Summary: Ransomware gangs are increasingly using media manipulation and public pressure tactics to extort victims, shifting blame onto business leaders and threatening reputational damage. This trend highlights the evolving nature of cybercrime, where attackers not only steal data but also weaponize it to maximize extortion opportunities.
Threat Actor: Ransomware gangs
Victim: Various organizations
Key Points:
- Ransomware groups are targeting business leaders directly, using personal information and public shaming to pressure companies into paying ransoms.
- Attackers are analyzing stolen data for leverage, threatening to expose sensitive information related to employees and clients if demands are not met.
- Criminals are engaging with the media to shape public perception and enhance their notoriety, complicating the narrative around cyberattacks.
- Future trends may see ransomware groups using press releases to rebrand their activities, indicating a strategic shift in their operations.
Attackers Are Turning Up the Heat on Targets Who Won’t Pay
September 2, 2024
In the wake of the MGM casino breach in December 2023, Sophos X-Ops began analyzing ransomware gangs’ propensity to turn the media into a tool they can use not only to increase pressure on their victims but also to take control of the narrative and shift the blame.
Ransomware gangs are becoming increasingly invasive and bold about how and what they weaponize. Compounding pressure for companies, they’re not just stealing data and threatening to leak it – they’re actively analyzing it for ways to maximize damage and create new opportunities for extortion. This means that organizations have to not only worry about corporate espionage and loss of trade secrets or illegal activity by employees, but also about these issues in conjunction with cyberattacks.
Gangs have singled out business leaders they deem “responsible” for the ransomware attack at the companies they target. In one post we found, the attackers published a photo of a business owner with devil horns, along with their Social Security number. In another post, the attackers encouraged employees to seek “compensation” from their company, and in other cases, the attackers threatened to notify customers, partners and competitors about data breaches. These efforts create a lightning rod for blame, increasing the pressure on businesses to pay up and potentially exacerbating the reputational damage from an attack.
Sophos also found multiple posts by ransomware attackers detailing their plans to search for information within stolen data that could be used as leverage if companies don’t pay. In one post, the WereWolves ransomware actor says that any stolen data is subject to “a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors.” The ransomware group Monti claimed that it found an employee at a targeted company searching for child sexual abuse material and threatened to give the information to the authorities if the company didn’t pay the ransom.
These posts align with a broader trend of criminals seeking to extort companies that have sensitive data relating to employees, clients or patients, including mental health records, the medical records of children, “information about patients’ sexual problems” and “images of nude patients.” In one case, the Qiulong ransomware group posted the personal data of a CEO’s daughter, as well as a link to her Instagram profile.
Ransomware attackers are no longer simply hacking networks and systems – they’re attempting to “hack” the public narrative. We saw this with the MGM hack and in the MOVEit attacks by Cl0P, when the group attempted to “set the record straight” about purported inaccuracies in the media’s coverage of the attacks. For these threat groups, there are several benefits to engaging with the press. It’s an ego boost for them, it improves their notoriety and it makes them a more desirable “employer” for criminals. It has also proven to be an effective method for pressuring victims.
We’re likely to see ransomware groups more directly engaging with the press in the future. In our research, we saw groups such as Cl0P and Royal use press releases to “rebrand” their activities into “security services.” We’re not sure why; it could be a recruitment tactic or an attempt to improve their public image. Regardless, it demonstrates these threat groups’ concerted efforts to shape public perception. It’s important that defenders do not give in to the attackers’ desire for attention. We need to focus on the tactics, techniques and procedures of the attacks to provide better defense, rather than on learning who was behind the attack.
Read the full report, “Turning the Screws: The Pressure Tactics of Ransomware Gangs” on Sophos.com.
Source: https://www.bankinfosecurity.com/blogs/how-ransomware-groups-weaponize-stolen-data-p-3702