Posting sensitive data about executives’ families. Making prank calls to the police, leading to violence and death. Reporting on organizations that don’t pay. Searching stolen data for evidence of corporate or employee wrongdoing. Casting themselves as vigilantes with the public interest in mind.
Ransomware attackers are escalating their tactics to new and often disturbing levels, according to new research from Sophos.
Christopher Budd, director of threat research at Sophos X-Ops, even called some of their actions “horrifying.”
“One thing is clear: attackers are not only looking for technical means, but also human means,” Budd told VentureBeat. “Organizations need to think about how attackers are going to leverage those human means.”
Threatening families, hunting for evidence of wrongdoing, or reporting victims to the authorities
In the most “scary” case Budd cited, a ransomware gang stole the personal information of a CEO’s daughter and posted screenshots of her ID and a link to her Instagram profile.
“It’s like old-fashioned mafia stuff, going after people’s families,” Budd said.
After all, threat actors are “becoming increasingly accustomed” to leaking other highly sensitive data, such as medical records (including those of children), blood test data, and even nude images.
Shockingly, they have also turned to threatening phone calls and swatting, that is, making hoax calls reporting violence or a shooting at a particular address so that armed police are dispatched there. Swatting has already caused at least one death and serious injury.
Another change is that attackers are no longer simply encrypting data or launching denial-of-service attacks. “They’re stealing data and then looking through it to see what they can find,” Budd said. For example, many attackers claim to be evaluating stolen data for evidence of illegal activity, regulatory violations, or financial irregularities and discrepancies.
One group, WereWolves, claimed on its leak site that stolen data is subjected to “criminal, commercial and competitive insider assessments.” In the same vein, Sophos X-Ops found at least one threat actor recruiting helpers to dig up evidence of wrongdoing for use as blackmail material: an advertisement on a crime forum sought people to look for “violations,” “improper expenditure,” “discrepancies,” and “cooperation with companies on sanctions lists.”
The advertisement also offered this advice: “Read the email and look for keywords like ‘confidential’.”
In one “particularly disturbing” case, a group calling itself Monti claimed that, while trawling through stolen data, it had found an employee of the compromised organization searching for child sexual abuse material during working hours. The group threatened that “if they did not pay, we would be forced to hand over information about the abuse to the authorities and the remaining information would be made public.”
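The forum advertisement above is, in effect, a search specification: recruits are told which words to grep stolen mailboxes and file shares for. A defender can run the same search over their own data before an intruder does, to learn which documents would be screenshotted first. The script below is an added example written for this article, not code from Sophos X-Ops or from any threat actor; the category names, the extra synonyms beyond the quoted terms (such as "OFAC" or "kickback"), and the sample documents are all assumptions constructed for illustration.

```python
"""Exposure triage: search a document corpus for the extortion-lever keywords
the forum advertisement asks recruits to hunt for.

Added example, not Sophos X-Ops code. Quoted terms ("confidential",
"violations", "improper expenditure", "discrepancies", "sanctions") come from
the article; the other alternatives are assumed synonyms an attacker might
also try. The sample corpus is constructed, not real data.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass, field

# Category -> regex alternatives, matched case-insensitively on whole words.
LEVER_PATTERNS = {
    "confidential": r"\bconfidential(?:ity)?\b|\bnot for distribution\b",
    "violations": r"\bviolat(?:ion|ions|ed|e)\b|\bnon-?compliance\b",
    "improper_expenditure": r"\bimproper (?:expenditure|expense|payment)s?\b|\bkickbacks?\b",
    "discrepancies": r"\bdiscrepanc(?:y|ies)\b|\bunreconciled\b|\bwrite-?offs?\b",
    "sanctions": r"\bsanction(?:s|ed)?\b|\bOFAC\b|\bSDN list\b",
}
COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in LEVER_PATTERNS.items()}


@dataclass
class Hit:
    doc: str
    category: str
    line_no: int
    snippet: str


@dataclass
class Report:
    hits: list = field(default_factory=list)

    def by_document(self):
        """Documents ranked by number of distinct categories hit, then by total
        hits: the files an extortionist would reach for first."""
        cats, totals = {}, Counter()
        for h in self.hits:
            cats.setdefault(h.doc, set()).add(h.category)
            totals[h.doc] += 1
        return sorted(cats, key=lambda d: (-len(cats[d]), -totals[d], d))

    def category_counts(self):
        return Counter(h.category for h in self.hits)


def scan_text(name, text, report, context=60):
    """Record at most one hit per category per line, with surrounding context."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, rx in COMPILED.items():
            m = rx.search(line)
            if m:
                start, end = max(0, m.start() - context), min(len(line), m.end() + context)
                report.hits.append(Hit(name, category, line_no, line[start:end].strip()))


def scan_texts(docs, context=60):
    """docs: {document name: text}. Returns a Report."""
    report = Report()
    for name, text in docs.items():
        scan_text(name, text, report, context)
    return report


def scan_directory(root, extensions=(".txt", ".eml", ".csv", ".md"), max_bytes=5_000_000):
    """Walk a directory (e.g. an export of a file share) and scan text-like files."""
    docs = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    docs[os.path.relpath(path, root)] = fh.read()
            except OSError:
                continue
    return scan_texts(docs)


# Constructed sample corpus (hypothetical file names and contents).
SAMPLE_DOCS = {
    "finance/q3-close.txt": (
        "Subject: Q3 close\n"
        "Several discrepancies between the ledger and bank statements remain unreconciled.\n"
        "Lunch at noon?\n"
    ),
    "legal/vendor-review.txt": (
        "CONFIDENTIAL - internal use only\n"
        "Counterparty appears on the OFAC SDN list; continuing would be a sanctions violation.\n"
    ),
    "hr/picnic.txt": "Bring a dish to share on Friday.\n",
}

if __name__ == "__main__":
    rep = scan_texts(SAMPLE_DOCS)
    for doc in rep.by_document():
        print(doc)
    for h in rep.hits:
        print(f"  [{h.category}] {h.doc}:{h.line_no}: {h.snippet}")
```

Run against the constructed corpus, the legal memo ranks first because it trips three categories on two lines, the finance note second, and the picnic notice is absent from the ranking. Pointing `scan_directory` at a file-share export gives the same ranking over real data; the point is not the regexes, which any attacker will vary, but knowing before a breach which documents carry the levers the advertisement describes.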
Attackers can also turn the tables by reporting the victim to police or regulators if it does not pay, as happened in November 2023, when a group posted screenshots of a complaint it had filed with the Securities and Exchange Commission (SEC) against MeridianLink, a publicly traded digital lending company. The SEC’s new cybersecurity disclosure rules require public companies to disclose a security incident within four business days of determining that it is “material.”
“It may seem ironic that threat actors would weaponize the law to further their own illicit objectives,” the X-Ops researchers wrote, “and it is unclear how successful this tactic has been.”
Portraying themselves as sympathetic
To pile on pressure while casting themselves as grassroots activists and altruists, some cybercriminals encourage individuals whose personally identifiable information (PII) has been leaked to “join the lawsuit,” openly criticize their targets as “unethical,” “irresponsible,” “uncaring,” and “negligent,” and even try to “flip the script” by presenting themselves as “honest… pentesters,” that is, as “penetration testing services” conducting cybersecurity research and audits.
Taking this a step further, attackers name specific individuals or executives they claim are “responsible for the data breach.” Sophos X-Ops researchers note that this turns those people into a “lightning rod” for blame, damaging reputations and intimidating management.
The researchers note that these criticisms often continue even after negotiations have broken down and there is no longer any payment to fight over.
Finally, ransomware gangs are no longer hiding from the public in dark basements or abandoned warehouses (as popular imagination has it): they increasingly seek media attention, promote their activities, advertise recent press coverage, and even publish FAQ pages and press releases.
Previously, “it would be ridiculous for an attacker to regularly issue press releases or statements, let alone give in-depth interviews or discussions with reporters,” Sophos X-Ops researchers wrote in the report, published late last year.
Businesses: Be vigilant
But why are threat actors taking such extreme measures?
“Frankly, I just want to see if they’re in it for the money,” Budd said. “That’s what it comes down to. Cybercriminals are businessmen, and they want money.”
He noted that they are “aggressively innovative” and are taking these paths to increase pressure for larger payments.
For businesses, this means constant vigilance, Budd said. “Basically, the standard guidance on ransomware applies,” he said. That means keeping your systems up to date and patched, running strong security software, making sure your systems are backed up, and having disaster recovery/business continuity plans in place.
“You’re going to find that some of the risks that you’re already concerned about and managing now have a cybersecurity element of ransomware in them,” he said, including corporate espionage, which has always been a risk.
Budd also warned of the ongoing risk posed by inappropriate employee behavior, such as employees searching for child sexual abuse material, which now carries a cybersecurity component as well, since stolen data can expose it.
Put simply, he stressed that companies “can and should do everything we’ve said you should do to protect yourself from ransomware.”