
The Disturbing Tactics of Ransomware Actors: From Doxing to Swatting

Ransomware actors are becoming increasingly aggressive and innovative in their tactics, according to research from Sophos X-Ops. These threat actors are not only targeting organizations with ransomware attacks but also engaging in malicious activities that extend beyond technical measures. They are now using human pressure points to manipulate and exploit their targets.

One particularly chilling example identified by Christopher Budd, director of threat intelligence at the Threat Response Joint Task Force, involved a ransomware group doxing a CEO’s daughter. The attackers posted screenshots of her identity documents and even shared a link to her Instagram profile. Budd likened this tactic to the actions of an old-school mafia, emphasizing the extent to which threat actors are willing to go after people’s families.

In addition to doxing, ransomware actors are also leaking extremely sensitive data, including medical records, blood test data, and even nude images. They no longer stop at encrypting data or carrying out denial-of-service attacks: they also steal the data and analyze it for evidence of illegal activity, regulatory noncompliance, or financial misconduct. This shift in tactics demonstrates that attackers are actively seeking out evidence of wrongdoing to use as leverage for extortion.

Sophos X-Ops discovered that one threat actor group, the WereWolves, even seeks out recruits who can find examples of wrongdoing within stolen data. These recruits are instructed to look for violations, inappropriate spending, discrepancies, and cooperation with companies on sanction lists. The group advises its recruits to read through emails and look for keywords like “confidential” to identify potential leverage points.

Furthermore, ransomware actors are not only targeting organizations with attacks but also turning the tables on them. They report target organizations to the police or regulatory bodies when they refuse to pay the ransom. This tactic was exemplified by a gang that lodged a complaint with the Securities and Exchange Commission against a publicly traded company. The gang claimed that the company had experienced a security incident with material impact and failed to disclose it within the required timeframe.

To further pressure their victims, ransomware actors portray themselves as sympathizers and encourage victims to participate in litigation. They openly criticize their targets as unethical, irresponsible, negligent, or uncaring, while positioning themselves as honest pentesters or cybersecurity auditors. They also name specific individuals and executives they deem responsible for data leakage, causing reputational damage and intimidation.

Interestingly, ransomware gangs are no longer hiding in the shadows but are seeking media attention. They actively engage with the media, offering press releases, interviews, and even FAQ pages. This shift in behavior demonstrates their desire for notoriety and further emphasizes the need for organizations to be vigilant.

Ultimately, the motivation behind these extreme tactics is simple: ransomware actors want to ensure they get paid. They are aggressively innovative and are willing to go to great lengths to pressure their victims into paying significant sums of money. Therefore, enterprises must remain ever-vigilant and follow the standard guidance around ransomware protection. This includes keeping systems up to date, running strong security software, backing up data, and having a disaster recovery plan in place.

Budd warns that enterprises should also be aware of the cybersecurity element in existing risks, such as corporate espionage, and the ongoing risk of bad employee behavior. To protect against ransomware attacks, organizations must prioritize cybersecurity measures and ensure they are doing everything possible to mitigate risks.
