How Ransomware Groups Weaponize Stolen Data
Attackers Are Turning Up the Heat on Targets Who Won't Pay

In the wake of the MGM casino breach in December 2023, Sophos X-Ops began analyzing ransomware gangs' propensity to turn the media into a tool they can use not only to increase pressure on their victims but to take control of the narrative and shift the blame.
Ransomware gangs are becoming increasingly invasive and bold about how and what they weaponize. Compounding the pressure on companies, they're not just stealing data and threatening to leak it - they're actively analyzing it for ways to maximize damage and create new opportunities for extortion. This means that organizations have to worry not only about corporate espionage, loss of trade secrets or illegal activity by employees in their own right, but also about those same issues being surfaced and exploited as part of a cyberattack.
Gangs have singled out business leaders they deem "responsible" for the ransomware attack at the companies they target. In one post we found, the attackers published a photo of a business owner with devil horns, along with their Social Security number. In another post, the attackers encouraged employees to seek "compensation" from their company, and in other cases, the attackers threatened to notify customers, partners and competitors about data breaches. These efforts create a lightning rod for blame, increasing the pressure on businesses to pay up and potentially exacerbating the reputational damage from an attack.
Sophos also found multiple posts by ransomware attackers detailing their plans to search for information within stolen data that could be used as leverage if companies don't pay. In one post, the WereWolves ransomware actor says that any stolen data is subject to "a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors." The ransomware group Monti claimed that it found an employee at a targeted company searching for child sexual abuse material and threatened to give the information to the authorities if the company didn't pay the ransom.
These posts align with a broader trend of criminals seeking to extort companies that have sensitive data relating to employees, clients or patients, including mental health records, the medical records of children, "information about patients' sexual problems" and "images of nude patients." In one case, the Qiulong ransomware group posted the personal data of a CEO's daughter, as well as a link to her Instagram profile.
Ransomware attackers are no longer simply hacking networks and systems - they're attempting to "hack" the public narrative. We saw this with the
We're likely to see ransomware groups more directly engaging with the press in the future. In our research, we saw groups such as Cl0P and Royal use press releases to "rebrand" their activities into "security services." We're not sure why; it could be a recruitment tactic or an attempt to improve their public image. Regardless, it demonstrates these threat groups' concerted efforts to shape public perception. It's important that defenders do not give in to the attackers' desire for attention. We need to focus on the tactics, techniques and procedures of the attacks, to provide better defense rather than learn who was behind the attack.
Read the full report, "Turning the Screws: The Pressure Tactics of Ransomware Gangs" on Sophos.com.