Posting sensitive data about executives’ families. Making prank calls to law enforcement agencies that result in violence and even death. Snitching on organizations that don’t pay. Searching for stolen data to find evidence of wrongdoing by companies or employees. Portraying themselves as vigilantes with the public interest in mind.
Ransomware attackers are expanding their tactics to new, and sometimes disturbing, levels, according to new research from Sophos X-Ops.
Christopher Budd, director of threat intelligence for the Joint Threat Response Task Force, called some of their actions “creepy.”
“One thing that’s clear is that we’re seeing not just technological levers that attackers can pull, but also human levers that they can pull,” Budd told VentureBeat. “Organizations need to think about how attackers are trying to manipulate those human levers.”
Hunting for wrongdoing in stolen data, and reporting victims to the authorities
One of the “scary” cases Budd points to involved a ransomware group that stole the identity of a CEO’s daughter and posted screenshots of her ID along with a link to her Instagram profile.
“It’s like the old-school mafia going after people’s families,” Budd said.
Ultimately, threat actors are “growing more comfortable” with exfiltrating other highly sensitive data, such as medical records (including those of children), blood test data, and even nude images.
Surprisingly, they are also resorting to threatening phone calls and swatting: placing hoax calls that report violence or an active shooting at a specific address. Swatting has already resulted in at least one death and in serious injuries.
In another shift, attackers are no longer simply locking up data or performing denial-of-service attacks, Budd said. “They’re stealing data and now they’re looking at it to see what they can find.” For example, many claim to be combing through stolen data for evidence of illegal activity, regulatory noncompliance, and financial misconduct or discrepancies.
One group, WereWolves, claimed to conduct “criminal forensic assessments, commercial assessments, and internal intelligence assessments of competitors” on data stolen from leak sites. To further bolster these efforts, Sophos X-Ops found that at least one threat actor was looking for recruits who could find instances of wrongdoing that could be leveraged for extortion. One ad on a criminal forum sought people to find “violations,” “improper spending,” “inconsistencies,” and “working with companies on sanctions lists.”
The gang also offered this advice: “Read the email and look for keywords like ‘confidential.’”
In one “particularly disturbing” case, a group identified as Monty claimed that employees of the compromised organization were searching for child sexual abuse material during working hours. They threatened that “if they did not pay, we would hand over the abuse information to the authorities and the rest of the information would be made public.”
Interestingly, attackers also turn on their target organizations by reporting them to the police or regulators when they don’t pay up. This was the case in November 2023, when one gang posted a screenshot of a complaint it had filed with the Securities and Exchange Commission (SEC) against MeridianLink, a publicly traded digital lending company. Under the new SEC rules, publicly traded companies must disclose a security breach that could have a “material” impact within four days of learning of it.
“It may seem somewhat ironic that threat actors are weaponizing legislation to achieve their illicit objectives,” the X-Ops researchers wrote, adding that “it is unclear how successful this tactic has been.”
Casting themselves as sympathizers
Some cybercriminals will even encourage victims whose personally identifiable information (PII) has been leaked to “join the lawsuit,” both to make themselves look principled or altruistic and to exert more pressure. They also publicly criticize their targets as “unethical,” “irresponsible,” “indifferent,” or “negligent,” and even try to “flip the script” by calling themselves “honest… penetration testers” or a “penetration testing service” that conducts cybersecurity research or audits.
Taking this a step further, attackers name specific individuals and executives they claim are “responsible for the data breach.” Sophos X-Ops researchers note that this can act as a “lightning rod” of blame, damaging reputations and “intimidating and threatening” leadership.
The researchers point out that these criticisms continue even after negotiations break down and victims refuse to pay.
Finally, ransomware gangs no longer hide from the world in dark basements or abandoned warehouses (cliché as that image may be). They increasingly seek media attention, running their own public relations, weighing in on recent news stories, and even publishing FAQ pages and press releases.
“The idea that attackers would regularly issue press releases and statements, or even engage in detailed interviews or debates with reporters, is preposterous,” Sophos X-Ops researchers wrote in a report published late last year.
For businesses: stay vigilant
But why do threat actors go to such lengths?
“Honestly, it’s to see if they’re working so they can get paid,” Budd said. “Ultimately, that’s what matters. Cybercriminals are businessmen and they want money.”
He noted that they are “aggressively innovative” and are taking this route to increase pressure for significant payments.
For businesses, Budd said, that means staying vigilant. “The standard guidelines for ransomware basically apply,” he said. That means keeping systems up to date and patched, running strong security software, backing up systems, and having a disaster recovery/business continuity plan in place.
“They will find that some of the risks they are already concerned about and managing have a ransomware cybersecurity element to them,” he said. That includes corporate espionage, which has always been a risk.
Budd also warned of the ongoing risk from bad employee behavior, which now carries a cybersecurity element as well, as in the case of employees seeking out child sexual abuse material.
In short, he stressed that companies “can and should do everything we said to protect against ransomware.”