Cyber extortion vs. ransomware: What’s the difference?


Cybercrime is a rapidly growing industry. Experts estimate that cybercrime costs will reach $10.5 trillion annually by 2025.

But did you know that there's more than one kind of cyberattack?

Cyber extortion and ransomware are two costly and damaging attacks popular with cybercriminals. However, while they share a common goal and infiltration method, the attacks have fundamental differences.

Cyber extortion focuses on stealing data.

On the other hand, ransomware works to lock down critical business systems.

For over 25 years, WEBIT Services has built effective cybersecurity procedures for hundreds of clients. It is passionate about using strategy and education to protect its clients.

By the end of this article, you will learn the definitions and goals of cyber extortion and ransomware, how cyberattacks work, and how to protect your business from these attacks.


The difference between cyber extortion and ransomware

While ransomware can enable extortion, it is not pure cyber extortion.

Extortion says, "I have your data; pay me to keep it from getting out."

Ransomware says, "I blocked access to critical functions; pay me to get access."

Ransomware uses machine or program functionality against its victims, but extortion uses data.

Delivery method

While not necessarily targeted, cyber extortion often happens due to human error. This can take the form of:

  • Access to a lost, unlocked or unencrypted device.
  • Failing to update hardware or software security patches promptly.
  • Social engineering (tricking people into giving up login credentials).

On the other hand, ransomware attacks are primarily random and are mainly carried out by a software program rather than by a human actively hacking into a targeted system.

The ransomware software locates vulnerable systems, and once it's inside a network, it gets to work.


What is cyber extortion?

Like all forms of extortion, cyber extortion relies on a threat: the cybercriminal steals valuable data and threatens to release it to the public.

What cyber extortion looks like

Cyber extortion occurs when a cybercriminal accesses your network and confidential data.

In cyber extortion, cybercriminals find any information your business needs to keep private (e.g., client or patient information or intellectual property), steal it, and then threaten to release it unless you pay a ransom.

If this data is publicized, it will damage your company's reputation and relationships. Depending on the nature of the data, it can also result in lawsuits. Therefore, this information must be kept secret.

How do you know if you're a victim of cyber extortion?

You won't know it based on your system's performance. Cyber extortionists want to remain unnoticed so they can continue mining data.

However, you will receive a message and a verification that they have your data. This is usually a screenshot of the stolen confidential information.

In essence, the message will say something along the lines of, "I have this information. Pay me, or else I publish it."

How to resolve cyber extortion

Unfortunately, once a cybercriminal has your information, there's very little you can do to prevent extortion. You cannot steal the information back, for instance.

At this point, businesses must perform damage control to protect what relationships and profits they can. Here are three things you should do when you're the victim of cyber extortion:

  1. First, call your lawyer and insurance to see what you can do to mitigate damages.
  2. Next, you should contact your IT provider to find and remove malware. They can also work to locate and correct the exploited security vulnerabilities.
  3. Finally, you must choose whether or not to pay the ransom to protect the confidentiality of the stolen data.

However, you have no guarantees that the cybercriminal will not release the data regardless of payment. Cybercriminals may also hold the data and request additional ransoms later.

They can continue to demand payments for as long as the data is valuable.


What is ransomware?

Ransomware makes critical systems unusable until the cybercriminal receives payment.

What ransomware looks like

Ransomware is a kind of malware that encrypts systems. Encryption converts readable data into a scrambled form known as ciphertext. Encrypted data or programs can only be deciphered by using the correct key.

Ransomware software studies your system to locate backups and critical systems. Once these are found, backups are wiped, and critical systems are locked down using encryption.

You cannot use the system in this state.

Under a ransomware attack, business functionality comes to a halt.

How do you know if you're a victim of ransomware?

Once activated, ransomware attacks are obvious.

In most cases, you turn on a device to find it encrypted and unusable.

You will also receive a pop-up or email message outlining the cybercriminal's demands.

However, there are times when the device is not immediately encrypted. In these instances, you will receive a warning message, "Pay this amount by this time, or I will encrypt your device."

How to resolve ransomware

Unlike cyber extortion, there's a chance to remedy ransomware without payment if you have made proper preparations.

If the attack is isolated to a single device or locked system, you may be able to remove the malware and restore functionality using backups.

However, if you do not have clean backups or the malware reaches all of your systems, you may not be able to restore functionality.

As with a cyber extortion attack, you will want to immediately contact your lawyer, insurance, and IT provider to mitigate damages.

Again, if you feel you must pay the ransom, there is no guarantee the cybercriminals will restore functionality. If that's the case, your system must be rebuilt from scratch, which can take days or even months.
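An added example, not part of the original article: one way to check whether a backup copy is still clean before restoring from it, by comparing it with a hash manifest taken earlier and flagging changed files whose byte entropy has jumped to ciphertext-like levels. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import math

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune for your data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits near 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def build_manifest(files):
    """Record (sha256, entropy) per path while the data is known to be good."""
    return {p: (hashlib.sha256(d).hexdigest(), shannon_entropy(d)) for p, d in files.items()}


def audit_backup(manifest, files):
    """Compare a backup copy with the manifest before trusting it for a restore."""
    missing, encrypted = [], []
    for path, (digest, old_entropy) in sorted(manifest.items()):
        data = files.get(path)
        if data is None:
            missing.append(path)  # wiped or renamed since the baseline
        elif hashlib.sha256(data).hexdigest() != digest:
            # Changed content that jumped from low to near-maximal entropy looks
            # encrypted; an ordinary edit keeps entropy low and is not flagged.
            if old_entropy < ENTROPY_THRESHOLD <= shannon_entropy(data):
                encrypted.append(path)
    return {"missing": missing, "encrypted": encrypted, "clean": not (missing or encrypted)}


# Constructed sample data (not from the article): three small "documents".
TEXT = b"Quarterly invoice for client 0042: total due 1,250.00 USD\n" * 70
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
BASELINE = {"invoices.txt": TEXT, "contracts.txt": TEXT[::-1], "notes.txt": b"call back\n" * 50}
MANIFEST = build_manifest(BASELINE)
GOOD_COPY = dict(BASELINE, **{"notes.txt": b"call back\n" * 50 + b"done\n"})  # normal edit
BAD_COPY = {"invoices.txt": RANDOM_LIKE, "notes.txt": BASELINE["notes.txt"]}  # 1 scrambled, 1 gone

if __name__ == "__main__":
    print(audit_backup(MANIFEST, GOOD_COPY))
    print(audit_backup(MANIFEST, BAD_COPY))
```

Files that were already compressed or encrypted at baseline start with high entropy, so this check only reports them when they go missing; the manifest itself must be stored where the backed-up systems cannot modify it.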


The anatomy of a cyberattack

While the damage they cause is unique, all cyberattacks follow the same pattern. Attacks are divided into six stages:

  1. Reconnaissance
  2. Weaponization and delivery
  3. Exploitation
  4. Installation
  5. Command and control
  6. Actions and objectives

It's also important to note that attacks are entirely random in the initial stages. These rarely begin as targeted attacks, so no business is too small or too large for these cybercriminals.

1. Reconnaissance

In this stage, automated programs look for vulnerabilities in any network they can reach. These weaknesses may result from poor cybersecurity (e.g., no firewall or spam filter) or human errors (e.g., clicking malicious links or sharing login credentials).

2. Weaponization and delivery

In this stage, the cybercriminal chooses how to deliver their malware through automated software.

The malware may be delivered via email attachments or malicious links.

3. Exploitation

Once a vulnerability has been found and the malware chosen, the cybercriminal or their software will exploit the access point and plant the malware.

4. Installation

The malware is installed on the victim's network.

Cybercriminals will use these programs and the installed malware to maintain access or gain deeper access into the network.

Often, the malware will sit in stealth mode for months, gathering more information on the network, its data, structure, and backups. This information will be used in the eventual attack.

5. Command and control

Now, cybercriminals have the control they need to launch an attack.

They will set up a "command center" to communicate with the victim's network. The command center will pass data to and from the infected network and devices.

6. Actions and objectives

After completing the previous steps, cybercriminals will launch their attack. Their goal may be to disrupt the system, steal data, or create fear through threats of action.


How to prevent cyber extortion and ransomware

When it comes to cybersecurity, "an ounce of prevention is worth a pound of cure."

Once a cybercriminal has launched an active attack, it's already too late. The key is to minimize vulnerable entry points in your network and detect malware before it activates an attack.

Solid cybersecurity practices are the key to preventing these attacks. Your IT provider, managed security service provider, or internal IT team should follow an approved cybersecurity framework to help fortify your network.

Your IT team should also help you create an IT incident response plan to minimize business downtime and lost profits if a crisis occurs.


Next steps for protecting your business from cyber extortion and ransomware

While similar in many ways, cyber extortion and ransomware attacks are fundamentally different. Extortion focuses on holding data hostage, while ransomware locks functionality.

Good cybersecurity practices are the best way to prevent these attacks.

Talk to your IT provider, managed security service provider, or internal IT team about your current security procedures. In addition, you should have quarterly risk assessments to uncover and address vulnerabilities.

You should also ask them about your incident response plan, when it was last tested, and when it was last updated. These plans should be tested and updated annually. If they are not, you risk increased downtime in an IT crisis.

It is a security red flag if your provider is not performing risk assessments or following a cybersecurity framework like CIS or NIST. If this is your situation, you may want to consider finding a new IT provider.

WEBIT Services believes that knowledge is power, which is why it is passionate about cybersecurity education and IT strategy.

If you're ready to have a conversation about security frameworks and risk assessments for your business, schedule a free 30-minute consultation with WEBIT.
