Ransomware gangs fine-tune extreme blackmail tactics

Ransomware gangs are starting to go public with the sensitive information they steal to ensure victims pay up.

Driving the news: In the last week alone, ransomware criminals have threatened to leak private photos from breast cancer patients' files and published a video showcasing the data they could access while digging through Minneapolis Public Schools' systems.

• The video showed records related to student sexual violence allegations, letters to parents about student suspensions, and employee tax forms.

The big picture: It's rare for ransomware criminals to publicly detail the specific pieces of data they were able to steal during an attack.

• Usually, criminal gangs flaunt these findings to victims only in private negotiations, rarely discussing their precise findings in public.
• Now, as reports find that ransom payouts are dropping, criminals are trying a new tactic to publicly shame victims into paying: combing through the data sets and publicly detailing the most confidential bits.

Zoom out: Ransomware gangs have started moving away from traditional, encryption-based attacks to focus on data extortion.

• A ransomware attack typically involves hackers installing file-encrypting software onto an organization's networks and then demanding payment to unlock those files and systems.
• But over the years, more gangs have started also stealing data before encrypting a system and demanding a second payout to prevent a leak.

What they're saying: "It seems to be accelerating and happening more frequently," Chester Wisniewski, field chief technology officer of applied research at Sophos, told Axios.

• "There's only a handful of times I can remember the extortion becoming public and having specific things that were stolen that were used as part of the demand," he added.

Between the lines: Brett Callow, a threat analyst at Emsisoft, told Axios that with fewer victims paying ransomware gangs, cybercriminals are now "looking for ways to increase their conversion rates."

• Ransomware gangs — many of whom are based in Russia — have also become more aggressive since the war in Ukraine began, Wisniewski added.

State of play: Gangs have started feeling a squeeze and pressure to try out new tactics in the last year.

• International law enforcement operations have led to more arrests and web infrastructure seizures, and the U.S. government is eyeing bringing intelligence and military powers into the fight.

Yes, but: The tactic of publicly taunting ransomware victims isn't completely new.

• In 2020, now-defunct ransomware gang REvil stole files from a New York-based celebrity law firm and publicly threatened to leak hundreds of gigabytes of files, including contracts, nondisclosure agreements and more if a $42 million payout wasn't made.
• Kurtis Minder, CEO of ransomware negotiation company GroupSense, told Axios he's also seen bad actors take their threats to Twitter and call employees of a victim organization to put more social pressure on executives to pay.

The intrigue: Increasing public scrutiny on victim organizations doesn't guarantee that gangs will get a payout.

• For some organizations, threatening them publicly could just embolden their decision to not pay the bad actors, Minder said.
• But Minder said he's also been in situations where operators are extorting so many victims at once that they seemingly forget to leak the data once the deadline for a payout passes.
• "You just get lost in the shuffle because you're one of 100 victims they're fielding right now," Minder said.

Sign up for Axios’ cybersecurity newsletter Codebook here.