Held to ransom

Earlier this year, a young woman "checked into" Facebook and put up details of the hotel she was vacationing at. Not long after that, her father received an email demanding a hefty ransom. He was told that the hotel's security feed had been hacked into and unless the ransom, running into a couple of lakhs, was paid, an "intimate video" of his daughter would be uploaded online. The father, CEO of a multinational company in India, ended up paying the money.

In another instance, a Delhi-based industrialist found all the data on his computer locked. He couldn't access any of the family photos, personal files or bank details. There was only one file that could be opened - and it gave him instructions on how to pay the ransom, following which he was told he'd be able to retrieve the data. Because of the sensitive information involved, he decided to pay up and subsequently, recovered the data.

Last November, a report by security software company Trend Micro predicted that 2016 would be the "Year of Online Extortion," and that's not very far from the mark. While one cyber security expert says that the number of cyber extortion cases coming to him has increased by 400 per cent, another says that his cases have tripled since 2014. Since a majority of digital extortion cases go unreported, all figures are just guesstimates.

While companies are the most obvious targets, prompting many of them to increase their cyber security budgets and strengthen their cyber teams, individuals too are falling prey to digital extortion. Data extortionists do not discriminate between seasoned businessmen, new-age entrepreneurs or college students. While the end goal is financial gain and everyone is vulnerable, experts agree that high net worth individuals, or HNIs, are most at risk.

Much like the Delhi industrialist, a Mumbai-based entrepreneur found this out the hard way when all his data was locked for two days by "ransomware".

The term "ransomware" is as heavy as it sounds. It refers to a genre of malicious software programs (malware) designed to block access to your computer till you pay up. The terms may get sophisticated as time progresses, but the underlying malevolent intention is always the same: extortion, the digital way.

"When we went to investigate the case, we found that this was the second time this entrepreneur's system had been attacked," says Sivarama Krishnan, a cyber security expert at PricewaterhouseCoopers India.

The first time around, worried about being pulled up for what had happened to his boss's computer, the entrepreneur's assistant had paid up and the system was functional again. "What people don't realise is that many malicious programs leave behind backdoors to return," says Krishnan. "During the second attack, the ransom was considerably higher."

The victims are almost always unwilling to divulge the details, but cyber security experts say the ransom depends on the kind of data "seized" and the financial worth of the target. Often, it runs into lakhs.

You don't necessarily have to be on websites unsuitable for work to be a victim of ransomware. From the innocuous email that promises you "attractive offers" to a video link anywhere on social media, the delivery method for malware varies.

  • Always keep backups and encrypt those backups
  • Don’t buy second-hand phones from unverified sources
  • Don’t leave your phone lying around, unprotected
  • Don’t download attachments from unknown senders out of curiosity
  • Avoid opening emails that ask for bank details or promise iPhones or lottery prizes
  • Keep different passwords for different accounts, and make them difficult to crack
  • Update your antivirus regularly
  • Report the matter to the police
  • Change passwords to uncompromised networks
  • Keep aside the data you still have access to
  • Minimise the damage by switching your phone/laptop off

There was a time black hat hackers needed to be clued into the basics of coding before they caused harm, but with ransomware there's no need for such expertise. "That's the most worrying part," says Krishnan. "The potential for exploitation has grown and cyber attacks have become so commercialised that ransomware comes with instructions on how to use it." Some sources sell it online for as little as $8.

Not only are ransomware victims picked strategically, these attacks are also well-timed. Take the case of a Kolkata-based entrepreneur who was locked out of his laptop just one day before a crucial board meeting.

In another case, an HR manager was asked to pay up in bitcoins, a kind of cryptocurrency, when she couldn't access any of her files on the computer. But since she had a backup of all her data, she refused to pay and moved on with a new computer after she couldn't get the old one unlocked.

From bags of cash to transferring money into overseas accounts to bitcoins, the evolution of ransom gateways demands an essay in itself, but bitcoins have the unique trait of only leaving cold trails behind. "Follow the money," Deep Throat had said in All The President's Men (1976); he may not have said the same about bitcoins.

Bitcoins are easily accepted and tradable, and most cyber criminals prefer them because they also provide the anonymity they need, says cyber security expert and Mumbai High Court advocate Prashant Mali.

There is, however, no guarantee that the data would be "released" or the extortionist would keep his word even after the ransom is paid. The bitter experience of two high-profile builders is a case in point. They were asked for a sizeable amount to get the decryption software that would release their data from the ransomware. One of them negotiated and paid a certain amount, only to realise that the "solution key" didn't work. The second builder refrained from paying anything. Neither of them got their data back.

"Sometimes," says Mali, "even cyber criminals get tricked by their malware suppliers and receive an algorithm that can't decrypt the encrypted data." Some of his clients have even started provisioning for paying ransom after bad experiences with cyber security professionals who do not sort things out on time. And, for these people, time is money.

The more information you share online, the more footprints you leave behind for someone to follow. "Digitally mapping an individual was much harder when we didn't have smart phones," says Krishnan. Indians, particularly, are known to post pictures and talk about vacations indiscriminately, instead of sticking to closed groups. Identity theft is just one fallout of people putting their private information online.

Another cause for cyber concern is the availability of software programs that record your conversations and consistently track your movements. A number of such services were previously based in Israel and cost exorbitant amounts for long-distance hacking. But other cell phone call-hacking software is also available, alarmingly, as free downloads. That is why cyber security professionals constantly advise people against leaving their cell phones unattended.

Once downloaded onto the phone, such software allows the miscreant to listen in on and record conversations, read text messages and emails, track web activities, gain access to all the contacts, photos and videos stored on the target phone, wipe out all data on the phone, track the phone's location even without GPS, and lock the phone - all this, in stealth mode.

"There are ways to remotely turn on the microphone of your laptop or cell phone - so don't take these into confidential meetings or remove the battery if you really want to take them in," advises Pavan Duggal, cyber law expert and Supreme Court advocate. "Celebrities and HNIs have also been known to put a tape over the laptop's camera for security."

Often, there are no tell-tale signs to warn you if your laptop or phone has been compromised.

"I am constantly approached by people whose systems have been hacked," says Bengaluru-based ethical hacker Anand Prakash. "There's no way for a layman to know if his system has been broken into. But if you have doubts, get it checked before something happens."

Such is the concern around hacking that the possibility of medical devices connected to the internet being broken into, either for the purpose of extortion or for causing physical harm, is also being explored. Norwegian cyber security researcher Marie Moe has, for some time now, been hacking into medical devices to highlight cyber vulnerabilities. Moe has a pacemaker and is concerned that if the computer that tracks her pacemaker is connected to the internet, it can be hacked remotely. Expressing similar security concerns, former US vice-president Dick Cheney said in an interview to CBS News that in 2007 he had the wireless functions in an implanted heart device disabled for this very reason.

While Krishnan feels India still has a long way to go before worrying about "Internet of Things" (IoT), when every object we use has network connectivity, Duggal stresses, "These are not concerns of the future, these are concerns of the present. IoT is now a reality."

Experts agree that only awareness can save the day. "We can't solely depend on the law because the law still has to catch up," says Duggal. "The Information Technology Act of 2000 is completely silent on ransomware: the word doesn't even find mention in it."

Iada Martin, superintendent of police, Cyber Crime Division, CID, Bengaluru, admits that we have to proceed at a faster pace to keep up with changing technology and cyber criminals. "There's also the issue of coordinating with a lot of different agencies spread across countries; we have to keep in mind laws of those countries too," he says.

So the onus of staying secure falls on the individual. When Krishnan asked a client if he knew all of the 85,000 people who followed him on social media, he replied saying he barely knew 200 of them.

Every time you accept a friend request on Facebook, or have a new follower, unless you have due restrictions in place, you expose all of your friends, families and followers to someone you don't really know.

Cyber experts stress the use of an updated anti-virus not just for the computer but also for the cell phone, which, for all practical purposes, is a mini computer. The risk of malware specifically increases when someone uses proxy sites. "On the surface it seems like you are using Facebook, but it's possible for malware to be sending out all the data from your system," says Prakash.

The mental and emotional trauma and anxiety inflicted on victims of cyber crime is incalculable. "While businesses have been suffering losses, lives have been wrecked," says Duggal.

The problem lies in the all-too-obvious state of affairs: we don't apply the fundamentals of our physical world to the virtual universe. "We wouldn't wear a lot of gold or carry lots of cash if we were walking on the street. We wouldn't ever let a stranger who comes knocking on our door simply walk into our home. Then why should we accept friend requests from strangers; why put out our personal selves online?" wonders Krishnan.

We've long accepted that privacy is a myth. "There's nothing like absolute cyber security either," says Duggal. "You have to plan for cyber-resilience."
