According to FBI data, cybercriminals are on pace this year to collect approximately $1 billion through cyber extortion. This is a practice in which extortionists threaten to cripple a computer system or obtain and/or release confidential information unless their demands (usually for money) are satisfied. Although much of this money is coerced from individuals in increments of several hundred dollars, more and more organizations are finding themselves in cyber extortionists' crosshairs, including documented incidents against local governments, schools, hospitals and businesses in a range of industries. As cyber extortionists increasingly target organizations rather than individuals, security professionals fear the costs of cyber extortion incidents could dramatically increase.
Cyber extortion can take various forms, but ransomware is by far the most common variant. Ransomware is a type of malicious software that, when launched within a computer (usually from an e-mail attachment opened by an unsuspecting employee), encrypts data or locks access to critical applications. An anonymous demand for payment then overlays the computer screen, usually asking for bitcoin (a form of electronic currency that is difficult to trace) in exchange for the decryption key. In February, a California hospital reportedly paid $17,000 in bitcoin after ransomware hobbled its computer systems and prevented employees from sharing communications electronically for 10 days.
Other forms of cyber extortion include denial-of-service attacks that disrupt networks until payment is made, or threats to disclose customer data or other confidential information unless a specific demand is met. For example, in 2007, Nokia reportedly paid millions of euros to cybercriminals to prevent the release of an encryption code that could have compromised the security of its customers' phones and, in 2015, a hacker released customer data from a bank in the United Arab Emirates after it refused to pay a bitcoin ransom of about $3 million.
A cyber extortion threat can exert enormous pressure on an organization as it decides whether to satisfy the demand, and there are strong reasons for refusing to do so. For starters, law enforcement agencies discourage paying ransoms; there is no guarantee that the extortionists will remove the threat once payment is made; and the threat accompanying the demand may be preventable, or may lack credibility to begin with.
In some instances, however, an organization may determine that the...