Cyber-extortionists are liars
Wade Woolwine, manager of strategic services at Rapid7, has dealt with his share of blackmailers who steal sensitive data from enterprises and then hold it for ransom.
Companies call in Rapid7 to help them figure out whether the blackmailers do, in fact, have the data they claim to have, to learn how they got into the system and to get them out, and to figure out how to deal with the blackmail itself.
Woolwine said that he's worked on under a hundred of these cases.
[ ALSO ON CSO: Ransomware: Pay it or fight it ]
About a quarter of the time, the customer caves in and pays the ransom, typically between $10,000 and $25,000.
In return, the blackmailers promise to delete the data they stole.
Of course, there's no guarantee that the blackmailers will actually do that.
"There's the rub," Woolwine said. "They may not delete it. That's why the advice we give to customers is to not deal with attackers. Reach out to law enforcement and reach out to an incident response firm."
The other three quarters of the victims don't pay up. Some investigate first, and decide that the hackers don't actually have the data that they claim to have. Others just decide not to deal with the criminals.
Plus, if it's personally identifiable information that gets stolen, it still counts as a data breach whether a company pays up or not. No regular is going to take a criminal's word for it that they've deleted the data.
In either case, the blackmailers haven't followed through with their promises to expose the data.
"In the particular cases we've investigated, it's been an empty threat," Woolwine said.
One reason could be is that the data these guys go after -- trade secrets, source code, and intellectual property, is too hard to fence.
Or it could be that it's just not worth their time.
"They tend to move onto to the next victim," said Woolwine. "They're trying to find the most defenseless victim to go after and the victims are out there right for the picking."
Given their high success rate and the high ransom amount, even information like Social Security numbers, which has a ready market, isn't worth the effort.
"It's getting to the point where selling personally identifiable information on the open market is not as lucrative," he said.
Meanwhile, although he advises enterprises to call in the authorities when they're hit with an extortion attempt, he admits that it rarely does any good.
"They get caught approximately zero percent of the time," he said. "They are very cunning and they are typically in countries where the U.S. does not have extradition treaties or else they hide very well."
Cyber-extortionists target companies in all industry sectors, he said, and of all sizes.
"There isn't necessarily any rhyme or reason," he said. "They're just going after the companies they feel they can victimize the most."
Meanwhile, defending against these kinds of attacks is like defending against any other kind of breach, he said. Enterprises should have strong information security programs, keep their patches up to date, do regular vulnerability assessments, have proper access controls, and make sure that the only people who can see the source code are those who have a need to know.
The highly targeted enterprise-focused cyber-extortion attacks are very different from CryptoLocker and its variants.
CryptoLocker is malware that spreads itself, and targets individual machines instead of entire companies. Ransom amounts tend to be low, typically at around a couple of hundred dollars. Defending against CryptoLocker involves keeping systems patched, antivirus up to date, and having good backups.
"Having very good backups solves the CryptoLocker problem," he said. "You can just delete the system and restore the data from the backup."