Cyber extortion: What it is, how it works, and how to protect yourself

Cyber extortion is one of the fastest-growing cyber threats, and no one is completely safe. Criminals target individuals, businesses, and even governments, leaving behind financial damage, lost productivity, and a tarnished reputation.

In this guide, we’ll break down how cyber extortion works, share real-life examples, and give you practical tips to protect yourself, along with steps to take if you ever find yourself a target.

What is cyber extortion?

Cyber extortion is a type of online blackmail where attackers use threats to pressure victims into paying money or fulfilling other demands.

It’s different from phishing, which relies on tricking people into revealing sensitive information. However, data stolen in a phishing attack can later be used as leverage in a cyber extortion scheme.

What is the difference between ransomware and cyber extortion?

Ransomware is one form of cyber extortion. In a ransomware attack, criminals encrypt a victim’s files or lock their systems and demand payment to restore access.

Cyber extortion is a broader category. It includes ransomware, but it also covers other extortion threats like exposing sensitive data or disrupting online services unless the attacker’s demands are met.

How does cyber extortion work?

At its core, cyber extortion is about forcing someone to comply by threatening to harm their data, systems, reputation, or privacy. Attackers use many different methods, target a wide range of victims, and can have very different reasons for doing it.

Common tactics used by attackers

Most cyber extortion tactics fall into two broad categories: attacks involving unauthorized access to data or systems and external attacks that disrupt services without breaching internal systems.

Ransomware is the most common type of attack involving unauthorized access, and distributed denial-of-service (DDoS) attacks are the most prevalent virtual extortion tactic focused on disrupting services.

But some types of cyber extortion don’t fit neatly into either category. Insider threats, for example, involve actors who already have authorized access to data and systems but misuse their privileges.

Who are the typical targets?

Cyber extortionists target both individuals and organizations, but small businesses are the most at risk. This is because targeting businesses generally leads to higher payouts than targeting individuals, and smaller businesses tend to be more vulnerable to cyberattacks than large companies that have more resources to dedicate to cybersecurity.

Motivations behind cyber extortion campaigns

Money is the main driver. However, not every cyber extortionist is after cash alone. Some want recognition or a sense of achievement, while others are motivated by political or ideological causes (hacktivism), government-backed operations, or corporate espionage.

Types of cyber extortion

Here’s a quick overview of the different types of cyber extortion:

• Ransomware attacks: The attacker uses ransomware, a type of malicious software (malware), to lock a victim's files or systems and then promises to restore access if their conditions are met. In some cases, known as double extortion, the attacker also steals the data and threatens to publish it if the ransom isn’t paid. Triple extortion goes even further by targeting not just the original victim but also their customers, partners, or other stakeholders, sometimes demanding payment directly from them to keep their personal data private.
• DDoS attacks: The threat actors overload a website or online service with traffic, making it unavailable to legitimate users. They then demand payment to stop the attack. Even short periods of downtime can cause significant disruption and revenue loss, making this tactic particularly damaging for online-dependent businesses.
• Sextortion: The attacker acquires explicit images of the victim and then threatens to spread these photos online unless their conditions are met. The threat actor often acquires these explicit images through trickery. For example, they may pretend to be interested in a relationship with the victim.
• Insider threats and whistleblower blackmail: This describes any type of cyber extortion carried out by employees, contractors, or partners with legitimate access to sensitive data or systems.
• Doxxing: The attacker threatens to publish personal information about the victim, like their home address, phone number, or workplace, unless they comply with the attacker’s demands. This can put the victim at risk of harassment or even physical harm.

Real-life cyber extortion cases

Here are some of the most prominent cyber extortion cases in the last few years and what we can learn from them:

The WannaCry ransomware attack

The WannaCry ransomware attack was a major cybersecurity incident in 2017. It was believed to be the work of a North Korea-based ransomware group called the Lazarus Group.

It spread by exploiting a flaw in older, unpatched versions of Windows known as EternalBlue, infecting more than 200,000 computers worldwide. Victims included major organizations like FedEx, Honda, Nissan, and the UK's National Health Service (NHS).

Colonial Pipeline incident

In 2021, Colonial Pipeline, which operates a critical fuel pipeline in the U.S., was hit by a ransomware attack carried out by a criminal group called DarkSide. The attack forced the company to shut down its operations, leading to fuel shortages and panic buying across several states. In the end, the company was forced to pay a ransom of approximately $4.4 million to stop the attack.

Later it was revealed that the attackers gained access through a compromised VPN account used for remote access to Colonial Pipeline’s internal systems (not a consumer VPN service like the ones individuals use for online privacy).

Note: For everyday users, a trusted commercial VPN like ExpressVPN doesn’t create this kind of risk; instead, it protects your internet traffic and keeps your data safe from outside threats.

Travelex and the REvil gang

On New Year's Eve 2019, Travelex, a UK-based foreign exchange company, experienced a ransomware attack that disrupted its global operations. The REvil/Sodinokibi group claimed responsibility and threatened to release sensitive customer data unless paid. After several weeks of negotiations, Travelex paid a ransom of $2.3 million to regain access to its data.

Garmin and WastedLocker

In 2020, Garmin, a major GPS and wearable tech company, suffered a ransomware attack by a ransomware group known as Evil Corp using a program called WastedLocker. The attack took many of its products and services offline.

Although Garmin made no official statements about paying the ransom, evidence shows that they did receive a decryption key and began restoring services after a four-day outage.

The Karakurt group and healthcare extortion

The Karakurt group is a cybercriminal organization that first emerged in 2021. One of their more notable attacks occurred in 2022 when they targeted Methodist McKinney Hospital in Texas.

The attackers accessed systems containing protected health information and threatened to leak all of that data on the dark web.

This case highlights a different approach to cyber extortion: rather than encrypting files or systems, Karakurt focused on stealing sensitive data and using the threat of public disclosure or sale to coerce victims into paying.

Baltimore government ransomware case

In 2019, the City of Baltimore was targeted by a ransomware attack. It caused widespread disruptions, including limited access to public services.

City officials chose not to pay the ransom, opting instead to recover their systems without yielding to the demands. The attack cost the government at least $18.2 million.

This case shows that even major entities like city governments aren’t immune to cyber extortion. Baltimore’s refusal to pay the ransom, in large part due to the uncertainty that threat actors would actually hold up their end of the bargain, also highlights the risks and complexities involved with ransom payments.

How to deal with a cyber extortion threat

If you ever receive a cyber extortion threat, here’s how to respond:

• Isolate affected systems immediately: Disconnect compromised devices from the internet and internal networks. This limits the attacker’s ability to spread malware or extract additional data.
• Preserve evidence: Save system logs, take screenshots, and document all suspicious activity or communications from the attacker. This will help law enforcement and cybersecurity professionals investigate and potentially identify the perpetrators.
• Engage professionals early: Contact a trusted incident response team or IT security specialist to assess the damage, identify the attack vector, and start containment and recovery measures.
• Avoid paying the ransom: While it might be tempting to “just get it over with” by paying the ransom, in general, law enforcement agencies recommend against it. There’s no guarantee the attacker will restore access or delete stolen data, and it encourages further criminal behavior.
• Notify law enforcement: Cyber extortion is a serious crime. Report the incident to the proper authorities so that they can investigate, issue public alerts, and help coordinate responses that may benefit other victims.

How to report cyber extortion

If you are in the U.S., you can report cybercrimes, like cyberextortion or malicious websites, to:

• The FBI Internet Crime Complaint Center (IC3)
• Your local FBI field office
• The Cybersecurity and Infrastructure Security Agency (CISA)

Outside of the U.S., report the incident to your country’s cybercrime agency or national computer emergency response team.

In all cases, provide as much detail as possible, including copies of ransom messages, attacker contact information, system logs, and a description of how and when the incident occurred.

How to prevent cyber extortion

Preventing cyber extortion requires proactive measures. Here's a quick guide for both individuals and businesses:

Best practices for individuals

Individuals can lower their cyber extortion risk by practicing good digital hygiene and making use of online privacy and security tools:

• Use strong, unique passwords combined with two-factor or multi-factor authentication to protect accounts.
• Learn to recognize phishing red flags and avoid clicking on suspicious links or unsolicited attachments. You can also report any malicious websites you encounter to help prevent others from being targeted.
• Keep your software and operating system updated to close security gaps that attackers could exploit.
• Back up important files so you can recover your data in the event of a ransomware attack.
• Be cautious about sharing personal information or photos online or with strangers
• Install antivirus software to detect and block malicious threats.
• Use a reputable virtual private network (VPN), such as ExpressVPN, to protect your internet traffic.

Learn more: Find out why you need a VPN for private and secure online activity.

How businesses can reduce risk

Preventing cyber extortion requires a multi-layered approach that combines both technology and organizational practices.

Preventing cyber extortion starts with strong technological infrastructure. This includes security tools like firewalls, intrusion detection systems that monitor for suspicious activity, and advanced threat protection software that identifies and blocks complex attacks. Adopting a zero-trust security model with least privilege access can further strengthen your business’s defenses.

Organizational practices also play a crucial role. This includes maintaining up-to-date, separate backups and having a tested disaster recovery plan to ensure quick restoration after an attack. Regular security audits, penetration testing, and a well-developed incident response plan also help identify weaknesses and coordinate an effective reaction to threats.

Finally, human error remains one of the biggest vulnerabilities, which is why ongoing employee training is critical to reducing the risk of cyber extortion.