A question of extortion?

The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, a 78% increase.

That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?

My immediate thought was that IC3 is now considering Denial of Service for Ransom attacks as extortion, which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920s gangster walking into the local butcher shop, “Nice shop you have here, would be a shame if you had a fire,” but apply it to a website, à la “Nice website you have here, sure would be a shame if it was taken offline.” I have previously written about RDOS (Ransom DOS) attacks.

The Internet Crime Report offers a list of definitions and explains extortion as “unlawful extraction of money or property through intimidation or undue exercise of authority. It may include threats of physical harm, criminal prosecution, or public exposure.” The definition doesn't mention anything about a denial of electronic or Internet service. The report records DOS attacks as a separate offense and defines them as “a Denial of Service (DoS) attack floods a network/system or a Telephony Denial of Service (TDoS) floods a voice service with multiple requests, slowing down or interrupting service.” That definition is closer but doesn't mention anything about a demand for money or some other item of value.

Are they considering the threats of ransomware gangs to release exfiltrated data if the ransom isn't paid? That is certainly on the increase as businesses are becoming better at restoring encrypted files from backups. The ransomware gangs are stealing sensitive data before encrypting it on disk and then threatening to release it to the public if the victim refuses to pay. This is certainly extortion. But shouldn't this be counted as a ransomware attack?

So what is considered extortion?

I'd like to ask the center some follow-up questions but neither the report nor the IC3 website contains any contact information.

#cybercrime #cybersecurity #cyficrime