Corvus Insights Blog | Smart Cyber Insurance

What Is Data Extortion and How Does It Happen?

Written by Corvus Team | 10.12.22

Welcome to our (cybersecurity) campsite, where even the forest is going digital. We’ve got the essentials: a warm fire, marshmallows to toast, and some very passionate horror enthusiasts. What’s a cool, fall night in the woods without the retelling of a cybersecurity nightmare? This time, we’ll be following a data exfiltration attack at Parakeet Incorporated, a research-driven pharmaceutical company.

While they are a fictional organization, their experience is based on (very) real-life incidents. By sharing these stories, we can take with us everything they did right, and learn from where they fell short.


What is Data Extortion?


Data extortion is a cybersecurity incident in which personal or confidential data is stolen by an unauthorized party, who then demands payment in exchange for not publishing the stolen information.

In 2022, data breaches took an average of 277 days (about nine months) to identify and contain, according to IBM’s Cost of a Data Breach report. Many organizations go months without knowing that their sensitive data or personal information has been compromised, ultimately hearing the news from law enforcement or a third-party vendor. But what if you heard the news directly from the malicious actors responsible? Data extortion is an increasingly popular technique among cybercriminals, thanks to the sheer value of sensitive, proprietary, or financial information. As ransomware actors face increased scrutiny from law enforcement, shifting to a data theft-only approach (with no encryption stage at all) may help them prolong their criminal career: there is no disruptive encryption event to trip an alarm, and no decryptor to deliver afterwards.

With your organization’s reputation on the line (along with the threat of legal ramifications, costly investigations, and long-term recovery), preventing data exfiltration is a top-line security concern. It’s enough to send a shiver up your spine.


Set the Scene; Sound the Alarms

Parakeet Incorporated is situated right outside of the city, centrally located in a hub of tech and pharmaceutical companies. With glistening new construction, the entire infrastructure of their campus screams modern, sleek, and “we paid an architect a lot for this.” Parakeet Inc. employees are a smart and passionate bunch who connect to the mission of their company: healthier people are happier people.

Paige is one of the many employees at Parakeet that loves her work, although she stays away from the technical side of things. As the Chief Human Resources Officer, her passion is straightforward: community. And just like any day, she enters the building with a coffee in one hand, her phone in the other, and greets everyone she passes.

Once inside her office, she opens her laptop to check her email. The screen fills with unread messages — internal communications, meeting invites, and a standalone note from an external account she doesn’t recognize. Without much thought, she clicks into the email, where she finds an unexpected message. A ransom note boldly alerts her to the unfortunate reality of a security breach:

“We hacked your internal networks and took control over many systems. After spending weeks inside, we exfiltrated all we wanted.”

The next line directs her to a private URL, which permits negotiations between the threat actors and Parakeet. Paige does not click that link — she knows better than that (security awareness training!). Instead, in a frenzy, she reaches out to the IT and security teams.

Also attached to the email? Samples of stolen data, primarily her employees’ personally identifiable information.

🔎 Cybersecurity Clue:

What makes this data extortion different from a traditional data breach? The demand for payment, in exchange for not publicizing sensitive or confidential information. However, paying a ransom doesn't guarantee threat actors will follow through on their word: they still hold a copy of the data, and the victim has no way to verify that it was ever deleted.

The Breakdown of a Data Extortion Attack

Paige, members of the IT team, and a handful of executives receive an onslaught of emails and phone calls from the cybercriminals. They demand a ransom, and hang their collection of sensitive data over the entire organization’s head. While the outside of the building continues to glisten, the atmosphere inside has turned dour. 

Questions linger. How much data did the threat actors steal, what data did they steal, how did they get past our cybersecurity measures to exfiltrate it, and how long does Parakeet have until this needs to be publicly disclosed? While the cybercriminals have promised to delete all sensitive data after the ransom is paid, Parakeet decides not to cooperate. Following their Incident Response Plan (IRP), they reach out immediately to their cyber insurance provider once Paige receives word of the breach. With their help, they begin working with a forensics team as well as legal counsel. Exposed personal data is no joke.

🔎 Cybersecurity Clue:

 As the investigation begins, Parakeet Inc. starts the process of working through parallel workstreams. In incident response, this is a great way to keep momentum going (as opposed to working strictly on a somewhat restrictive linear timeline). 

  1. How did it happen, and how bad is it?

    A third-party forensic team begins an examination of Parakeet’s IT systems.

  2. Stop the spread.

    As insights from the forensics team come in, Parakeet’s internal staff can begin to pinpoint specific security measures to limit continued exposure.

  3. The big fix.

    After progress is made with containment, teams begin to work towards a common goal of recovery.

The Forensic Investigation and Response

Parakeet Incorporated saw the light at the end of the tunnel (eventually). But it wasn’t an easy ride there. So, what happened? And how did they make it out alive?

Forensic Results

  • Forensic experts were able to determine how the threat actors obtained access to Parakeet’s systems. By exploiting a vulnerability in a public-facing application, they gained initial access to the network, where they proceeded to stage a “toolset” of post-exploitation utilities. Using software such as Cobalt Strike — a commercial adversary-simulation framework intended for use by security professionals, but frequently abused by threat actors — the cybercriminals were able to move laterally through Parakeet’s systems until they reached the most sensitive data.

Guidance From Legal Counsel

  • Parakeet worked with a legal team to confirm they were complying with notification laws and to avoid additional regulatory fines. Data and privacy laws vary state by state, but most organizations can anticipate they’ll need to notify any individuals (here, employees as well as any clients or consumers) whose PII has been exposed; that can range from home addresses to Social Security numbers.

Moving forward, strong security controls and cyber mitigation tactics are Parakeet’s best defense against future attacks such as data leaks, extortion, and even phishing. A risk-based vulnerability management program and solid patch management could have closed the public-facing vulnerability before it was exploited, preventing initial access entirely. In addition, strong forms of multi-factor authentication (MFA) should be implemented wherever possible, especially on administrative or internet-facing accounts (think VPNs, email access, or anything with an online portal). These cyber risk prevention methods can deter or outright block threat actors trying to compromise accounts. Last but not least, Endpoint Detection and Response (EDR) solutions are designed to detect and respond to suspicious behavior on individual computers; in the case of Parakeet, the Cobalt Strike beacons and lateral-movement tooling are exactly the kind of activity EDR is built to flag once attackers are inside the network. Regardless of the specific security tool used, organizations should always watch for unusually large volumes of data leaving the network, measured against what each system normally sends.
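The last point in that paragraph, watching for unusually large outbound transfers relative to a system's normal behavior, is the one control that can be shown directly as detection logic. What follows is an added example, not code from the original post or from Corvus: it runs a per-host egress baseline over a small set of constructed flow records (the record format, the internal address ranges and the thresholds are all assumptions) and flags the host whose volume to an external destination spikes, while leaving alone a host that sends a consistently large nightly backup.

```python
"""Egress-volume baseline check: flag hosts whose daily bytes to external
addresses spike far above that host's own history.

Added example. The flow records below are constructed for illustration and
are not from the page or from any real network. Assumed record format, one
flow per line: "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: three internal hosts over four days. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet destinations.
SAMPLE_FLOWS = """\
2022-10-03T09:12:01Z 10.20.1.15 10.20.5.2 445 1200000000
2022-10-03T09:15:40Z 10.20.1.15 203.0.113.10 443 80000000
2022-10-04T10:02:11Z 10.20.1.15 203.0.113.10 443 95000000
2022-10-05T08:47:53Z 10.20.1.15 203.0.113.10 443 70000000
2022-10-06T02:14:09Z 10.20.1.15 198.51.100.20 443 2400000000
2022-10-06T09:30:00Z 10.20.1.15 203.0.113.10 443 60000000
2022-10-03T23:00:00Z 10.20.1.33 203.0.113.50 443 1500000000
2022-10-04T23:00:00Z 10.20.1.33 203.0.113.50 443 1500000000
2022-10-05T23:00:00Z 10.20.1.33 203.0.113.50 443 1600000000
2022-10-06T23:00:00Z 10.20.1.33 203.0.113.50 443 1550000000
2022-10-06T11:05:22Z 10.20.1.77 203.0.113.10 443 12000000
"""

# Assumed internal address space; a real deployment loads its own list. An explicit
# list is used instead of ipaddress' is_private, which would also classify the
# documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "day": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def egress_by_host_day(flows):
    """Return (bytes per host per day, bytes per destination per host-day),
    counting only flows to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal transfers (e.g. SMB to a file server) are not egress
        totals[f["src"]][f["day"]] += f["bytes"]
        per_dst[(f["src"], f["day"])][f["dst"]] += f["bytes"]
    return totals, per_dst


def find_exfil_candidates(flows, min_bytes=500_000_000, ratio=5.0):
    """Flag hosts whose egress on the most recent day in the data is at least
    min_bytes AND at least `ratio` times their mean on earlier days. A host with
    no history is flagged on the absolute threshold alone. Findings are sorted
    by volume, largest first."""
    totals, per_dst = egress_by_host_day(flows)
    if not totals:
        return []
    review_day = max(day for days in totals.values() for day in days)
    findings = []
    for host, days in totals.items():
        today = days.get(review_day, 0)
        history = [b for d, b in days.items() if d < review_day]
        baseline = sum(history) / len(history) if history else 0.0
        if today < min_bytes:
            continue
        if baseline and today < ratio * baseline:
            continue  # large but consistent with past behaviour, e.g. a nightly backup
        top_dst, top_bytes = max(per_dst[(host, review_day)].items(), key=lambda kv: kv[1])
        findings.append({
            "host": host,
            "day": review_day.isoformat(),
            "bytes_out": today,
            "baseline_bytes": baseline,
            "ratio_to_baseline": (today / baseline) if baseline else None,
            "top_dst": top_dst,
            "top_dst_bytes": top_bytes,
        })
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Run as-is, the check reports only 10.20.1.15: roughly 2.46 GB out on the last day against a baseline near 82 MB, most of it to a single new destination, 198.51.100.20. The backup host 10.20.1.33 moves more data every night than the threshold, but because its volume matches its own history it is not flagged, and the 1.2 GB SMB transfer to an internal file server is ignored entirely. Both the absolute floor and the ratio matter: dropping the ratio to 1.0 makes the backup host show up too, which is the false positive a per-host baseline is there to suppress.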


 🗣️ TL;DR

For those who are easily spooked (or are the “read the last page of the book first” people), we’ll give you the summary. Parakeet Incorporated experienced a data breach, and threat actors alerted them to their dirty work in hopes of receiving a ransom payout. Parakeet did not pay the ransom, and worked with their cyber insurer to get the proper vendors to resolve the issue. We’d say it was a happy ending after all. 


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.