Identifying risks: Blackmailing and extortion
Feb 7th, 2009 by Jesper Kråkhede
During the last months I have held quite a few risk workshops, and one topic that has always arisen is whether blackmail and extortion are actually threats to think of and handle when we look at information security. The first answer would be “No”, but thinking a bit longer the answer could only be “Yes”, due to the fact that there have been several incidents where both threats have been delivered and actual attacks have been carried out.
In a previous post I wrote about the guy holding a city hostage. There is a trojan out there that encrypts files, and the only way to get them back was to pay an amount to get the decryption key. Several of my customers routinely get threats in their email stating that if they do not fix the vulnerabilities on their sites they will be attacked (this is possibly some kind of sales trick). Other customers with web shops often get threats stating that they will be DDoSed. This has actually happened in two cases, but only for a few hours.
So with the above information in mind I could state that it is a risk, but that it is currently not a large risk. But with encryption tools popping up everywhere, both as large-scale enterprise tools and as freeware, it is rather easy to imagine that a disgruntled employee could use this as a way to blackmail his employer, or that someone else could create a new trojan that implements encryption. The obvious protection against both threats would be backups (and testing to restore the files), but it still creates a disruption in production.
So in the end, to achieve 24/7 production, these kinds of threats have to be handled even if they should not be top of mind (yet).