Ransomware gangs escalate tactics, go to ‘chilling’ lengths

Posting sensitive information about family members of executives. Swatting that results in violence and even death. Reporting organizations that don’t pay to the authorities. Combing stolen data for evidence of corporate or employee misconduct. Posing as vigilantes with the public interest in mind.

Ransomware attacks are taking their tactics to new, often disturbing heights, according to new research from Sophos X-Ops.

Christopher Budd, director of threat intelligence at the Threat Response Joint Task Force, even called some of their actions “chilling.”

“One thing is clear: Attackers aren’t just looking for technical levers to pull, they’re also looking for human levers to pull,” Budd told VentureBeat. “Organizations need to think about how attackers are trying to manipulate those human levers.”

Threats, detecting abuses, alerting authorities

The most “chilling” example Budd cited involved a ransomware group that doxed a CEO’s daughter, posting screenshots of her identification documents as well as a link to her Instagram profile.

“That smells like old-fashioned mafia, going after people’s families,” Budd said.

More broadly, threat actors are becoming “increasingly comfortable” leaking other highly sensitive data, such as medical records (including those of children), blood test data, and even nude photos.

Also alarming is their use of phone calls and swatting — that is, making fake calls claiming there is violence or an active shooter at a particular address. This has resulted in at least one death and serious injury.

In another shift, attackers are no longer just encrypting data or launching a denial-of-service attack. “They’re stealing the data and now they’re examining it to see what they can find,” Budd said. For example, many claim to be reviewing stolen data for evidence of illegal activity, regulatory noncompliance, and financial wrongdoing or discrepancies.

One group, the WereWolves, claimed on their leak site that they subject stolen data to “a criminal legal review, a commercial review, and a review in terms of insider information for competitors.” To further those efforts, Sophos X-Ops found that at least one threat actor is seeking recruits who can find examples of misconduct to use as leverage for extortion. One ad on a criminal forum sought someone to search for “violations,” “inappropriate spending,” “discrepancies,” and “collaboration with companies on sanctions lists.”

The gang also gave this advice: “Read through their emails and look for keywords like ‘confidential.’”

In one “particularly disturbing” case, a group calling itself Monti alleged that an employee at a compromised organization had sought child sexual abuse material while he was at work. They threatened: “If they don’t pay up, we will be forced to hand over the abuse information to the authorities and make the rest of the information public.”

Interestingly, attackers are also turning the tables on target organizations by reporting them to law enforcement or regulators if they don’t pay up. This was the case in November 2023 when a gang posted a screenshot of a complaint they had filed with the Securities and Exchange Commission (SEC) against publicly traded digital lending company MeridianLink. Under a new rule, all publicly traded companies must file disclosures with the SEC within four days of learning of a security incident that could have a “material” impact.

“It may seem somewhat ironic that threat actors would use law as a weapon to achieve their own illicit goals,” X-Ops researchers write, “and it is unclear to what extent this tactic has been successful.”

Pretending to be sympathizers

To make themselves appear grassroots or altruistic – and to apply even more pressure – some cybercriminals also encourage victims whose personally identifiable information (PII) has been leaked to “join a lawsuit.” They also openly criticize their targets as “unethical,” “irresponsible,” “uncaring,” or “negligent,” and even attempt to flip the script by describing themselves as “honest… pentesters” or a “penetration testing service” that conducts cybersecurity studies or audits.

Taking this a step further, attackers will name specific individuals and executives who they believe are “responsible for the data breach.” Researchers at Sophos X-Ops point out that this can serve as a “lightning rod” for blame, cause reputational damage, and “threaten and intimidate” leadership.

Researchers point out that this criticism typically appears after negotiations fail and victims do not hand over the money.

Finally, ransomware gangs no longer hide in dark basements or abandoned warehouses (as the cliché goes), but increasingly seek media attention, encouraging contact from reporters, citing recent news coverage, and even offering FAQ pages and press releases.

“Previously, the idea that attackers would regularly issue press releases and statements — let alone give detailed interviews and discussions with reporters — was absurd,” Sophos X-Ops researchers wrote in a report late last year.

Companies: be very vigilant

But why do threat actors take such drastic measures?

“Honestly, just to see if they work so they can get paid,” Budd said. “That’s what it comes down to at the end of the day. Cybercriminals are business people and they want their money.”

They are “aggressively innovative” and are going down these paths to increase pressure for significant payouts, he noted.

For businesses, that means staying alert at all times, Budd said. “Basically, the standard policy for ransomware applies,” he said. That means keeping systems up to date and patched, using strong security software, backing up systems and having a disaster recovery/business continuity plan.

He noted that “they’re going to see some of the risks that they’re already concerned about and managing now have a ransomware cybersecurity element to them.” This includes corporate espionage, which has always been a risk.

Budd also warned of the ongoing risk of employee misconduct, which, as in the case of the employee who sought out child sexual abuse material, now has a cybersecurity element attached to it.

Simply put, he stressed that enterprises “can and should do everything we tell them to do to protect themselves from ransomware.”

The post Sophos X-Ops: Ransomware gangs escalate tactics, go to ‘chilling’ lengths appeared first on Venture Beat.
