In December 2020, a cyberextortion case unfolded in typical fashion: an unknown attacker broke into a network via an unknown security hole, acquired sysadmin powers, stole confidential data, and covered their tracks. The attacker then demanded 50 Bitcoins (then worth about $2,000,000) to hush things up and doxxed the victim when the blackmail wasn’t paid. The situation took an unexpected turn when the victim, Company-1, suspected an inside job, and within three months the FBI raided the home of Nickolas Sharp, a senior developer at Company-1. It turned out that Sharp had been “helping” to remediate his own attack by day while trying to extort a $2m ransom payment by night. Sharp made false statements to the FBI and went on a PR counter-offensive, causing Company-1’s share price to drop and making the devaluation worse than it would otherwise have been.
To avoid situations like this, it is important to divide and conquer: no individual sysadmin should have unfettered access to everything. It is also crucial to keep immutable logs, and to measure rather than assume the effectiveness of cybersecurity measures by getting independent, objective confirmation of security claims. Companies should also consider outsourcing cybersecurity threat response to a managed detection and response service.
In this case, Sharp was sentenced to six years in prison followed by three years on parole and instructed to pay restitution of just over $1,500,000. It is important to note that doxxing, or deliberately releasing documents about a person or company to put them at risk of physical, financial, or other harm, is a serious cybercrime that can cause significant harm to individuals and organizations alike.
In conclusion, while this cyberextortion situation followed a well-worn path, it didn’t happen in the way one would expect. It serves as a reminder for companies to implement strong cybersecurity measures and to be vigilant in detecting and responding to cyber threats.