What Is Cyber Extortion?

There are several types of attacks your business could fall victim to — and it could cost you.

Written by: Mark Fairlie, Senior Analyst
Gretchen Grunburg, Senior Editor
Updated Apr 01, 2025

When cybercriminals hijack your data or website and demand a ransom, you become a victim of cyber extortion. These attacks — and the subsequent ransom payments they require — are on the rise, with some businesses paying hundreds of thousands of dollars to regain system access. We’ll explain how cyber extortion works and what you can do to prevent it. 

What is cyber extortion?

Cyber extortion happens when a bad actor hijacks your data, systems or website and demands payment to give the information, programs or site back to you. “This is when cybercriminals demand payment by threatening various attacks against the victim, such as data destruction, exfiltration and operation shutdowns,” said Mario Paez, the national cyber risk leader at the Marsh McLennan Agency. “The most commonly referenced attack is ransomware.” 

Ransomware attacks are increasing, and so are their costs. According to Sophos’ State of Ransomware 2024 report, the average ransom payment in 2024 was $2 million, up from $400,000 in 2023. Besides paying the ransom, recovering from such an attack is expensive, with average costs reaching $2.73 million. 

Although the ransom amount cybercriminals demand from your company may depend on the size of your enterprise, most businesses today are at risk and need to protect themselves from ransomware attacks. In fact, in 2024, 59 percent of businesses were hit by ransomware, reported Sophos. And businesses might not be able to operate until the threat is neutralized. That can mean paying criminals a lot of money to regain control of their systems. If you don’t think you’d have the financial means to pay the ransom, it’s even more important to prevent cyber extortion from happening in the first place.

Not all extortion attacks are ransomware, said Michael Geraghty, director of the New Jersey Cybersecurity and Communications Integration Cell. Extortion attacks can also include distributed denial-of-service (DDoS) attacks, data breach extortion and business email compromise (BEC) attacks. 

Bottom line
The stark statistics behind the number and variety of cyberattacks happening today underscore why companies need to create a robust cybersecurity plan. If you’re not proficient in cybersecurity and don’t have an in-house IT team, consider hiring an independent professional to identify your business's vulnerabilities. They can also determine how large your cybersecurity budget needs to be to protect your company.

What are common types of cyber extortion?

Cyber extortion isn’t limited to one method. There are many ways hijackers can infiltrate your business systems and demand payment from you, including the following:

Malware

Ransomware is a type of malware: malicious code inserted into a computer system to compromise it, whether by exposing confidential data, disrupting operations or breaking operating-system functions. Malware often goes undetected for some time, running quietly until someone using the system notices something amiss.

Ransomware specifically encrypts the victim's files or systems and withholds the key needed to decrypt them. The cybercriminal releases the decryption key only once the ransom is paid, and payment is no guarantee that a working key will follow.

Distributed denial-of-service attacks

A DDoS attack floods a website with so much traffic and so many requests that it is overwhelmed and becomes unavailable. The cybercriminals infect a network of computers (a botnet) and direct them to send simultaneous requests to the target site. This type of attack is often executed in coordination with other cyber intrusions.

“For DDoS, threat actors will often use unsecured IoT devices or systems to create a botnet that can be used to send large volumes of network traffic to a victim’s network, thereby making it unavailable to users for legitimate purposes,” explained Geraghty. “Retailers are commonly threatened with DDoS attacks around the holiday shopping season that could adversely impact sales, unless they pay a ransom.”

Phishing

In a phishing attack, hackers pose as a trusted email sender to gain access to information. If the recipient is fooled and follows links requesting passwords and other private data, the hackers capture that data. Phishing is a common cybercriminal tactic, so businesses should train employees on how to spot phishing schemes.

Did you know
One of the most damaging phishing schemes is CEO fraud. This is when a hacker pretends to be a business's CEO or top executive and uses an email or text message to pressure an employee in accounts payable to quickly settle an invoice. The employee, unaware it isn't really a company exec making the request, inadvertently transfers the funds to a bad actor.
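Detection logic for the display-name impersonation behind CEO fraud, as an added example that is not from the original article. It parses a few constructed email headers and flags the signals a mail filter, or a suspicious employee, would look for: an executive's name on an address outside the company domain, a lookalike sender domain, a Reply-To that diverges from the sender, and payment-pressure wording. The company domain, executive directory, keyword list and sample messages are all assumptions for illustration.

```python
"""Flag display-name impersonation and other CEO-fraud signals in email.

Added example, not from the original article. The company domain,
executive directory, keyword list and the sample messages are all
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed executive directory
PRESSURE_WORDS = {"urgent", "wire", "invoice", "today", "confidential"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list[str]:
    """Return finding codes for one RFC 822 message; an empty list means clean."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    name, addr, reply_to = name.strip().lower(), addr.lower(), reply_to.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. An executive's display name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("exec-name-mismatch")

    # 2. Sender domain within two edits of the real one (examp1e.com, example.co).
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies silently redirected to a different mailbox.
    if reply_to and reply_to != addr:
        findings.append("reply-to-mismatch")

    # 4. Urgency and payment language, the social-engineering core of CEO fraud.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if sum(word in text for word in PRESSURE_WORDS) >= 2:
        findings.append("pressure-language")
    return findings


SAMPLES = {  # constructed messages, not real mail
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: ap@example.com\n"
        "Subject: Q3 figures\n\n"
        "Please send over the Q3 figures when they are ready.\n"
    ),
    "ceo_fraud": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "To: ap@example.com\n"
        "Subject: Urgent\n\n"
        "I need you to wire the attached invoice today. In meetings, do not call.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "Reply-To: accounts@examp1e.com\n"
        "To: ap@example.com\n"
        "Subject: Invoice\n\n"
        "Please settle the attached invoice by wire today. Keep this confidential.\n"
    ),
}


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run analyze() over a batch of raw messages, keyed by label."""
    return {label: analyze(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in triage(SAMPLES).items():
        print(f"{label:10s} {'CLEAN' if not findings else ', '.join(findings)}")
```

None of these checks is conclusive on its own; a legitimate executive might mail from a personal address while travelling. The value is in combining them and routing anything that trips the executive-name or lookalike rule to a human before money moves, which is exactly the out-of-band verification step CEO fraud relies on employees skipping.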

Corporate account takeover (CATO)

CATO happens when an attacker gains control of, or convincingly impersonates, a business’s email or online banking identity and uses it to request or initiate wire or ACH transactions. Funds are sent to an account that looks legitimate but is actually controlled by the attacker. Companies with minimal controls over their online banking, for example no second approver for transfers, are particularly vulnerable. BEC attacks are closely related, since they often begin with a taken-over corporate mailbox.

How does cyber extortion work?

Cyber extortion starts when an attacker gains access to your computer systems. They look for weak points in your security, such as unpatched software or exposed remote-access services, or steal or guess passwords to gain entry. Similarly, email-based attacks like BEC use social engineering to trick targets into complying with extortionary attacks, said Geraghty. Once inside, the attacker typically deploys ransomware, steals data, or both. Having taken control of the systems or the data, they demand money before allowing the business to regain access, or in exchange for not publishing what they stole.

Did you know
Every business that maintains an internet presence is at risk of cyber extortion. Conduct a cybersecurity risk assessment to see how vulnerable your company is.

Who is susceptible to cyber extortion?

Any business with digital operations or storage is susceptible to cybercrimes, including cyber extortion. Because malware is easy to install, cybercriminals don’t have to work very hard to execute the attack.

Here are some business types and professionals that are especially at risk:

  • E-commerce businesses: Companies that rely on websites to market and generate sales are highly susceptible to ransomware.
  • Medical offices: A medical office that has files stored digitally is a target for data compromise and theft. [Get file management tips and software recommendations for secure file storage.]
  • Sales teams and financial advisors: Those who use online customer relationship management (CRM) software, including client portals, are often prime targets. [Check out our picks for the best CRM software from reputable vendors that take security seriously.]

But the reality is that any business that relies on centralized digital operations and digital tools is vulnerable to hijackers.

What are the impacts of cyber extortion?

Cyber extortion has a huge impact on businesses and, in some cases, the general public. The Colonial Pipeline hack caused concern over possible gasoline shortages throughout the southern and eastern U.S., and then gas prices rose as the industry sought to deal with demand. Colonial Pipeline paid the ransom in part because it could not estimate how long it would take to identify and remediate its systems on its own.

For a small business, the impact of cyber extortion is significant. Verizon’s 2024 Data Breach Investigations Report puts the median loss from a ransomware or extortion breach at about $46,000. On top of that is the cost of business operations being disrupted while your systems are down. Your company may take a reputation hit, too, if the attack fosters the perception that your organization can’t be trusted. Paez added that privacy liability, the cost of litigation against an organization for not properly safeguarding its workforce’s personal information, is also damaging.

All in all, the cost of recovering from a cybersecurity incident for a small to medium-sized business ranges from $826 to $653,587, according to Verizon. That is money most small business owners simply don’t have to spare. If a business can’t absorb the cost of a cyberattack, it may be forced to shut down permanently.

What are some examples of cyber extortion?

There are many public examples of cyber extortion in recent years.

  • Dish Network: In 2023, satellite TV provider Dish Network experienced network outages following a ransomware attack that also affected data pertaining to 290,000 individuals, including former and current employees. A data breach notification submitted to the Maine attorney general suggests the company paid a ransom to regain access to its systems and secure the compromised data.
  • Black Basta: This notorious ransomware group infected more than 100 companies in 2022 and 2023. They threatened to publicly release data from high-profile organizations, including the American Dental Association and Yellow Pages Canada.
  • Costa Rican government: Over 30 Costa Rican public offices were hit by a ransomware cyberattack from the Conti group in 2022. The government estimates that the incident cost the country $30 million every day it worked to resolve the situation.
  • Colonial Pipeline: In 2021, fuel transport was halted until the company paid a $4.4 million ransom in bitcoin. Federal authorities later recovered part of the payment. The attack was attributed to a ransomware group believed to operate out of Russia.
  • Hive: In 2023, the FBI dismantled the Hive ransomware gang, which had extorted more than $100 million from more than 1,500 victims over 18 months. 

How to prevent cyber extortion

Every small business is at risk of cyber extortion, and most can’t afford to pay a ransom. Because of this, owners should do everything possible to prevent a data breach. We recommend following these tips to help manage your cybersecurity risk:

  • Maintain systems’ health. Make sure you have an effective firewall, and update your operating systems and software regularly. Use an up-to-date antivirus program as well.
  • Back up, back up and back up some more. Regularly scheduled backups may seem redundant, but they ensure that you can get up and running again faster after a cyberattack. Without backups, you’re at the mercy of the hackers.
  • Train your employees. Help your employees understand the behaviors that leave your business exposed to cyber risks. This includes teaching them to recognize (and avoid) phishing scams and to stay off public devices and untrusted networks unless a secure remote-access setup is in place. 
  • Practice safe browsing. Avoid clicking pop-up ads on business devices. These ads can carry malware that quietly gains a foothold in your systems.

“No matter the size of your organization, it is crucial to adopt key controls to mitigate ransomware risks and improve cybersecurity posture,” said Paez. He recommended organizations implement the following:

  • Multifactor authentication for remote access and administrator/privileged controls
  • Endpoint detection and response (EDR)
  • Secured, encrypted and tested back-ups
  • Privileged access management (PAM)
  • Email filtering and web security
  • Patch and vulnerability management
  • Cyber incident response planning and testing
  • Cybersecurity awareness training and phishing testing
  • Hardening techniques, including remote desktop protocol (RDP)
  • Logging and monitoring/network protections
  • End-of-life systems replaced or protected
  • Vendor/digital supply chain risk management
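An added example illustrating the "secured, encrypted and tested back-ups" control in the list above; it is not code from the article or from any vendor the article mentions. It packages a directory into an archive, records a SHA-256 manifest of every file and of the archive itself, then checks that a restore reproduces exactly the files the manifest lists, and shows what the check reports when the restored copy has been mangled. The directory layout, file contents and the simulated ransomware tampering are constructed in a temporary directory; encrypting the archive at rest is left to the storage tool or service you use and is not shown here.

```python
"""Build a backup with a SHA-256 manifest and prove that it restores intact.

Added example, not from the original article. Sample files, paths and the
simulated ransomware tampering below are constructed in a temp directory.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Write src to dest_dir/backup.tar.gz plus a JSON manifest next to it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest = {"archive_sha256": sha256_file(archive), "files": build_manifest(src)}
    manifest_path = dest_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def archive_intact(archive: Path, manifest_path: Path) -> bool:
    """Cheap pre-restore check: has the archive itself been altered at rest?"""
    expected = json.loads(manifest_path.read_text())["archive_sha256"]
    return sha256_file(archive) == expected


def restore_archive(archive: Path, restore_dir: Path) -> None:
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # Python >= 3.12 blocks path traversal
        except TypeError:                                # older interpreters lack the argument
            tar.extractall(restore_dir)


def verify_restored(manifest_path: Path, restore_dir: Path) -> list[str]:
    """Compare a restored tree to the manifest; an empty list means it matches."""
    expected = json.loads(manifest_path.read_text())["files"]
    actual = build_manifest(restore_dir)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"changed: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    return sorted(problems)


def demo() -> dict:
    """Run a clean backup/restore, then a restore that ransomware has mangled."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"                      # constructed sample data
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2025-01-02,1200\n")
        (src / "notes.txt").write_text("Q1 planning notes\n")

        archive, manifest = create_backup(src, base / "backups")
        results["archive_intact"] = archive_intact(archive, manifest)

        good = base / "restore_good"
        restore_archive(archive, good)
        results["good"] = verify_restored(manifest, good)

        # Simulate a restore target the ransomware reached after extraction:
        # one file encrypted in place, one renamed with a ".locked" suffix.
        bad = base / "restore_bad"
        restore_archive(archive, bad)
        (bad / "finance" / "ledger.csv").write_bytes(b"\x8f\x11garbage-ciphertext")
        (bad / "notes.txt").rename(bad / "notes.txt.locked")
        results["tampered"] = verify_restored(manifest, bad)

        # And an archive altered at rest (one byte appended): caught before restore.
        with archive.open("ab") as f:
            f.write(b"\x00")
        results["archive_after_tamper"] = archive_intact(archive, manifest)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the restore step is that a backup only counts once it has been restored somewhere and compared against a record made at backup time; keep the manifest with the archive, off the production network, so that an attacker who reaches the backups cannot quietly rewrite both.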
Bottom line
Cyber extortion is prevented by many of the same practices that deter other cybercrime. Regular, tested backups, employee training and the other controls above go a long way toward removing the leverage that makes extortion work.

How to respond to cyber extortion

Hopefully, you’ll never be in this position, but if your company is the subject of a cyber extortion attempt, there are ways to deal with it. “All organizations should have an incident response plan in the event they are the victim of any cyber incident,” said Geraghty. “But more than just having a plan, they need to practice it on a regular basis.”

Below, we explain how to handle a ransomware demand. Use this outline to craft a thorough incident response plan for your business. 

Upon discovery

Assuming you have cyber insurance, contact your insurer within 24 hours of becoming aware of the cyber extortion attempt to understand your current level of coverage and what may apply to the situation. Also reach out to your lawyers and to law enforcement: they will help ensure your response complies with relevant legislation, including any breach-notification obligations.

If you have an internal IT team and are confident in its abilities, give it responsibility for your company’s technical recovery from the incident. If you don’t have an in-house IT team, or you’re not confident it is experienced enough to manage the attack, bring in an external cybersecurity expert. Whoever is in charge, their first job is containment, not restoration: work out how the attacker got in, isolate the affected systems, eject any intruders still present and shut the door on further access attempts. Getting the company back up and running comes after that, and preserving evidence along the way (logs, disk images, the ransom note) will matter for the investigation and any insurance claim.

Some companies may opt to bring on an external communications and public relations team to develop a crisis communications plan. This team can handle inquiries from the media and manage corporate communications with customers who may have been affected by the attack. To keep your customers’ trust and satisfy the press, your communications during this time need to be clear, consistent and accurate.

Tip
One of the main points of leverage cyber extorters hold over companies is the threat to destroy a business's data permanently if the ransom isn’t paid. To blunt that leverage, keep multiple copies of your data in a cloud backup service or offline, using separate credentials from your main network and, where the service offers it, immutable or versioned storage. Attackers routinely look for reachable backups and delete or encrypt them before triggering the ransomware, so a backup the compromised network can write to is not a safe copy.

The following week

Your insurer will investigate the circumstances surrounding the extortion attempt. Regulators may also want to do so, especially if the cybercriminals are threatening to release sensitive personal information, like medical records.

If you regularly back up data to secure, encrypted cloud storage, your IT team and/or outside consultant can start restoring your systems and apps so that staff can use them for everyday business again. Restore only onto systems that have been cleaned or rebuilt, and reset passwords and other credentials the attacker could have captured. [Read related article: Top Cloud Storage Services for Business]

Meanwhile, the extortionist will likely be pressuring you to pay, often setting a deadline for your response. They may follow through on the deadline, but they lose their main bargaining position if they crash your systems or delete your data. Consult legal counsel and law enforcement when deciding whether to pay. Paying carries insurance and legal implications, including sanctions rules that may prohibit payments to certain groups, and it guarantees neither a working decryption key nor that stolen data is deleted; refusing to pay has consequences of its own.

In the weeks after

By now, your IT team or cyber consultant should know what they need to do to prevent future breaches, and they’ll begin securing your computer network. As your business resumes normal operations, you need to decide how to defend yourself against future attacks. You might want to create a specific cybersecurity budget to pay for staff training and more robust network hardware.

Long term

Regardless of whether you chose to pay the ransom, the consequences of the attack are likely to continue for some time. Try to keep as much of the recovery team intact as possible while you strengthen your cyber defenses, repair financial and reputational damage, and maintain ongoing communications with authorities. If these key individuals can continue to assist you in securing your network and data from now on, it will be of long-term strategic benefit to you.

Also, the more you can show that you took precautions to protect your systems and responded to the attack competently, the better you’ll appear to your insurers, law enforcement agencies, employees and the public. You’ll want to work toward earning back any lost customer trust, and demonstrable accountability helps with that.

How cyber liability insurance can help

One way to protect your small business is to purchase cyber insurance, which is separate from general liability insurance. This type of business insurance pays for the costs of restoring your systems after a cyberattack, and coverage typically includes incident-response and recovery services that use your backups to restore operations as quickly as possible. Many policies also cover ransom negotiation and extortion payments up to the policy limits, but terms vary: some cap or exclude extortion payments, and many require prompt notification and the use of the insurer’s approved responders.

Although you can’t prevent every attack, cyber liability insurance minimizes the impact of cyber extortion on your business’s bottom line.

Jeremy Bender and Kimberlee Leonard contributed to this article.

Written by: Mark Fairlie, Senior Analyst
Mark Fairlie brings decades of expertise in telecommunications and telemarketing to the forefront as the former business owner of a direct marketing company. Also well-versed in a variety of other B2B topics, such as taxation, investments and cybersecurity, he now advises fellow entrepreneurs on the best business practices. At business.com, Fairlie covers a range of technology solutions, including CRM software, email and text message marketing services, fleet management services, call center software and more. With a background in advertising and sales, Fairlie made his mark as the former co-owner of Meridian Delta, which saw a successful transition of ownership in 2015. Through this journey, Fairlie gained invaluable hands-on experience in everything from founding a business to expanding and selling it. Since then, Fairlie has embarked on new ventures, launching a second marketing company and establishing a thriving sole proprietorship.