Mar 14, 2023 - Technology

Ransomware gangs fine-tune extreme blackmail tactics


Ransomware gangs are starting to go public with the sensitive information they steal to ensure victims pay up.

Driving the news: In the last week alone, ransomware criminals have threatened to leak private photos from breast cancer patients' files and published a video showcasing the data they could access while digging through Minneapolis Public Schools' systems.

The big picture: It's rare for ransomware criminals to publicly detail the specific pieces of data they were able to steal during an attack.

  • Usually, criminal gangs flaunt these findings to victims only in private negotiations, rarely discussing their precise findings in public.
  • Now, as reports find that ransom payouts are dropping, criminals are trying a new tactic to publicly shame victims into paying: combing through the data sets and publicly detailing the most confidential bits.

Zoom out: Ransomware gangs have started moving away from traditional, encryption-based attacks to focus on data extortion.

  • A ransomware attack typically involves hackers installing file-encrypting software onto an organization's networks and then demanding payment to unlock those files and systems.
  • But over the years, more gangs have started also stealing data before encrypting a system and demanding a second payout to prevent a leak.

What they're saying: "It seems to be accelerating and happening more frequently," Chester Wisniewski, field chief technology officer of applied research at Sophos, told Axios.

  • "There's only a handful of times I can remember the extortion becoming public and having specific things that were stolen that were used as part of the demand," he added.

Between the lines: Brett Callow, a threat analyst at Emsisoft, told Axios that with fewer victims paying ransomware gangs, cybercriminals are now "looking for ways to increase their conversion rates."

  • Ransomware gangs — many of whom are based in Russia — have also become more aggressive since the war in Ukraine began, Wisniewski added.

State of play: Gangs have started feeling a squeeze and pressure to try out new tactics in the last year.

Yes, but: The tactic of publicly taunting ransomware victims isn't completely new.

  • In 2020, now-defunct ransomware gang REvil stole files from a New York-based celebrity law firm and publicly threatened to leak hundreds of gigabytes of files, including contracts, nondisclosure agreements and more, if a $42 million payout wasn't made.
  • Kurtis Minder, CEO of ransomware negotiation company GroupSense, told Axios he's also seen bad actors take their threats to Twitter and call employees of a victim organization to put more social pressure on executives to pay.

The intrigue: Increasing public scrutiny on victim organizations doesn't guarantee that gangs will get a payout.

  • For some organizations, threatening them publicly could just embolden their decision to not pay the bad actors, Minder said.
  • But Minder said he's also been in situations where operators are extorting so many victims at once that they seemingly forget to leak the data once the deadline for a payout passes.
  • "You just get lost in the shuffle because you're one of 100 victims they're fielding right now," Minder said.
