Sophos X-Ops: Ransomware gangs escalating tactics, going to ‘chilling’ lengths

Posting sensitive data about executives’ family members. Making prank calls to law enforcement that result in violence and even death. Snitching on organizations that don’t pay. Scouring stolen data for evidence of enterprise or employee wrongdoing. Portraying themselves as vigilantes with the public good in mind. 

Ransomware actors are escalating their tactics to new, often disturbing heights, according to new research from Sophos X-Ops. 

Christopher Budd, director of threat intelligence at the Threat Response Joint Task Force, even called some of their actions “chilling.”

“One thing is clear: Attackers are looking not just at technical levers to pull but human levers they can pull,” Budd told VentureBeat. “Organizations have to think about how attackers are trying to manipulate these human levers.”

Threats, seeking out wrongdoing, alerting authorities

That most “chilling” example identified by Budd involved a ransomware group doxing a CEO’s daughter, posting screenshots of her identity documents, as well as a link to her Instagram profile.

“That smacks of old-school mafia, going after people’s families,” said Budd. 

Ultimately, threat actors are “increasingly comfortable” leaking other extremely sensitive data such as medical records (including those of children), blood test data and even nude images. 

Also alarmingly, they are using phone calls and swatting — that is, making fake calls alleging violence or open shooters at a certain address. This has resulted in at least one death and serious injury. 

In another shift, attackers are now not just locking up data or carrying out a denial of service attack, “They’re stealing the data and now they’re looking into it to see what they can find,” said Budd. For instance, many claim they assess stolen data for evidence of illegal activity, regulatory noncompliance and financial misdoings or discrepancies. 

One group, the WereWolves, claimed on their leak site that they subject stolen data to “a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors.” As a means to further those efforts, Sophos X-Ops found that at least one threat actor seeks out recruits who can find examples of wrongdoing to use as leverage for extortion. One ad on a criminal forum sought out someone to look for “violations,” “inappropriate spending,” “discrepancies” and “cooperation with companies on sanction lists.” 

The gang also offered this piece of advice: “Read through their emails and look for keywords like ‘confidential’”

In one “particularly disturbing” instance, a group identifying as Monti purported that an employee at a compromised organization was searching for child sexual abuse material while on the clock. They threatened: “If they don’t pay up, we’ll be forced to turn over the abuse information to the authorities, and release the rest of the information to the public.”

Interestingly, attackers also turn the tables on target organizations by reporting them to police or regulatory bodies when they don’t pay up. This was the case in November 2023 when one gang posted a screenshot of a complaint it lodged with the Securities and Exchange Commission (SEC) against publicly traded digital lending company MeridianLink. Under a new rule, all publicly traded companies must file disclosures with the SEC within four days of learning of a security incident that could have “material” impact.

“It may seem somewhat ironic that threat actors are weaponizing legislation to achieve their own illegal objectives,” X-Ops researchers write, “and the extent to which this tactic has been successful is unclear.”

Portraying themselves as sympathizers

To make themselves appear grassroots or altruistic — and apply further pressure — some cybercriminals are also encouraging victims whose personally identifiable information (PII) has been leaked to “partake in litigation.” They also openly criticize their targets as “unethical,” “irresponsible,” “uncaring” or “negligent,” and even attempt to ‘flip the script’ by referring to themselves as “honest…pentesters,” or a “penetration testing service” that conducts cybersecurity studies or audits. 

Taking this a step further, attackers will name specific individuals and executives that they claim are “responsible for data leakage.” Sophos X-Ops researchers point out that this can serve as a “lightning rod” for blame; cause reputational damage; and “menace and intimidate” leadership. 

Researchers often point out that this criticism continues after negotiations have broken down and victims don’t fist over the funds. 

Finally, ransomware gangs aren’t hiding away from the world in dark basements or abandoned warehouses (as is the cliche) — increasingly, they are seeking media attention, encouraging their outreach, touting recent coverage and even offering FAQ pages and press releases. 

Previously, “the idea of attackers regularly putting out press releases and statements — let alone giving detailed interviews and arguing with reporters — was absurd,” Sophos X-Ops researchers wrote in a report late last year. 

Enterprises: Be very vigilant

But why are threat actors taking such drastic measures? 

“Frankly just to see if they work so that they get paid,” said Budd. “Ultimately that’s what it comes down to. Cyber criminals are business people and they want their money.”

They are “aggressively innovative” and going down these paths to ratchet up pressure for significant payouts, he noted.

For enterprises, this means continuing to be ever-vigilant, said Budd. “Basically the standard guidance around ransomware applies,” he said. This means keeping systems up to date and patched, running strong security software, ensuring systems are backed up and having a disaster recovery/business continuity plan in place. 

He noted that “they’re going to see that some risks they already worry about and manage now have a ransomware cybersecurity element to it.” This includes corporate espionage, which has always been around as a risk.

Budd also cautioned about the ongoing risk of bad employee behavior — which, as in the case of the worker searching for child sexual abuse material, now has a cybersecurity element to it. 

Simply put, he emphasized that enterprises “can and should be doing all the things we’ve been saying they should do to protect against ransomware.”