Publishing confidential information about members of the family of executives. Making prank calls to law enforcement that result in violence or even death. Reporting organizations that do not pay. Searching through stolen data to seek out evidence of corporate or worker wrongdoing. Presenting themselves as guardians of the law with the public good in mind.
Ransomware attackers are escalating their tactics to new, often alarming heights, according to new research from Sophos X-Ops.
Christopher Budd, director of threat intelligence at the Threat Response Joint Task Force, called some of their activities “horrific.”
“One thing is clear: Attackers are not just looking at the technical levers they can pull, but the human levers they can pull,” Budd told EnterpriseBeat. “Organizations need to think about how attackers are trying to manipulate those human levers.”
Threats, searching for irregularities, alerting the authorities
The most “scary” example provided by Budd involved a ransomware group that exposed the data of a CEO’s daughter by posting screenshots of her ID documents in addition to a link to her Instagram profile.
“It smacks of the old mafia attacking people’s families,” Budd said.
Ultimately, threat actors are “increasingly willing” to disclose other highly sensitive data, such as medical records (including those of children), blood test data, and even nude photos.
Also alarmingly, they are using phone calls and swatting — fake calls that claim there has been violence or a shooting at a specific address. This has led to at least one death and serious injury.
In another shift, attackers aren’t just blocking data or launching denial-of-service attacks; they’re “stealing data and now examining it to see what they can find,” Budd said. For example, many say they’re evaluating stolen data for evidence of criminality, regulatory noncompliance, and financial abuse or discrepancies.
One group, WereWolves, claimed on its leak site that it was subjecting stolen data to “legal review, commercial review, and competitor confidentiality review.” To further this effort, Sophos X-Ops discovered, at least one threat actor was looking for recruits who could find examples of wrongdoing to use as leverage for extortion. One posting on a criminal forum sought someone to look for “violations,” “improper spending,” “discrepancies,” and “partnerships with companies on sanctions lists.”
The gang also offered this recommendation: “Read their emails and look for keywords like ‘confidential.’”
In one “particularly disturbing” case, a group identifying itself as Monti alleged that a worker at the threatened organization had sought out child sexual abuse material during work hours. They threatened: “If they don’t pay up, we will be forced to hand over the abuse information to the authorities and release the rest of the information to the public.”
Interestingly, attackers turn the tables by reporting victims to police or regulators when they don’t pay, as was the case in November 2023, when one gang posted a screenshot of a complaint filed with the Securities and Exchange Commission (SEC) against a publicly traded payday loan company, Meridian Link. Under the new rule, all public firms must file disclosures with the SEC within 4 days of learning about a security incident that would have a “material” impact.
“It may seem somewhat ironic that security actors would exploit legislation to advance their own illicit goals,” the X-Ops researchers write, “and the extent to which this tactic has proven effective is unclear.”
Presenting themselves as sympathizers
To appear grassroots or altruistic—and to exert additional pressure—some cybercriminals also encourage victims whose personal data has been exposed to “participate in legal proceedings.” They also openly criticize their targets, calling them “unethical,” “irresponsible,” “indifferent,” or “neglectful,” and even attempt to “flip the script” by calling themselves “honest… pentesters” or a “penetration testing service” that conducts cybersecurity research or audits.
Taking it a step further, attackers will name specific individuals and executives they consider “responsible for the data breach.” Researchers at Sophos X-Ops indicate that this could serve as a “lightning rod” for blame; cause reputational damage; and “threaten and intimidate” executives.
Researchers often indicate that this criticism persists even after negotiations break down and victims refuse to pay.
Finally, ransomware gangs don’t hide from the world in dark basements or abandoned warehouses (as the stereotype goes) – they increasingly court media attention by encouraging outreach, touting breaking news, and even providing FAQ pages and press releases.
Previously, “the idea of attackers regularly issuing press releases and statements — let alone giving in-depth interviews and arguing with reporters — was absurd,” Sophos X-Ops researchers wrote in a report at the end of last year.
Businesses: Be extra vigilant
But why do those posing a threat take such drastic steps?
“Honestly, just to make sure they’re working, to get paid,” Budd said. “Ultimately, that’s what it comes down to. Cybercriminals are business people, and they want their money.”
As he noted, they are “aggressively innovative” and pursuing these paths to increase the pressure to earn significant payouts.
For businesses, that means staying vigilant, Budd said. “Basically, standard ransomware guidelines apply,” he said. That means keeping systems up to date and patched, running strong security software, ensuring systems are backed up and having a disaster recovery/business continuity plan.
He noted that “they will see that some of the risks that they are already concerned about and managing now have a ransomware cybersecurity component.” That includes corporate espionage, which has always been a risk.
Budd also warned of the ongoing risk of worker misconduct, which — like the case of the worker searching for child sexual abuse material — now has a cybersecurity dimension.
In short, he emphasized that companies “can and should do everything we’ve said they should do to protect themselves from ransomware.”