to publicly release data from high-profile organizations, including the American Dental Association and Yellow Pages Canada.
  • Costa Rican government: Over 30 Costa Rican public offices were subject to a ransomware cyberattack from the Conti group in 2022. The government estimates that the incident cost the country $30 million every day it worked to resolve the situation.
  • Colonial Pipeline: In 2021, oil transport was halted until the company paid a $4.4 million ransom in bitcoin. Some of those funds were later recovered; the attack was believed to be the work of Russian hackers.
  • Hive: In 2023, the FBI busted the Hive ransomware gang, which had extorted more than $100 million from more than 1,500 organizations over 18 months. 

What are the impacts of cyber extortion?

Cyber extortion has a huge impact on businesses and, in some cases, the general public. The Colonial Pipeline hack caused concern over possible gasoline shortages throughout the southern and eastern U.S., and then gas prices rose as the industry sought to deal with demand. Colonial Pipeline paid the ransom in part because it could not estimate how long it would take to identify and remediate its systems on its own.

For a small business, the impact of cyber extortion is significant. A report from Kaspersky indicates that the average cost of a data breach is upward of $105,000 for small businesses. If this incident involves extortion, you could pay another $1,500 to $50,000 in ransom fees. Plus, there is the cost of business operations being affected while your system is nonoperational and the reputation hit your company may face if the attack fosters the perception that your organization cannot be trusted. Customers may decide to take their business elsewhere.

All in all, the actual cost of recovering from a cybersecurity incident ranges from $826 to $653,587, according to Verizon. That is money most small business owners simply don’t have to spare. If a business can’t handle the cost of a cyberattack, it may be forced to shut down permanently.

How cyber liability insurance can help

One way to protect your small business is to purchase cyber insurance, which is separate from general liability insurance. This type of business insurance will pay for the costs associated with restoring your system after a cyberattack. Coverage includes mitigation services to try working with backups and restore operations as soon as possible. Your insurer will also negotiate with the cyberattackers and pay for ransoms up to the policy limits.

Although you can’t prevent every attack, cyber liability insurance minimizes the impact of cyber extortion on your business’s bottom line.

How to prevent cyber extortion

Because every small business is at risk of cyber extortion and most can’t afford to pay a ransom, owners should do everything possible to prevent a data breach. We recommend following these tips to help manage your cybersecurity risk:

  • Maintain systems’ health. Make sure you have an effective firewall, and update your operating systems and software regularly. Use an up-to-date virus protection program as well.
  • Back up, back up and back up some more. Regularly scheduled backups may seem redundant, but they ensure that you can get up and running again faster after a cyberattack. Without backups, you’re at the mercy of the hackers.
  • Train your employees. Help your employees understand the type of behavior that can leave your business vulnerable to cyber risks. This includes teaching them to recognize (and not fall for) phishing scams, to reply only to those who need information (rather than to all), and to avoid public device and internet usage unless they can use a secure mobility system. 
  • Follow safe internet practices. Avoid clicking pop-up ads when you’re using business devices. These ads can contain malware that gradually gains access to your system.

How to respond to cyber extortion

Hopefully, you’ll never be in this position, but if your company is the subject of a cyber extortion attempt, there are ways to deal with it. Below, we explain how to handle a ransomware demand.

Upon discovery

Assuming you have cyber insurance, within 24 hours of becoming aware of the cyber extortion attempt, you should get in touch with your insurer to gain an understanding of your current level of coverage and what may apply to the situation. Also reach out to your lawyers and the local authorities — they’ll be needed to make sure your responses to the situation conform with relevant legislation.

If you have an internal IT team and are confident in their abilities, give them responsibility for your company’s technical recovery from the incident. If you don’t have an in-house IT team, or you’re not confident that they are experienced and knowledgeable enough to deal with the attack, bring in an external cybersecurity expert. Whoever is in charge, their first priority should be to investigate the breach and secure your system, rather than to get the company back up and running again. They should also ensure that any remaining intruders are ejected from your system and shut the virtual door to any further access attempts.

Some companies may opt to bring on an external communications and public relations team to develop a crisis communications plan. This team can handle inquiries from the media and manage corporate communications with customers who may have been affected by the attack. To keep your customers’ trust and satisfy the press, your communications during this time need to be clear, consistent and accurate.

Tip

One of the significant points of leverage that cyber extorters have over companies is the ability to destroy a business’s data permanently if the ransom isn’t paid. To mitigate this risk, use a cloud backup service to make multiple copies of your data, as it’s highly unlikely that the hackers will also have access to your encrypted backup copies.

The following week

Your insurer will launch an investigation into the circumstances surrounding the extortion attempt. Regulators also may want to do so, especially if the cybercriminals are threatening to release sensitive personal information, like medical records.

If you regularly back up data on secure and encrypted cloud services, your IT team and/or outside consultant can start to restore your systems and apps so they can be used by staff again in the course of everyday business. They should be able to successfully remove the malware from your network and change the passwords. [Read related article: Top Cloud Storage Services for Business]

However, the extortionist will likely be pressuring you into making a payment, often giving a deadline for your response. While they may follow through with the deadline, they’ll lose their main bargaining position if they crash your systems or delete your data. Consult with legal counsel and law enforcement when deciding whether to pay the ransom. There may be insurance and legal implications to doing so, but that may also be the case if you refuse to.

In the weeks after

By now, your IT team or cyber consultant should know what they need to do to prevent future breaches, and they’ll begin securing your computer network. As your business resumes normal operations, you need to decide how to defend yourself against future attacks. You might want to create a specific cybersecurity budget to pay for staff training and more robust network hardware.

Long term

Regardless of whether you chose to pay the ransom and how you regained full control of your network and data, the consequences of the attack are likely to continue for some time. Try to keep as much of the recovery team intact as possible while you strengthen your cyber defenses, repair financial and reputational damage, and maintain ongoing communications with authorities. If these key individuals can continue to assist you in securing your network and data from now on, it will be of long-term strategic benefit to you.

Also, the more you can prove that you were diligent in protecting your systems in the first place and competent in how you reacted to the attack, the better you’ll appear to your insurers, law enforcement agencies and the public. You’ll want to work toward earning back any lost customer trust, and proof of your accountability can help with that.

Kimberlee Leonard contributed to this article.

Mark Fairlie has written extensively on business finance, business development, M&A, accounting, tax, cybersecurity, sales and marketing, SEO, investments, and more for clients across the world for the past five years. Before that, Mark owned one of the largest independent managed B2B email and telephone outsourcing companies in the UK, selling up in 2015.