This article is written by Gautam Chaudhary, a law student at Chanderprabhu Jain College of Higher Studies and School of Law, GGSIPU. It talks about cyber extortion and its types, as well as the existing laws related to cyber extortion in India.
This article has been published by Sneha Mahawar.
Table of Contents
In the twenty-first century, many countries in the world have witnessed technological advancement in their respective jurisdictions. Some have been introduced as a major power in technological and economic terms, whereas others have found the world of cyberspace to be a way of coping with this race. Out of all the countries, India also holds one of the positions. In terms of cyber relations and operations, India has made great and significant advancements, since all the major operations are kept online, like the citizen’s primary identification card, driver’s licence, registration of a vehicle, etc. Along with these various essential E-services in this age, a massive threat also comes along with it, which is called ‘cyber extortion’ which operates by threatening the common public by catching hold of their personal or crucial professional sensitive information and demanding it. Therefore, the present article talks about cyber extortion in detail.
Cyber extortion, also known as cyber blackmail, is an illegal practice conducted by a person who holds crucial personal, professional, or commercial data in his possession. The person who does this illegal digital crime is known as a “cyber extortionist.” In every case, such a person holds crucial data hostage with the motive to demand a ransom, either in cash or in another form. This practice takes a criminal turn when the hacker threatens the victim to leak the data among the public if the ransom is not paid within a strict time deadline. The data kept as hostage can be of any type; it can be either personal photos, videos, commercial trade secrets, or an organisation’s upcoming projects, blueprints, or information.
For example, there’s a man named A who hacks into the systems of Coca-Cola companies. Now he has access to its secret recipe for the Coca-Cola soft drink. Now, A threatens the company with having to pay a heavy ransom for the recipe’s restoration, or else it would be leaked into the public domain or even sent to other competitors.
Cybercriminals typically carry out cyber extortion by either blocking access to the victim’s computer or overloading its network by running or introducing a large amount of traffic. In cases of heavy traffic on the network, the victim is not able to run his or her business at all since the network usually fails to load because of the ongoing traffic. The victim suffers from the inability to operate his business; additionally, he incurs significant expenditure on its restoration, which is also a lengthy process that drains the finances of the business.
In the case of cyber extortion, as mentioned above, the victim is forced to pay a ransom, usually in monetary terms, or else his crucial data, whether personal or commercial, is leaked to the public, which can be adverse for the victim. Moreover, in such cases, the victim cannot contact the authorities for the required help because there is a great risk of losing his/her vitally private information on social networking sites to the public. As a result, it can be understood that cyber extortion or blackmail is one of the most deterrent forms of cruelty in the form of crime, which hinders and violates the very principle of privacy and poses the victim with great mental and physical torture.
Cyber extortion in India
Cyber blackmailing operates in Indian jurisdictions as well. It is termed “digital crime,” where a person hacks into the system and seizes or holds over sensitive files or information and, in return for its safe release, demands a ransom. Hackers commit cyber extortion by first targeting systems and then attacking the weaknesses and flaws in an organisation’s security system.
For example, in the normal operation of a business, the CEO of the company sends his employee a trade secret relating to the new line of men’s deodorants. He sends this sensitive information over email. Here, the hacker would hack into the company’s official email account, which is used by the CEO, and catch hold of the information, thereby demanding ransom. Furthermore, hackers target a company’s official surveys and systems in order to steal more sensitive information for a higher ransom.
Types of cyber extortion
Cyber extortion exists in mainly five forms. The same are discussed below exhaustively.
Sextortion is a form of cyber extortion where a person first takes possession of sexual videos or private parts of the victim and then either forces him/her to perform sexual relations with him/her or demands a huge ransom for the release of the content in his possession—or even both by threatening to leak the content in public or to the victim’s parents. The crucial element for this type of cyber extortion is the possession of sexual photos or videos, which is obtained by him only through the victim by baiting him/her into the trap of fake love or affection. Only after the individual obtains these materials does he threaten the victim with leaking them to the public or sending them to their parents or other close relatives. Sextortion mainly operates on social media like Facebook or Instagram and on dating sites as well.
Cyber extortion most commonly operates via email, wherein the attacker sends a message containing the sensitive or personal files of the victim. Following that, the attacker demands a ransom be paid by the victim; additionally, the attacker threatens the victim, threatening to release his personal information to the public or on social media sites. In the event that this ransom is not paid, the information goes into the public domain. For the operation of this type of extortion, the information has to be highly personal or sensitive, like photos or videos, or, in the case of business institutions, something of high value, like their trade secrets.
Among the different forms of cyber extortion, blackmail is also on the list. The specific crime is usually a criminal act in which the hacker holds onto or seizes sensitive information and blackmails or threatens to leak it to the public or rival organizations. The information mentioned can be either a photo, a video, or a business operation.
Ransomware is a type of digital malware that, through its nature and functionality, prevents the original user from accessing the desired files or documents. Ransomware acts as a wall between the access desired by the true user and the documents present in the file. The vital component of this criminal act is that once established on a certain user’s mail or system, ransomware demands a ransom in monetary terms to give back access to the files to the user. The following are the types of ransomware:
Malicious or spam email is the act of a hacker sending a message to a victim with a number of attached files containing access to adult sites or fake lottery tickets in order to gain system’s access. The motive of sending this malicious folder along with the mail is to attract the user to open it, thereby giving access to the system. The attached folder acts as bait for the victim to fall into their trap, and thereafter, the hackers get access to his system after he clicks on this fake link.
Malvertising is the term used to describe malicious online advertising that distributes malware to users without their knowledge. Through this type of advertising, users come into direct contact with malware that can detect their computer information as well as their location. Malvertising operates through an infected iframe or invisible webpage element. The iframe from the original or initial webpage redirects the user to a webpage where all the information exploitation works. All this happens without the user’s knowledge. It is important to note that malvertising works on legit sites as well, since criminal web pages are designed to redirect the user to the web pages from which the information can be exploited.
The term “phishing” used here refers to posing as someone else who, in reality, is not. In the context of ransomware, spearfishing is an act in which a conman sends an email to someone posing as someone he is not. For example, a manager sends an email to company A’s employees and staff, instructing them to read the email because it pertains to the organisation’s new guidelines or plans for upcoming projects. And in this very mail, the sender poses as the CEO of that particular company. Therefore, for the receivers of the mail, it is normal or obligatory to open that mail for the sake of business operations, eventually giving the hackers access to their systems, thereby making them victims of ransomware.
Social engineering is also called “human hacking,” since this illegal cyber technique follows the theory and method of targeting users psychologically. In such attacks, it is crucially important for the hacker to establish contact with the user directly because ransomware does not work like malvertising and spear phishing. What is required for its initiation is the actual human act for getting access to the computer by the user. It attacks human psychology by creating situations like anger or pressure to persuade them to take the necessary action.
For example, a hacker forms up a mail wherein he conveys that the user has won 1 crore rupees as a prize or tells the user that his computer has been hit by the Trojan virus where all his data and files have been compromised, and for the same reason, immediate attention is required. Now, to get access to the victim’s system, the hacker provides a link or a webpage through which he alleges that the prize can be collected or the virus can be removed. Upon clicking on that link or web page, the user exposes himself directly to the attack of ransomware through social engineering.
Denial of Service (DOS)
A denial-of-service attack is one of the cyberattacks that is initiated by the cyber attacker and is used to steal personally identifiable information (PII), i.e., the information about an individual ascertained in combination with other data; it can be the I.D. of the user. Cyberattackers use this form of attack by putting a great deal of traffic on the victim’s server or system. The DOS can last for months, and every time a user tries to load his server, it will not work because it will take a lot of time to load, which will ultimately cause it to crash as well. This will drain the monetary capacity of an organisation since it is too costly to remove such an attack. While the DOS prevents the user from using its server by putting heavy traffic on it, the attackers steal the relevant and essential personally identifiable information, exposing the user to further and greater threats with respect to his personal information.
How to deal with cyber extortion
In order to have a smooth and secure mechanism for personal or professional data, it is essential to take a number of measures to deal with and prevent cyber extortion. The following are the measures or essential practices that a user must perform in order to secure his system against cyber extortion.
The first and foremost measure against cyber extortion is to have the necessary knowledge about it. All organisations must have a pre- or mid-employment cyber attack prevention training programme. Through this, the company would have a strong mechanism to protect its servers from unwanted and illegal cyberattacks.
Cyber data back-up
The second line of defence against a cyber attack is to have a backup of any data that the organisation or individual may lose as a result of the breach. The cyber attack is not prevented since it is just an after-attack measure, but it can prove to be of great aid because it minimises the cyber blackmail’s harm to someone’s data.
Cyber insurance acts as a medium through which an individual or an organisation gets insurance after a cyber attack. Cyber insurance covers the liability for a data breach involving sensitive customer information, such as Social Security numbers, personal details, and health records. Any organisation can avail itself of this insurance if it has faced any kind of cyber attack. Mainly, cyber insurance includes legal fees and expenses that an individual or an organisation incurs after a cyber attack.
Data breach checkup
One of the most important measures is to have monthly checks for data breaches. It is surely an expensive procedure that may require maintenance. But it is the only way to protect the data against cyber attacks since a data breach check-up keeps the computer system’s protection tools and software updated and enhances their functions against any future attack.
Strong password system
One of the basic measures to prevent any cyber attack is to have a strong password for your system because it is the first and foremost thing that the hacker targets, and if the system is protected by a strong password, then it is difficult for the hacker to hack into the system. Next, updating the system’s password weekly is also the best measure against cyberattacks.
Strong firewall and antivirus systems
A firewall is a security system to protect an internal network from unauthorised servers and networks based on predefined rules. It acts as a barrier where it only allows the secured networks to send or receive data in daily operations. Having strong firewalls will be fruitful against any cyber attacks since it protects the system from its core network. Coming on to the antivirus system, this software are also useful for the system’s protection since they scan websites and files to compare their code to the code of known malware. If there are similarities, the antivirus will notify you that the scanned site/file/app is dangerous. Moreover, it refrains the user from going onto a virus-prone website, as it notifies him that the website contains ransomware by scanning it through its database.
Email hygiene training
Email hygiene training by a user means regular reviewing of emails to check whether it is not sent by some unauthorised or unknown user. For the purpose of having a safe and secured business in the long run, email hygiene also includes the sending of messages containing company confidential information that is protected by the organisation’s data classification standards. Caution in sending mail to the right person is one of the most basic exercises in this type of training. Through this, the information, along with the company’s or individual’s email address, remains among the trusted members or groups. At last, email hygiene also includes the exercise of opening trusted mail. In other words, the employees or individuals are advised or trained to only open mail that has come from known and trusted addresses. The opening of fake or unknown addresses is strictly prohibited for secure operations and should be deleted.
Cyber extortion attacks
Cyber extortion exploits a person or a company mentally or financially. The hacker who does this illegal extortion practice creates great fear in the victim’s mind of losing his/her public image or all the business secrets. In view of the same, some of the most widely known cyber extortion cases are herein mentioned below.
An Indian perspective
The UHBVN Ransomware attack
Uttar Haryana Bijli Vitran Nigam, a government-owned company that is responsible for power distribution in North Haryana, was hit by a ransomware attack on March 17, 2021, at 12:17 a.m. The hackers stole the billing data and demanded a ransom in bitcoins. They demanded a whopping sum of Rs. 1 crore, or $10 million, for returning the customer’s data.
The Mirai Botnet Malware attack
This botnet malware took over the internet, targeting home routers and IoT devices. This malware affected 2.5 million IoT devices. The sum included a large number of computer systems in India. This self-propagating malware was capable of exploiting unpatched vulnerabilities to access networks and systems.
A global view
The Orange is the New Black attack
The creators of the famous show titled “Orange is the New Black” in 2017 also became victims of the deadly cyber extortion attack when the hacker group known as the Dark Overload hacked into the system of its server and somehow got access to the unreleased episodes of the show. The hackers threatened the creators with leaking their episodes and demanded a ransom of $50,000. Sadly, even after Netflix paid the demanded ransom, the hackers leaked the episodes online.
The dating site attack
In June 2015, a commercial dating website called Ashley Madison was hacked by a team of hackers called the “Impact Team.” In this case, the hackers broke into the website’s system and got access to its clients’ personal information along with personally identifiable information. Unlike other usual cases, the hackers wanted the dating website to shut down its entire operations; if not, they threatened that the information of its clients would be released in the public. The website did not revoke its operations. Therefore, the hackers leaked a huge load of the company’s data, including its clients’ information.
How to file a cyber crime complaint in India
With the increase in the opening of digital startups in India, coupled with the subsequent change from offline to online services by the Government of India, there arises a need to protect oneself from various forms of cybercrime that happen in numerous numbers with great frequency on daily basis. Therefore, one may file a cyber crime complaint if he/she is or is the victim of such heinous crimes, because now every state jurisdiction has its own cybercrime police unit that investigates and arrests accused persons who are involved in such crimes.
Visit the cybercrime complaint portal
Therefore, firstly to set the law into motion, one may file a cyber crime complaint by going to https://cybercrime.gov.in/. This is the official website of the National Cyber Crime Reporting Portal, where any individual can file an e-complaint against any form of cybercrime.
Select the option of filing a complaint
Next, one may select the option of filing a complaint that is present on the homage of the portal.
Choose the option for the manner in which the complaint must be filed
Thereafter, after selecting the complaint option there appears a page where the portal gives an option for the complainant to choose how he/she may want to file the complaint. If the complainant is a female, she may file the complaint unanimously or report normally with the tracking option. If the complainant is a male, he may choose the option of reporting cybercrime.
Create an account and login with requisite information and submit
Then the next step is to create an account. After making an account, the complainant will have to fill in the state to which he/she belongs along with the details of the account. After the login, the page would consist of four sections, i.e., incident details, suspect details, complaint details, and preview and submit. In the incident detail section, the complainant has to provide the key details of the crime that happened to him. Further, in the suspect section, he has to provide any identity proof that he carries with him, and in the complaint details section, he has to provide his personal details, such as his name, email address, photography, etc. Once all this information has been filled in, then the complaint has to confirm and click on the submit option.
Track the status
Now that the complaint has been filed successfully, the complainant can also track the status of the complaint. It is to note that the complainant cautiously needs to provide true and relevant information or else he/she shall face penal action for the same.
Laws for cyber extortion in India
The National Crime Bureau, Ministry of Home Affairs, Volume II, 2021, reveals that every second, a cyber extortion case is registered in the country’s capital, i.e., Delhi, where every complaint stated the accused had sensitive information about the victim. Therefore, there needs to be a defined law for such a heinous crime.
However, unfortunately, the Information Technology Act of 2000 neither defines the term “cyber extortion” nor has a specified punishment for the same since it does not consider it an offence. Nevertheless, the accused can be booked for offences under the Indian Penal Code, 1860, and the IT Act, under Section 383 (which deals with extortion), Section 503 (which deals with criminal intimidation), and Section 66E of the IT Act.
Section 66E talks about a violation of privacy through the leak of some private areas of any person through the capture, publication, and distribution of the alleged picture. The accused faces up to 3 years in prison and a fine of up to Rs 2 lakh, or both.
Section 383 addresses extortion, which is defined as the act of intentionally causing or putting any person in fear of injury, with the intent of inducing the person to deliver any property or valuable security to the accused. A person accused of committing the offence of extortion can be punished with imprisonment, which may extend to two years, a fine, or both.
Further, Section 503 deals with the offence of criminal intimidation, which is the act of threatening someone with an injury to his reputation, person, or property, or to the person or reputation of any other person in which that person is interested. The goal of threatening is to cause fear in the victim and force him to perform an illegal act or refrain from performing any act to which he is legally entitled or bound. A person accused of committing criminal intimidation can be punished with imprisonment, which may extend to two years, with a fine, or with both.
However, in spite of having the above-said sections under different statutes, there is a need to have a unified and specific provision for the offence of cyber extortion because, in this internet age, Indian citizens, especially big corporations and female members of society, are becoming the victims of this grave crime.
In this digital age, a country like India, which has made every service online for the convenience of its citizens, must look at the possible and emerging issues and threats coming out of this digital system. Nowadays, everyone’s data is stored online in applications like cloud storage, Digi Locker, and personal drives. Therefore, it becomes necessary for the administration to protect the same. The first step towards protection would surely be enacting a specific, well-explained provision stating cyber extortion as a cybercrime. And the same must be punished with severe punishments along with massive fines because the matter at hand is regarding the people’s privacy and reputation, which also come under one of the fundamental rights given by the Indian Constitution as the right to personal liberty. And if the same is not protected and administered, then there won’t be any digital advancement in the true sense.
Frequently Asked Questions (FAQs)
Which authority should one contact in case of cyber extortion?
Anyone who is the victim of any type of cybercrime may contact the state’s police cyber cell and lodge a complaint with them. For example, victims residing in Delhi may contact the Delhi Police Cyber Crime Unit directly.
What is the most common way one can become a victim of cyber extortion?
Opening spam, surfing on unprotected sites, and clicking on unnecessary files, either in the mail or on the internet, provides the hacker with the medium to hit the systems with cyber extortion.
What is the purpose of NCCRP?
The National Cyber Crime Reporting Portal (NCCRP) is an online government portal that is specially made to deal with cybercrime. Here, the victim of any form of cybercrime can easily report or file a cyber crime complaint without any issue. The portal is made especially for women since it allows them to file the complaint unanimously, thereby keeping their identity unknown.
What sort of information is considered evidence while filing a cyber crime complaint?
For the purpose of filing a cyber complaint for any kind of cybercrime, a credit card receipt, bank statement, envelope (if you received a letter or item through the mail or courier), brochure/pamphlet, online money transfer receipt, copy of an email, URL of a webpage, chat transcripts, a screenshot of the suspect mobile number, videos, images, or any other kind of document are needed.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: