Industry Insights with Christopher Budd


How Ransomware Groups Weaponize Stolen Data

Attackers Are Turning Up the Heat on Targets Who Won't Pay

Since December 2023, in the wake of the MGM casino breach, Sophos X-Ops has been analyzing ransomware gangs' propensity to turn the media into a tool they can use not only to increase pressure on their victims but to take control of the narrative and shift the blame.


Ransomware gangs are becoming increasingly invasive and bold about how and what they weaponize. Compounding the pressure on companies, they're not just stealing data and threatening to leak it - they're actively analyzing it for ways to maximize damage and create new opportunities for extortion. This means organizations must worry not only about corporate espionage, loss of trade secrets and illegal activity by employees, but also about those same issues being surfaced and exploited in the course of a cyberattack.

Gangs have singled out business leaders they deem "responsible" for the ransomware attack at the companies they target. In one post we found, the attackers published a photo of a business owner with devil horns, along with their Social Security number. In another post, the attackers encouraged employees to seek "compensation" from their company, and in other cases, the attackers threatened to notify customers, partners and competitors about data breaches. These efforts create a lightning rod for blame, increasing the pressure on businesses to pay up and potentially exacerbating the reputational damage from an attack.

Sophos also found multiple posts by ransomware attackers detailing their plans to search for information within stolen data that could be used as leverage if companies don't pay. In one post, the WereWolves ransomware actor says that any stolen data is subject to "a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors." The ransomware group Monti claimed that it found an employee at a targeted company searching for child sexual abuse material and threatened to give the information to the authorities if the company didn't pay the ransom.

These posts align with a broader trend of criminals seeking to extort companies that have sensitive data relating to employees, clients or patients, including mental health records, the medical records of children, "information about patients' sexual problems" and "images of nude patients." In one case, the Qiulong ransomware group posted the personal data of a CEO's daughter, as well as a link to her Instagram profile.

Ransomware attackers are no longer simply hacking networks and systems - they're attempting to "hack" the public narrative. We saw this with the MGM hack and in the MOVEit attacks by Cl0P, when the group attempted to "set the record straight" about purported inaccuracies in the media's coverage of the attacks. For these threat groups, there are several benefits to engaging with the press: it's an ego boost, it improves their notoriety, and it makes them a more desirable "employer" for other criminals. It has also proven to be an effective method for pressuring victims.

We're likely to see ransomware groups engage more directly with the press in the future. In our research, we saw groups such as Cl0P and Royal use press releases to "rebrand" their activities as "security services." We're not sure why; it could be a recruitment tactic or an attempt to improve their public image. Regardless, it demonstrates these threat groups' concerted efforts to shape public perception. It's important that defenders do not give in to the attackers' desire for attention. We need to focus on the tactics, techniques and procedures of the attacks, so we can build better defenses, rather than on who was behind the attack.

Read the full report, "Turning the Screws: The Pressure Tactics of Ransomware Gangs" on Sophos.com.



About the Author

Christopher Budd


Director, Sophos X-Ops

Budd is the director of threat research for Sophos X-Ops, Sophos' advanced threat response joint task force, founded two years ago. Leading the X-Ops comms and analysis group, he works to bring together insights from the company's six security domains to produce industry-leading threat intelligence.

