Ransomware gangs fine-tune extreme blackmail tactics
- Sam Sabin, author of Axios Codebook

Illustration: Sarah Grillo/Axios
Ransomware gangs are starting to go public with the sensitive information they steal to ensure victims pay up.
Driving the news: In the last week alone, ransomware criminals have threatened to leak private photos from breast cancer patients' files and published a video showcasing the data they could access while digging through Minneapolis Public Schools' systems.
- The video showed records related to student sexual violence allegations, letters to parents about student suspensions, and employee tax forms.
The big picture: It's rare for ransomware criminals to publicly detail the specific pieces of data they were able to steal during an attack.
- Usually, criminal gangs flaunt these findings to victims only in private negotiations, rarely discussing their precise findings in public.
- Now, as reports find that ransom payouts are dropping, criminals are trying a new tactic to publicly shame victims into paying: combing through the data sets and publicly detailing the most confidential bits.
Zoom out: Ransomware gangs have started moving away from traditional, encryption-based attacks to focus on data extortion.
- A ransomware attack typically involves hackers installing file-encrypting software onto an organization's networks and then demanding payment to unlock those files and systems.
- But over the years, more gangs have started also stealing data before encrypting a system and demanding a second payout to prevent a leak.
What they're saying: "It seems to be accelerating and happening more frequently," Chester Wisniewski, field chief technology officer of applied research at Sophos, told Axios.
- "There's only a handful of times I can remember the extortion becoming public and having specific things that were stolen that were used as part of the demand," he added.
Between the lines: Brett Callow, a threat analyst at Emsisoft, told Axios that with fewer victims paying ransomware gangs, cybercriminals are now "looking for ways to increase their conversion rates."
- Ransomware gangs — many of whom are based in Russia — have also become more aggressive since the war in Ukraine began, Wisniewski added.
State of play: Gangs have started feeling a squeeze and pressure to try out new tactics in the last year.
- International law enforcement operations have led to more arrests and web infrastructure seizures, and the U.S. government is eyeing bringing intelligence and military powers into the fight.
Yes, but: The tactic of publicly taunting ransomware victims isn't completely new.
- In 2020, now-defunct ransomware gang REvil stole files from a New York-based celebrity law firm and publicly threatened to leak hundreds of gigabytes of files, including contracts, nondisclosure agreements and more if a $42 million payout wasn't made.
- Kurtis Minder, CEO of ransomware negotiation company GroupSense, told Axios he's also seen bad actors take their threats to Twitter and call employees of a victim organization to put more social pressure on executives to pay.
The intrigue: Increasing public scrutiny on victim organizations doesn't guarantee that gangs will get a payout.
- For some organizations, threatening them publicly could just embolden their decision to not pay the bad actors, Minder said.
- But Minder said he's also been in situations where operators are extorting so many victims at once that they seemingly forget to leak the data once the deadline for a payout passes.
- "You just get lost in the shuffle because you're one of 100 victims they're fielding right now," Minder said.
Sign up for Axios’ cybersecurity newsletter Codebook here.