Ransomware gangs have managed to sink to new lows in their tradecraft of exacting emotional and reputational harm against companies to get them to pay up.
Researchers have documented new jaw-dropping ransomware incidents that have included a threat by the Monti gang against a business owner to expose the browser search history of an employee, erroneously accusing them of searching for child porn. In other recent cases the ransomware gang doxed the owner of a targeted company, spilling personal and financial information and photos of the owner edited to humiliate them.
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
In a report “Turning the screws: The pressure tactics of ransomware gangs” Sophos X-Ops details the latest in ransomware horror stories.
Other disgusting tactics include "ransomware groups [that] have published sensitive medical data following attacks. This has included mental health records, the medical records of children, and, recently, blood test data," according to the report released Tuesday as part of Sophos' participation in BSides Las Vegas.
"In some cases, we noticed ransomware gangs explicitly calling this out on their leak site – noting that stolen data included 'images of nude patients' and 'information about patients’ sexual problems,'” Sophos said.
In one particularly concerning example cited in the report, the Qiulong ransomware group posted screenshots of the identity documents belonging to the daughter of a CEO along with a link to her Instagram profile.
From bad to worse
That these new ransomware tactics are extremely concerning is an understatement. To make matters worse ransomware operators regularly attempt to magnify their misery by promising victims that if they don't cooperate they will notify customers, partners and competitors once they release the sensitive data.
"The intent here is to generate and intensify pressure from multiple angles and sources: media attention, customers, clients, other companies, and potentially regulatory bodies too," Sophos wrote.
"We noted in our 2021 article that the threat of leaked personal data was a big concern for organizations (and, of course, for the individuals involved), with both privacy and potential legal ramifications. While this is still the case, in recent years ransomware gangs have stepped up their game," Sophos wrote.
Christopher Budd, director of threat research for Sophos X-Ops, said his team noticed a shift for the worst when in 2023, in the wake of the MGM casino breach, ransomware gangs began turning to the media and using it as a tool to increase pressure on their victims. He said in the case of the MGM attack, ransomware criminals tried to "take control of the narrative and shift the blame” on the ransomware victim.
“We are also seeing gangs singling out the business leaders they deem ‘responsible’ for the ransomware attack at the companies they target,” Budd noted.
Budd told SC Media that these ransomware groups are increasingly upping the ante on ransomware business risks.
“Well now we have an example or two in here [the report] where the threat actors are saying, ‘We've got your data, we're going to go through your data if you don't pay. And if we find anything that's of benefit to your competitors, we'll go ahead and give it to them,’” said Budd.
Sophos found that not only are threat actors looking for data that could benefit an organization’s competitors to leverage for a payday, but they’re also looking for illegal activity to threaten to expose, which Budd said was the groups’ way to inject morality into their tactics.
“They're trying to present themselves sometimes as Robin Hood, except in this case, you know, Robin Hood isn't taking the money and giving it back to people,” said Budd. “They're taking the money and buying big cars with it.”
Cybercriminals abuse new regulations
New breach disclosure regulations are a new avenue that wasn’t open to ransomware groups until recently, but seems to have failed in the one known case.
ALPHV/BlackCat filed a Security and Exchange Commission complaint against its own victim in November 2023, saying the company failed to notify the SEC of the breach within four days. The rule, which was adopted in July 2023, didn’t go into effect until December.
Sophos notes it is not aware of any convictions "arising from ransomware groups referring breach information to regulators or law enforcement, that doesn’t mean it won’t happen in the future – and the possibility is likely to be of concern to C-suites."
The psychology behind ransomware gangs singling out specific individuals serves three purposes, researchers note.
"First, it provides a ‘lightning rod’ for any subsequent blame, pressure, and/or litigation. Second, it contributes to the threat of reputational damage. And third, personal attacks can menace and intimidate the leadership of the targeted organization," Sophos wrote.
With each year ransomware becoming increasingly heinous, Sophos asks, which is worse; the ransomware attack itself, or the victimization of people tied to the company being extorted?
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
