Alongside encrypting files and threatening to publish stolen data, some cyber extortionists are now searching data for opportunities to apply more pressure to victims. Cyber criminals may look for evidence of wrongdoing that they can turn over to authorities, or for business secrets to share with competitors, for example. This is according to a report published this week by Sophos X-Ops, the threat intelligence unit of the global cybersecurity company Sophos.
“Cyber criminals are now better understanding that when they steal data, they’re not just taking a ball away from someone. What they’re taking has additional value within it that they can further exploit,” said X-Ops Director Christopher Budd. “Up until now, up until this research, the ransomware threat actors have just treated the data that they’ve stolen like this thing, and not paid any attention to what’s in the thing.”
In one instance, a ransomware group claimed data it stole from a victim organization revealed an employee’s web search history for child sexual abuse material. The ransomware group threatened to turn this evidence over to authorities, unless paid off. Another ransomware group told a victim it would examine stolen data for insider information that could interest business competitors.
With tactics like these, extortionists aim to increase the fear and time pressure that victims feel, so they’re more likely to make bad, snap decisions, Budd said.
Sophos X-Ops researchers were not able to see how successful such methods were at getting victims to pay. But what the findings do show is that ransomware attackers are testing new tactics.
Some cyber extortionists have also sought to amplify pressure on victims by contacting their customers, whose data was compromised. The extortionists encourage those customers to direct their anger over the hack at the victim organization — not at the hackers themselves. In some cases, the extortionists urge customers to sue or file regulatory complaints against the victimized organization.
Conducting these threats requires cyber criminals to build teams with a skill set that reaches beyond the technical. Ransomware groups have been advertising on the dark web for new members with communications skills or understanding of regulatory matters. A previous Sophos X-Ops report examined how some ransomware groups increasingly look to solicit and shape media coverage of attacks, to build the cyber criminals’ images and further pressure victims.
Some cyber extortionists are also making violent and personal threats. In a January incident, hackers who hit a cancer hospital threatened to SWAT its patients. In another event, extortionists found and published information about the daughter of a victim organization's CEO, including her identity documents and Instagram profile.
“The level of escalation in targeting people's family is downright chilling,” Budd said. “… That's a level of escalation that is matching some of the more brutal tactics that organized [non-cyber] crime uses.”
Another unusual incident saw hackers demand members of the victimized company do community service. In this case, researchers have seen no indication of victims obeying. But the demand was likely meant as a “power flex,” and stands out for its attempt to use a cyber attack to make victims take action in the physical world, Budd said.
And cyber attackers are likely to keep trying new ways to pressure their victims.
“In the end, the cost per failure in innovation in this space is actually quite low,” Budd said. “So long as you don't get arrested, if you try something and it doesn't work, then you move on to the next one.”
