By Shalini S.

The past week has seen news reports in the Indian media, proclaiming the rise of a new computer-related crime, “cyber extortion”. Cyber extortion is a term generally understood to refer to a category of cyber crimes, where stolen, sensitive and private data is withheld or threatened to be exposed in order to extort money. In such attacks, while cybercriminals threaten to cripple websites or disclose sensitive data, the data itself (stolen or accessed without authorization) is not tampered with and is usually safely returned on demands of the cyber extortionists being met. Simply put, hackers are forcing companies to pay them to desist from impeding commercial operations – a fee to be left alone.

In a shocking revelation, two Indian companies conceded to having paid hackers money to the tune of $10 million, to protect sensitive information stolen from their compromised computer networks, from imminent exposure. As the stolen information was incriminatory in nature, the attacks which seems to have originated in the Middle East, went unreported by the companies’ even months after payments had been made and no case has been filed by either company. Nevertheless, the discovery has prompted an unprecedented interest in understanding cyber extortion, its operation and treatment in India. In yet another instance of cyber extortion, a businessman from Hyderabad recently found himself unable to access his company’s database as it had been encrypted by a hacker demanding payment for decryption.

In the recently reported cases of digital extortion in India, criminals have exploited the vulnerabilities of cyber space to extort money, by predominantly employing the following strategies:

1. Gaining unauthorized access to a company’s secured data, strategy and trade secrets and threatening to make it public if demands of payment aren’t met.
2. Encrypting data in order to disable primary owner’s access to it and demanding payment for decryption.

According to a recently released threat report by Trend Micro, India also encountered the highest number of ransomware infections in the second quarter of 2015 and has ranked 6th in the list of countries sending maximum spam. Ransomware refers to malicious software implanted in communication devices to take control of them and hold data hostage (usually by encrypting it). Rightful owners are forced to pay “ransom” to cyber criminals in order to regain access to their devices after it has been has subject to such attacks. However, in light of allegations of private reports perverting statistics that represent current threat landscape, it is crucial to note that the above-mentioned threat report was published by a private security software firm that potentially stands to benefit from such a scare by creating increased demand for its security solutions.

Regardless, it is evident that in the perpetration of an extortion attempt, information systems are capable of being employed by cyber criminals in one or more of the ways as elucidated below[1]:

1. Information system as the medium for perpetration of the threat.
2. Information system as the object of the threat itself.
3. Payment to the extorter being facilitated through information systems.
4. Information and communication systems used as the medium for exposure, if demands remain unmet.

Noticeably, extortion manifests in several ways and thus, the provisions of the Information Technology Act under which victims of cyber extortion attacks may claim recompense under varies. However, as unauthorized access to data is characteristic of these attacks, S.43 and S.66 of the Information Technology Act, provisions dealing with protection of data and hacking, may be invoked to deal with cyber extortionists.

Further, in order to avoid exposure, cyber extortionists widely resort to the use of ransomware and botnets – network of compromised computers that are under the influence of malware code and unwittingly controlled by a master spam/virus originator usually engaged to forward transmissions.[2] Oft times, cyber extortion attacks are carried out by organized cyber criminals who hedge their collective technical abilities to extract crucial private data and information. Additionally, payments are demanded in bitcoins in order to further preserve anonymity. In the case of the two Indian conglomerates mentioned above, extortionist hackers even avoided being reported as the information they accessed (and threatened to expose) could implicate their victims in wrongdoing, naturally prompting a silent payoff. Hence, even criminals engaging in digital extortion from within India, are likely to escape prosecution under existing laws due to the complexity of ascertaining identity of the perpetrators. However, if they are identified, they may be prosecuted for the offences of extortion and criminal intimidation under S. 383 and S. 503 of the Indian Penal Code in addition to being charged with offences under the Information Technology Act.

The nature of operation of cyber extortion hasn’t yet been fully understood or captured by existing definitions. For instance, even a DDOS (extortion) attack may be used by extortionists to make websites unusable, in effect coercing them to pay.[3] Further, payment demanded may not always be monetary in nature or even capable of being materially quantified. Victims are also faced with disbelieving police when they try to lodge a formal complaint as not many enforcement authorities are aware of cyber extortion.

With an exponential rise in cyber extortion attacks globally having been reported and legal recourses proving inadequate, corporate entities and individuals must privately protect their data from intrusion by using advanced anti-virus tools, firewalls, updated operating systems and conduct regular cyber security audits to ascertain their vulnerability and assess their risk preparedness.

(We were unable to source Trend Micro’s threat report for Q2 of 2015 discussed above and request anyone with a copy to share the same with us in order to enable continued, meaningful engagement with cybersecurity issues).

(Shalini is a Research Fellow at the Centre)

[1] Gregory Bednarski, Enumerating and Reducing the Threat of Transnational Cyber Extortion against Small and Medium Size Organizations, Information Security Policy and Management (2004).

[2] Gu, G., Perdisci, R., Zhang, J., & Lee, W. (2008, July). BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. In USENIX Security Symposium (Vol. 5, No. 2, pp. 139-154).

[3] Mathieu Deflem & Brian Hudak, Internet Extortion and Information Security, in Organized Crime: From Trafficking to Terrorism (1 ed. 2008).

Original author: Sarvjeet Singh