
What is cyber extortion?

Cyber extortion is a crime involving an attack or threat of an attack, coupled with a demand for money or some other response, in return for stopping an attack or preventing one from happening.

Cyber extortion attacks involve gaining access to an organization's systems and identifying points of weakness or valuable targets. Two of the most common variants of cyber extortion are ransomware and distributed denial-of-service (DDoS) attacks.

In a ransomware attack, cybercriminals use malicious software to hold data or systems hostage and demand payment to release them. They might also use a DDoS attack to make a service unavailable, or use other malware to steal sensitive corporate information and threaten to make it public. Victims are then left in the precarious position of deciding whether to give in to the threat actors' demands.

Cyber extortion can cause significant financial and reputational damage to individuals and organizations of all sizes.

How does cyber extortion work?

Cyber extortion occurs when the attacker gains access to sensitive data on a victim's computer network or system through methods such as ad scams, phishing emails, infected websites and other techniques. The attacker might not be directly responsible for executing the attack. They can also use ransomware as a service or cybercrime as a service, where they hire skilled cyberattackers to perform the task on their behalf.

The type of attack used and how it is executed differ depending on the attacker's goals and the victim's potential vulnerabilities. In a DDoS extortion attempt, for example, the cybercriminal typically threatens to carry out an attack if payment is not made. The process might start with the threat actor making an initial ransom demand and using a botnet to carry out a small-scale DDoS attack. If the ransom is not paid, this often escalates into a large-scale DDoS attack, which continues until the victim pays the attacker.

In a ransomware attack, the extortionist encrypts the victim's files and offers to decrypt them only after payment is made, usually in a cryptocurrency such as bitcoin. Ransomware attacks can be automated through malware distributed via emails, infected websites or ad networks. These attacks tend to spread indiscriminately, creating networks of infected computers, but often only a small percentage of victims pay the cyber extortionists. More targeted attacks cause less collateral damage but offer more lucrative targets for the extortion attempt. Ransomware attacks can also leave an organization open to follow-up demands through double extortion or triple extortion strategies.

Cyber extortion can happen to individuals and businesses alike, but small businesses are more likely to be targeted. While larger businesses might still be targeted for bigger potential payouts or because they are a target for nation-state reasons, they also typically have more resources they can dedicate to effective cybersecurity practices.

Smaller organizations commonly have fewer resources to implement effective cybersecurity practices, meaning they are like 'low-hanging fruit' to threat actors. Even though the payout might be less for smaller organizations, they might feel more pressure to pay the ransom, as the attack can be more crippling for them than for larger organizations. Smaller organizations might also be a gateway to access any connected larger organization.

Cyber extortion vs. ransomware

While cyber extortion and ransomware are related concepts, they are not the same.

Cyber extortion is a broader term that refers to the different techniques cybercriminals use to force victims to comply with their demands. It entails threatening or blackmailing individuals, businesses or organizations to obtain money or other valuable assets.

Ransomware is a specific type of cyber extortion that uses malicious software to encrypt a victim's files or lock them out of their systems. After encrypting the victim's files, the attacker demands a ransom in return for releasing the decryption key or regaining access to the infected systems. During a ransomware attack, the victim is frequently given instructions on how to pay the ransom and restore access to their data.
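The encrypt-then-instruct sequence just described leaves a recognisable trace in file-activity logs. As an added example (not from the original article), the Python below runs two detection rules over constructed, JSON-formatted file-audit events: a burst of renames by one process that change file extensions, and the same file name being created in several folders. The field names, process names, the `.locked` extension and the `HOW_TO_RESTORE.txt` note name are all constructed assumptions, not indicators of any particular family; the thresholds are starting points to tune against the environment's baseline.

```python
"""Detect the file-system traces of the ransomware behaviour described above:
a burst of renames that change file extensions, then the same ransom note
created in many folders. Example code added for illustration, not from the
article. The JSON field names and every log line are constructed."""

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RENAME_BURST = 10      # extension-changing renames by one process ...
WINDOW_SECONDS = 30    # ... within this many seconds raises an alert
NOTE_DIRS = 3          # same file name created in this many folders


def build_sample_log():
    """Constructed file-audit events: pid 1200 is an office app doing normal
    work; pid 6610 renames twelve spreadsheets to .locked within seconds and
    drops the same note (placeholder name) into four folders."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    home = PureWindowsPath(r"C:\Users\ann")
    lines = []

    def ev(sec, **fields):
        fields["ts"] = (base + timedelta(seconds=sec)).isoformat()
        lines.append(json.dumps(fields))

    ev(0, pid=1200, proc="WINWORD.EXE", op="rename",
       src=str(home / "Docs" / "draft.docx"), dst=str(home / "Docs" / "final.docx"))
    ev(5, pid=1200, proc="WINWORD.EXE", op="create",
       path=str(home / "Docs" / "~$final.docx"))
    for i in range(12):
        ev(20 + i, pid=6610, proc="updater.exe", op="rename",
           src=str(home / "Docs" / f"q{i}.xlsx"),
           dst=str(home / "Docs" / f"q{i}.xlsx.locked"))
    for folder in ("Docs", "Pictures", "Desktop", "Downloads"):
        ev(35, pid=6610, proc="updater.exe", op="create",
           path=str(home / folder / "HOW_TO_RESTORE.txt"))
    return lines


def parse(line):
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def extension_changed(src, dst):
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def detect(lines):
    """Return {pid: sorted list of triggered rules} over the given log lines."""
    events = sorted((parse(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    rename_times = defaultdict(deque)                   # pid -> recent rename times
    note_dirs = defaultdict(lambda: defaultdict(set))   # pid -> file name -> folders
    alerts = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["op"] == "rename" and extension_changed(e["src"], e["dst"]):
            window = rename_times[pid]
            window.append(e["ts"])
            # drop renames that fell out of the sliding window
            while (window[-1] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_BURST:
                alerts[pid].add("rename-burst")
        elif e["op"] == "create":
            p = PureWindowsPath(e["path"])
            folders = note_dirs[pid][p.name.lower()]
            folders.add(str(p.parent).lower())
            if len(folders) >= NOTE_DIRS:
                alerts[pid].add("note-drop")
    return {pid: sorted(rules) for pid, rules in alerts.items()}


if __name__ == "__main__":
    for pid, rules in detect(build_sample_log()).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Both rules key on behaviour rather than on a known extension or note name, which is why a process that renames a handful of files or saves one file into one folder (pid 1200 here) stays below the thresholds while the mass-rename process is flagged on both counts.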

Types of cyber extortion

Today, businesses are being hit by the following types of cyber extortion and cyberthreats:

  • Cyber blackmail. This occurs when cybercriminals breach a private network, steal valuable data and hold the information hostage. In 2017, hackers shared unreleased episodes of the Netflix series Orange Is the New Black when the streaming company did not pay the blackmailer. That same year, cyber extortionists threatened to release unaired episodes of Game of Thrones if HBO did not pay $5.5 million in bitcoin.
  • Database ransom attacks. These involve hackers who identify and hijack databases running vulnerable versions of MySQL, Hadoop, MongoDB, Elasticsearch and similar systems. Attackers can exploit these systems if patching is not up to date or if default administrative passwords have not been reset. They sometimes replace the contents of a breached server with a ransom note requesting payment in bitcoin to reinstate the data.
  • DoS or DDoS attacks. These common cyber extortion methods affect access to servers and data. Cybercriminals launch attacks and demand payment to stop them, or they threaten an attack and demand payment to keep the attack from happening.
  • Ransomware. Victims of ransomware find their devices infected with malware that prevents them from accessing those devices or the data stored on them. This happens when a user inadvertently downloads malware by opening infected email attachments, visiting a compromised website or clicking on a pop-up ad. To regain access, the victim must pay the hacker a ransom.
  • Doxing. This is the act of intentionally disclosing or publicizing a victim's personal or private information, such as their home address, phone number or bank records, usually to cause harm or distress. If the hacker's demands are not satisfied, extortionists might make doxing threats against specific people or groups.
  • Phone extortion. This entails the attacker threatening, during a phone call, to harm the victim or their loved ones until a payment is made.
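The database ransom attacks in the list above depend on a listener being reachable beyond loopback with authentication turned off. As an added example, not from the article, the Python below audits an Elasticsearch `elasticsearch.yml` or a MongoDB `mongod.conf` for exactly that combination, using the products' real setting names; the weak and hardened config texts are constructed, the `flatten_yaml` helper covers only the scalar subset of YAML those files use, and the defaults assumed for missing keys are noted in comments.

```python
"""Audit a database config for the conditions database ransom attacks rely on:
a listener bound beyond loopback with no authentication enabled.
Example code added for illustration, not from the article. Setting names are
real Elasticsearch and MongoDB keys; the config texts are constructed."""

from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed configs: a weak and a hardened variant for each product.
WEAK_ES = """
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARD_ES = """
cluster.name: analytics
network.host: 127.0.0.1
xpack.security.enabled: true
"""
WEAK_MONGO = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""
HARD_MONGO = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def flatten_yaml(text):
    """Flatten a YAML subset (scalar values, nesting by indentation, dotted keys)
    into {"a.b": "value"}. Constructed for this example, not a full YAML parser."""
    result = {}
    stack = []  # (indent, key) for enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))   # start of a nested mapping
        else:
            result[full] = value
    return result


@dataclass
class Finding:
    product: str
    setting: str
    value: str
    reason: str


def _truthy(v):
    return str(v).lower() in {"true", "yes", "on", "enabled"}


def audit(product, text):
    """Return findings for a config that is exposed without authentication."""
    cfg = flatten_yaml(text)
    findings = []
    if product == "elasticsearch":
        host = cfg.get("network.host", "_local_")        # assumed default: loopback only
        security = cfg.get("xpack.security.enabled")     # version-dependent default, so
        if host not in LOOPBACK and not _truthy(security or ""):   # missing counts as off
            findings.append(Finding(product, "network.host", host,
                "listens beyond loopback while xpack.security.enabled is not true; "
                "anyone reaching port 9200 can read, drop or overwrite indices"))
    elif product == "mongodb":
        hosts = {h.strip() for h in cfg.get("net.bindIp", "127.0.0.1").split(",")}
        if _truthy(cfg.get("net.bindIpAll", "false")):
            hosts = {"0.0.0.0"}
        authorization = cfg.get("security.authorization", "disabled")   # documented default
        if not hosts <= LOOPBACK and authorization.lower() != "enabled":
            findings.append(Finding(product, "net.bindIp", ",".join(sorted(hosts)),
                "bound beyond loopback with security.authorization disabled; "
                "collections can be dumped and replaced with a ransom note"))
    return findings


if __name__ == "__main__":
    for name, product, text in [("weak", "elasticsearch", WEAK_ES), ("hardened", "elasticsearch", HARD_ES),
                                ("weak", "mongodb", WEAK_MONGO), ("hardened", "mongodb", HARD_MONGO)]:
        print(name, product, audit(product, text) or "no findings")
```

The check deliberately treats a missing `xpack.security.enabled` as a finding because the safe default differs between Elasticsearch major versions, and it treats a missing `security.authorization` as disabled because that is MongoDB's documented default; binding to a non-loopback address is acceptable only once authentication is explicitly on.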

According to a 2024 blog post that summarized the "Flashpoint 2024 Global Threat Intelligence Report," threat actors can employ the following techniques to pressure victims into compliance:

  • Data encryption. Attackers encrypt a victim's data and then demand payment for the decryption key.
  • Data extortion. Cybercriminals threaten to release or sell the stolen data unless a ransom is paid.
  • Unethical disclosures. A threat actor exploits discovered vulnerabilities for financial gain.
  • Data as a commodity. When commodified on the dark web, the value of stolen data is driven up. The stolen data could then be used to facilitate other attacks.
  • Access brokers. In this scenario, unauthorized access to a system is sold to a threat actor, leading to a cyberattack.
  • DDoS attacks. Attackers disable online services with overwhelming traffic and issue ransom demands to stop the attack.
  • Physical threats. Physical threats of violence are made to the victim or the victim's family to further incentivize the payment of a ransom.

Effects of cyber extortion

Companies victimized by cyber extortion schemes suffer the effects of data breaches and loss of sensitive information, including damage to their reputation, lost customers and lost revenue. For example, if customers cannot access their preferred websites, they will likely move on to other companies that offer the same or similar products or services. In addition, hackers threaten to make a victim's trade secrets or intellectual property public or to sell it to rival companies; that threat is what motivates a victim company to pay the ransom.

Cyber extortion attacks continue to threaten businesses of all sizes across the world. Some effects of recent cyber extortion events include the following:

  • A ransomware attack on the Colonial Pipeline in May 2021 shut down the pipeline for days, causing fuel shortages and clogging air traffic. As a result, U.S. President Joe Biden proclaimed a state of emergency.
  • In June 2023, a ransomware attack on the University of Manchester in Manchester, England, compromised the details of more than one million patient records that were part of a medical research project.

According to British cybersecurity company Sophos' "State of Ransomware 2024" report, 59% of organizations were affected by ransomware in 2023, and the average ransom payment increased from $400,000 in 2023 to $2 million in 2024.

For example, in 2023, LockBit ransomware caused serious problems for several well-known companies. Among those affected was a prominent dental insurance provider, where the attack exposed the sensitive information of approximately 9 million patients throughout the U.S. A water utility in Portugal and the U.K.'s Royal Mail also encountered substantial service disruptions because of LockBit attacks.

Customers whose data is made public as the result of a cyber extortion exploit or other type of data breach might be able to recover damages from the company. Under the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act, financial and healthcare companies can be held liable for such disclosures, incurring hefty government fines.

Cyber extortionists might also have access to a victim's private information, such as personal photos or videos. These cyber attackers can demand payment to prevent them from sharing that information with contacts in the victim's email or social media accounts.

Preventing cyber extortion

Cyber extortionists are constantly searching for new vulnerabilities to exploit and new ways to threaten victims. Consequently, companies must be vigilant in their efforts to combat these exploits.

To reduce the risk of becoming a victim of cybercrime, organizations must enforce strong cyberdefenses. Best practices to reduce the risk of cyber extortion include the following:

  • Back up and encrypt data. Develop strategies to back up and encrypt sensitive data and test recovery procedures regularly. Maintain regular offline, encrypted backups and store them in locations separate from networks in use.
  • Authenticate. Use multifactor authentication and identity and access management systems.
  • Update systems. Make sure all computer systems are updated and patched, including security systems.
[Image: a checklist of the steps organizations should follow when responding to a security incident.]
  • Educate and train. Provide employees with awareness training so they can identify phishing attempts to get them to click on malicious links, avoid posting sensitive data on social media sites and take other steps to reduce the potential cyber extortion attack surface.
  • Have an incident response strategy. Companies should have an incident response strategy, along with test contingency and disaster recovery plans, to ensure recovery from a cyberattack.
  • Set up strong security measures. Basic cyber hygiene is important to protect a business. This includes deploying firewalls and antimalware tools to identify and prevent malware intrusions, using up-to-date antivirus software for endpoint security, keeping all system software current with the latest patches, hardening internal network defenses, and limiting network access to disrupt threat actor activity.
  • Implement risk analysis and management. Additional cybersecurity measures to mitigate cyber extortion attacks include following risk analysis and risk management programs that identify and address cyber-risks, reviewing audit logs regularly for suspicious activity, and remaining vigilant for new and emerging cyberthreats and vulnerabilities by participating in information sharing and by receiving alerts from the U.S. Computer Emergency Readiness Team.
  • Cyber insurance. Organizations should consider buying cyber insurance to offset any costs if a cyber extortion incident does occur.
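A backup is only a control if a restore from it has been rehearsed. As an added example, not from the article, the Python below implements the back-up and test-recovery item: it archives a directory, seals a SHA-256 manifest with an HMAC under a key assumed to be kept offline with the backups, restores into a scratch directory and verifies every file; it also shows that a manifest edited by someone who reached the backup share is rejected. The encryption step the article lists is not shown; it would wrap the archive in an AEAD before storage.

```python
"""Automated restore drill for the back-up and test-recovery practice above.
Example code added for illustration, not from the article. The key and all
sample files are constructed; the key stands in for one held offline."""

import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive):
    return Path(str(archive) + ".manifest")


def make_backup(src, archive, key):
    """Archive every file under src and write a sealed per-file hash manifest."""
    src = Path(src)
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    body = json.dumps(hashes, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_path(archive).write_text(json.dumps({"files": hashes, "mac": mac}))
    return hashes


def restore_and_verify(archive, dest, key):
    """Refuse a manifest whose seal does not verify, extract only safe members,
    then compare every restored file against the manifest. Returns (ok, problems)."""
    doc = json.loads(manifest_path(archive).read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return False, ["manifest seal mismatch: backup set is not trustworthy"]
    dest = Path(dest)
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:   # refuse path traversal and non-regular entries
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                return False, [f"unsafe archive member rejected: {m.name}"]
        tar.extractall(str(dest), members=members)
    problems = []
    for rel, digest in doc["files"].items():
        restored = dest / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def drill(key=b"placeholder-offline-key"):
    """End-to-end recovery test on constructed data. Returns
    (clean restore verified, restored content intact, tampered manifest rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("2024-01-02,invoice,1200.00\n")
        (live / "notes.txt").write_text("quarterly plan\n")
        archive = tmp / "backup.tar.gz"
        make_backup(live, archive, key)
        # The live copy is later overwritten, as ransomware would do; the backup is untouched.
        (live / "notes.txt").write_bytes(os.urandom(32))
        ok, _ = restore_and_verify(archive, tmp / "restore", key)
        intact = (tmp / "restore" / "notes.txt").read_text() == "quarterly plan\n"
        # Someone who reaches the backup share and edits a hash cannot re-seal the
        # manifest without the offline key, so the whole set is rejected.
        doc = json.loads(manifest_path(archive).read_text())
        doc["files"]["notes.txt"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(doc))
        tampered_ok, _ = restore_and_verify(archive, tmp / "restore2", key)
        return ok, intact, not tampered_ok


if __name__ == "__main__":
    print(drill())
```

Running the file executes `drill()`, which should return three `True` values; scheduling it against real backup sets, with the key read from the offline store at run time, turns the "test recovery procedures regularly" item into something that can fail loudly before an incident rather than during one.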

The Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury, has identified multiple red flag indicators of ransomware related to illicit activity in the financial industry. The organization alerts financial institutions to situations that can help them detect suspicious transactions and prevent incidents.

Cyber extortion cases

In addition to the 2017 cyber extortion attacks against Netflix and HBO, there are other notable cases.

In 2015, a hacktivist group calling itself The Impact Team attacked Ashley Madison, a hookup site for people who are married or in relationships. The attackers said they compromised the company's database, which held the personally identifiable information of 37 million users. Rather than asking for money, the group threatened to release the information if the company's owners, Avid Life Media (ALM), didn't take down two of its dating websites as punishment for defrauding its customers. The hackers claimed ALM did not remove the personal information of some customers, even though they had paid extra to have that information expunged. When ALM did not give in to The Impact Team's demands, the group leaked Ashley Madison's customer data.

In 2017, the WannaCry attack encrypted more than 250,000 systems using asymmetric encryption. The U.K.'s National Health Service was among the targets and had to take its systems offline. The threat actors demanded payment in bitcoin. It's unclear how many victims paid the ransom.

In 2019, threat actors attacked numerous state and local governments using Ryuk ransomware. According to the Center for Internet Security, ransoms ranged from $100,000 to $500,000 worth of bitcoin.

In December 2020 and again in January 2021, hackers accessed dozens of organizations' data by exploiting zero-day vulnerabilities in Palo Alto-based Accellion's file transfer application. Victims included supermarket chain Kroger, blue chip law firm Jones Day, Reserve Bank of New Zealand and Shell Oil. The methods used included Structured Query Language (SQL) injection and server-side request forgery. The attackers sent emails to victims threatening to make their data publicly available.

Cybersecurity firm FireEye -- now Symphony Technology Group -- revealed in December 2020 that hackers had made off with its Red Team tools, which could be used to launch sophisticated cyberattacks. U.S. officials believed that Russian intelligence agencies were behind the attack.

The SolarWinds attack was also disclosed in December 2020, revealing that the company's monitoring software had been compromised in the latter half of 2019 and was used to infiltrate and extort government agencies and private sector companies.

The ransomware attack on Colonial Pipeline in 2021 caused an eight-day shutdown of the 5,500-mile pipeline, which resulted in gas lines and shortages in New York and the Southeast. The Federal Bureau of Investigation (FBI) identified the attacker as DarkSide, a ransomware-as-a-service group known to use double extortion tactics. Colonial Pipeline is reported to have paid nearly $5 million in bitcoin.

Since its discovery in 2022, Royal ransomware has been used in high-profile assaults against critical infrastructure, particularly hospitals. With the partial encryption method used by this ransomware, the threat actor can select the precise portion of a file's data to encrypt, which reduces the encryption percentage for bigger files and aids in avoiding detection. In addition to encrypting material, Royal actors use double extortion strategies. Notable victims of Dev-0569, the group associated with the Royal ransomware, include Silverstone Circuit, the renowned racing circuit in the U.K.; Travis Central Appraisal District, a Texas government entity; and a major U.S. telecom provider that received a $60 million ransom demand.

Within a single month in 2023, both Caesars Entertainment and MGM Resorts suffered cyberattacks. Identity management vendor Okta confirmed that both companies, which were Okta customers, were compromised through social engineering attacks. The MGM attack was attributed to the Alphv/BlackCat ransomware gang and another group called Scattered Spider, and it is theorized that these groups performed both the Caesars and MGM attacks. Caesars paid up to $15 million to Scattered Spider after the group threatened to release company data, while MGM reportedly refused to pay the ransom, leading to significant operational interruptions.

In 2024, London Drugs was the victim of a ransomware attack by the LockBit group. According to the company, data from its corporate environment was exposed, including files from its finance and human resources departments, as well as employee information. No customer data was compromised, however. London Drugs set up a tool enabling employees to check if they were affected by the attack; if they were, they were offered a 24-month subscription for MyTrueIdentity credit monitoring and identity theft services, plus a $1 million reimbursement insurance policy, through TransUnion Canada.

Should cyber extortion victims pay demands?

The obvious benefit of paying a ransom is regaining access to crucial files and systems. While the ransom is expensive, rebuilding files or systems can be exponentially more expensive and time-consuming.

The FBI discourages ransom payments to criminals. It contends that doing so will embolden attackers to target other organizations, encourage other criminals and fund criminal activities. Paying the ransom also doesn't always guarantee the recovery of a victim's files. Once a ransom is paid, the victim could be marked as a company that will comply and pay a ransom, potentially increasing the likelihood that it will be targeted again. Likewise, the use of double or triple extortion ransomware means that a single attacker could have multiple chances to target the same organization.

Instead, the FBI urges victims to report ransomware threats to local FBI offices or the FBI's Internet Crime Complaint Center.

In a 2021 update to its initial advisory, the U.S. Treasury's Office of Foreign Assets Control warned that organizations helping victims make ransomware payments could be in violation of the agency's regulations. It identified companies such as financial institutions, cyber insurance firms and those involved in computer forensics and incident response as possible offenders, depending on the tactics they use. The updated advisory adds new guidance on steps organizations can take to mitigate risks. These include implementing strong cybersecurity practices before an attack and promptly reporting a ransomware attack to law enforcement.

Is cyber liability insurance worth having?

The Department of Commerce Internet Policy Task Force states that cybersecurity insurance could help increase cybersecurity and reduce the number of successful cyber extortion incidents. At the same time, insurers are encouraging customers to exercise preventative measures and best practices by basing coverage and premiums on the insured's level of self-protection.

Increasingly, customers are requiring vendors to have cyber insurance policies as part of their compliance contracts. The adoption of cyber insurance is increasing, with the cyber insurance market totaling $15.3 billion globally in 2024, according to a report from German multinational insurance company Munich Re. Likewise, according to a 2025 summary of cyber insurance market trends from software vendor JumpCloud, 80% of large firms have cyber insurance, while only 10% of small and midsize businesses do.

However, before deciding on cyber liability insurance, an organization should evaluate its risks and consult an insurance expert. In general, due to the rise in cyberattacks and data breaches, having cyber liability insurance can be beneficial for companies in all industries but is especially important for technology-dependent businesses, small businesses and organizations that process sensitive data.

