Ransomware groups use stolen data as a weapon to pressure targets who refuse to pay: Sophos

Cybersecurity firm Sophos has published a new dark web report that reveals how cybercriminals are using stolen data as a weapon to increase pressure on targets who refuse to pay up. This includes sharing contact details or publishing information about family members of targeted CEOs and company owners, as well as threatening to report potential illegal business activities discovered in stolen data to authorities.

In the report, Sophos shared posts found on the dark web that showed ransomware gangs describing their targets as “irresponsible and negligent,” and in some cases encouraging individual victims whose personal data was stolen to file lawsuits against their employers.

Criminals claim to be examining stolen data for evidence of illegal activity, regulatory violations, and financial discrepancies. This information can be used to exert additional leverage and damage reputations.

Some actors also threaten to notify customers, partners and competitors, with the aim of generating and intensifying pressure from multiple angles and sources: media attention, customers, clients, other companies and possibly also regulatory authorities.

“Sophos has begun to see a tendency for ransomware gangs to use the media as a tool to not only increase pressure on their victims, but also to control the narrative and shift blame. We’re also seeing gangs single out the business leaders they deem ‘responsible’ for the ransomware attack on the companies they target,” said Christopher Budd, director, threat research, Sophos.

“In another message, the attackers encouraged employees to demand ‘compensation’ from their company, and in other cases the attackers threatened to notify customers, partners and competitors of data breaches,” Budd said.

Sophos also found multiple messages from ransomware attackers outlining their plans to search for information in stolen data that can be used as leverage if companies don’t pay up. In one message, a ransomware actor noted that any stolen data is subject to “a criminal legal review, a commercial review, and a review in terms of insider information for competitors.”

In another example, a ransomware group claimed to have found an employee of a company who was looking for child sexual abuse material. The group threatened to go to the police if the company did not pay the ransom.

The posts fit a broader trend of criminals attempting to extort companies over increasingly sensitive data about employees, clients or patients, including mental health records, children’s medical records and even blood test data. In one case, a ransomware group posted the personal information of a CEO’s daughter, as well as a link to her Instagram profile, Sophos said.

While many ransomware gangs are still using older pressure tactics, there appears to be an escalation, the report found. However, it is unclear whether this is due to an increasing number of victims choosing not to pay the ransom, competition from other threat actors, or ransomware groups becoming increasingly brazen.

“Ransomware gangs are becoming increasingly pervasive and brazen in how and what they weaponize. Businesses are under pressure to not only steal and threaten to leak data, but to actively analyze it to maximize damage and create new extortion opportunities,” Budd said.
