{"id":25028,"date":"2024-08-06T03:20:57","date_gmt":"2024-08-06T11:20:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/06\/news-18758\/"},"modified":"2024-08-06T03:20:57","modified_gmt":"2024-08-06T11:20:57","slug":"news-18758","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/06\/news-18758\/","title":{"rendered":"Turning the screws: The pressure tactics of ransomware gangs"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Tue, 06 Aug 2024 10:00:49 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Back in 2021, Sophos X-Ops <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/10\/28\/the-top-10-ways-ransomware-operators-ramp-up-the-pressure-to-pay\/\">published an article<\/a> on the top ten ways ransomware operators ramp up pressure on their targets, in an attempt to get them to pay. Last year, X-Ops revealed that threat actors have since developed <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\">a symbiotic relationship with sections of the media<\/a>, leveraging news articles as extortion pressure. Three years on, threat actors continue to adapt and change their tactics to increase leverage against their targets.<\/p>\n<p>The methods we described in the 2021 article \u2013 such as threats to publish data, calling employees, and notifying customers and the media about breaches \u2013 are all still in use today. 
However, ransomware gangs are adopting some new, and concerning, tactics.<\/p>\n<p>A brief summary of our findings:<\/p>\n<ul>\n<li><strong>Ransomware operators increasingly weaponize legitimate entities<\/strong> \u2013 such as the news media, legislation, civil regulatory enforcement authorities, and even law enforcement \u2013 to ramp up pressure on victims<\/li>\n<li><strong>In some cases, criminals encourage affected customers and employees to claim compensation, or launch litigation<\/strong> \u2013 sometimes providing the names and contact details of CEOs and business owners<\/li>\n<li><strong>Threat actors claim to assess stolen data for evidence of illegal activity<\/strong>, regulatory noncompliance, and financial discrepancies \u2013 all of which can be used as further leverage and to inflict reputational damage<\/li>\n<li><strong>Ransomware criminals openly criticize their victims<\/strong>, and will sometimes attempt to deride them as unethical or negligent, which can also cause reputational damage \u2013 as well as contributing to some threat actor groups\u2019 attempts to \u2018flip the script\u2019 and portray themselves as beneficent vigilantes<\/li>\n<li><strong>Ransomware operators appear to be increasingly comfortable with stealing and leaking extremely sensitive data<\/strong>, including medical records, nude images, and, in one case (as we\u2019ll cover later), the personal details of a CEO\u2019s daughter<\/li>\n<\/ul>\n<h2>Legislation and litigation<\/h2>\n<p>Something we didn\u2019t see much, if any of, in 2021 was ransomware actors weaponizing legislation, or encouraging secondary victims of their attacks \u2013 such as clients, customers, and employees \u2013 to launch lawsuits, in order to increase pressure on targeted organizations. 
However, we\u2019ve seen several recent examples of this.<\/p>\n<p>In November 2023, ALPHV\/BlackCat filed a Securities and Exchange Commission (SEC) complaint <a href=\"https:\/\/www.scmagazine.com\/news\/hacker-group-files-sec-complaint-against-its-own-victim\">against one of its own victims<\/a>. The threat actor alleged that the company had failed to notify the SEC of the breach within the four business days required under the <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/31\/understanding-the-new-sec-cybersecurity-rules-a-guide-for-executives\/\">new final rules<\/a> (which, while <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2023-139\">adopted in July 2023<\/a>, did not actually come into force until <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2023-139\">December of that year<\/a>).<\/p>\n<p>We saw threats to expose non-compliance in other contexts, too. In some cases, it\u2019s something for which threat actors appear to be specifically searching. As we reported in our December 2023 piece on <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\">the relationship between ransomware gangs and the media<\/a>, at least one threat actor appears to be actively recruiting for people to look for instances of non-compliance and financial irregularities \u2013 possibly to use this as leverage for extortion.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956392\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"120\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png 1558w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png?resize=300,56 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png?resize=768,144 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png?resize=1024,192 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image1_6cf59f.png?resize=1536,288 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: A threat actor posts a recruitment ad on a criminal forum, seeking someone to look for \u201cviolations,\u201d \u201cinappropriate spending,\u201d \u201cdiscrepancies,\u201d and \u201ccooperation with companies on sanction lists.\u201d It\u2019s not clear that this is linked specifically to ransomware<\/em><\/p>\n<p>It\u2019s worth noting that this sort of activity can require considerable expertise \u2013 as noted by one threat actor on a criminal forum below (Figure 2) \u2013 but is likely still attractive to ransomware operators if it provides them with more ammunition.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image2_c74e44.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956393\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image2_c74e44.png\" alt=\"A screenshot from a criminal forum\" width=\"640\" height=\"162\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image2_c74e44.png 703w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image2_c74e44.png?resize=300,76 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: A threat actor provides some advice on finding \u201cinconsistencies in tax reporting\u201d on a criminal forum<\/em><\/p>\n<p>At least one other ransomware group claims to do this type of research. 
The WereWolves threat actor notes, on its leak site, that it subjects stolen data to \u201ca criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-956394 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a-e1721735563709.png\" alt=\"A screenshot from a ransomware leak site\" width=\"1430\" height=\"202\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a-e1721735563709.png 1430w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a-e1721735563709.png?resize=300,42 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a-e1721735563709.png?resize=768,108 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image3_5cc32a-e1721735563709.png?resize=1024,145 1024w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/a><\/p>\n<p><em>Figure 3: An excerpt from the WereWolves ransomware leak site<\/em><\/p>\n<p>We noted one particularly disturbing example, where the Monti ransomware gang claimed that an employee at a compromised organization had been searching for child sexual abuse material. The threat actor posted a screenshot of a browser history window, along with a PowerShell window showing the alleged username of the offender. 
Monti went on to state that \u201cif they don\u2019t pay up, we\u2019ll be forced to turn over the abuse information to the authorities, and release the rest of the information to the public.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956395\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png 1038w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image4_7a5c39.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Part of a post on the Monti ransomware leak site<\/em><\/p>\n<p>We also noted an instance of a threat actor encouraging people whose personally identifiable information (PII) appeared in a data breach to \u201cpartake in litigation against the victim.\u201d Moreover, the threat actor also provided a \u201csnippet of the negotiations\u201d and encouraged those affected to \u201cexpress your concerns\u201d to an executive at the targeted organization \u2013 providing not just that individual\u2019s name, but also their telephone number.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-956396 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a-e1721735595917.png\" alt=\"A screenshot from a criminal forum\" width=\"1429\" height=\"223\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a-e1721735595917.png 1429w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a-e1721735595917.png?resize=300,47 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a-e1721735595917.png?resize=768,120 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image5_a7263a-e1721735595917.png?resize=1024,160 1024w\" sizes=\"auto, (max-width: 1429px) 100vw, 1429px\" \/><\/a><\/p>\n<p><em>Figure 5: A threat actor posts on a criminal forum, providing material for \u201cthose who wish to partake in litigation against the victim\u201d<\/em><\/p>\n<p>This tactic of naming specific individuals \u2013 along with contact details \u2013 is used by more than one ransomware gang. The Qiulong group, for example, regularly includes the details of CEOs and business owners on its leak site, often accompanied by insults, personal information, and accusations of negligence.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image6_d21fca.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956397\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image6_d21fca.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"585\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image6_d21fca.png 880w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image6_d21fca.png?resize=300,274 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image6_d21fca.png?resize=768,702 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A post on the Qiulong ransomware leak site. 
Note the reference (redacted in the image above) to a specific make of car the CEO drives<\/em><\/p>\n<p>Similarly, the Snatch threat actor regularly names specific individuals as \u201cresponsible\u201d for data breaches.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/image-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956667\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/image-7.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"251\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/image-7.png 724w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/image-7.png?resize=300,118 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: A post on the Snatch leak site, which names a specific individual who Snatch claims is \u201cresponsible for data leakage\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956399\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image8.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"486\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image8.png 871w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image8.png?resize=300,228 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image8.png?resize=768,583 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: The Snatch threat actor explains its reasoning for including the personal data of business owners and authority figures on its leak site<\/em><\/p>\n<p>In one case, we noted that the Monti ransomware group had not just named a business owner and published their Social Security number, but had also posted an image of them, crudely edited to include devil horns and a speech 
bubble reading \u201cI\u2019m a dumb p***y who doesn\u2019t care about my clients.\u201d<\/p>\n<p>From the perspective of ransomware operators, referring to specific individuals serves three purposes. First, it provides a \u2018lightning rod\u2019 for any subsequent blame, pressure, and\/or litigation. Second, it contributes to the threat of reputational damage (covered in the next section). And third, personal attacks can menace and intimidate the leadership of the targeted organization.<\/p>\n<p>It may seem somewhat ironic that threat actors are weaponizing legislation to achieve their own illegal objectives, and the extent to which this tactic has been successful is unclear. However, when used, it likely adds to the already considerable pressure experienced by C-suite executives \u2013 particularly in the context of at least <a href=\"https:\/\/www.cybersecuritydive.com\/news\/uber-cso-convicted\/634332\/\">one CSO previously being convicted<\/a> following criminal prosecution over the handling of a data breach and an extortion payment. While out of scope for this particular article, it\u2019s worth noting that the current legal landscape pertaining to the personal risk and accountability of CEOs and CISOs in such situations appears uncertain. 
While we\u2019re not aware of any convictions arising from ransomware groups referring breach information to regulators or law enforcement, that doesn\u2019t mean it won\u2019t happen in the future \u2013 and the possibility is likely to be of concern to C-suites.<\/p>\n<p>Moreover, the fact that some ransomware operators claim to take a vigilante role to expose wrongdoing, irregularities, and criminal activity within organizations presents an interesting ethical issue, despite the irony that doing so supports their own criminal activity.<\/p>\n<h2>Ethics, reputational damage, and embarrassment<\/h2>\n<p>In Figure 4 above, the Monti ransomware group claimed to expose (and threatened to report) serious criminal activity allegedly occurring at an organization. While this in no way negates the illegality and seriousness of ransomware attacks, it raises an ethical dilemma: Which is worse, the ransomware attack itself, or the attackers&#8217; revelation of potentially criminal activity taking place within the organization that was victimized?<\/p>\n<p>Many ransomware criminals thrive in this ethical grey area, and want to appear moral, ethical, or genuinely concerned about security and confidentiality. 
As we noted in <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\">our previous article on this topic<\/a>, numerous ransomware gangs are attempting to \u2018flip the script\u2019 and portray themselves as a force for good, by referring to themselves as \u201chonest\u2026pentesters\u201d, or as a \u201cpenetration testing service\u201d conducting \u201ccybersecurity [studies]\u201d or \u201csecurity audit[s].\u201d Of course, legitimate penetration testers operate with the prior permission of, and under parameters set by (and sometimes, active supervision by) the companies who hire them; ransomware criminals do not.<\/p>\n<p>Cactus, for instance, describes itself as a \u201cDirect Security Audit Agency (DSAA) revolutionizing a customer journey, one hyper-targeted solution at a time.\u201d The language here is \u2013 probably intentionally \u2013 reminiscent of corporate marketing material.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956400\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"495\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png 1104w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png?resize=300,232 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png?resize=768,594 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image9.png?resize=1024,792 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: On the FAQ page on its leak site, the Cactus ransomware group claims that it conducts \u201cnetwork security audits\u201d<\/em><\/p>\n<p>In contrast, many ransomware gangs refer to their targets as \u201cirresponsible,\u201d \u201cnegligent,\u201d or 
uncaring.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956401\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"205\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png 1495w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png?resize=300,96 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png?resize=768,247 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image10.png?resize=1024,329 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: The 8Base leak site mentions \u201cirresponsible processing of\u2026personal data and business secrets\u201d and includes the statement that \u201cwe are sorry that you were affected by companies\u2019 negligent attitude to the privacy and security of their customers\u2019 personal data.\u201d Note the claim that this \u201cgives you the opportunity to request compensation\u201d<\/em><\/p>\n<p>Of particular interest in Figure 10 is 8Base\u2019s promise that they will \u201cremove personal information from disclosure on demand\u2026at no cost to you,\u201d following requests from individual clients of the targeted organization.<\/p>\n<p>Again, this is (perhaps) an attempt to make the group appear reasonable and ethical, but it\u2019s also combined with a pressure tactic aimed at the organization. 
In the same paragraph, 8Base notes that \u201cin addition we will provide your data set that you can use in a lawsuit to compensate the damage caused to you.&#8221;<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956402\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image11.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"308\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image11.png 888w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image11.png?resize=300,145 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image11.png?resize=768,370 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 11: In a post on its leak site, the Blacksuit ransomware group claims that the management of a targeted organization \u201cdoes not care about you or your personal information&#8221;<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956403\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image12.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"540\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image12.png 995w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image12.png?resize=300,253 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image12.png?resize=768,648 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: A screenshot of the Space Bears leak site, asking visitors whether they trust targeted companies with their data<\/em><\/p>\n<p>In many cases, this criticism continues after negotiations have broken down and victims have decided not to pay. 
For instance, the Karakurt group, in a \u2018press release,\u2019 called out a hospital after it failed to pay a ransom.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956404\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image13.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"276\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image13.png 686w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image13.png?resize=300,129 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: The Karakurt group criticizes a hospital after it failed to pay the ransom, calling it \u201cdishonest and irresponsible\u201d<\/em><\/p>\n<p>Typically, in the context of exposing security weaknesses and negligence, ransomware operators portray themselves as morally superior to their targets. 
Occasionally, the waters are muddied further.<\/p>\n<p>The Malas ransomware gang, for example, demands that its victims \u201cmake a donation to a nonprofit of their choice.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956405\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"653\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png 733w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png?resize=294,300 294w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image14.png?resize=64,64 64w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: An excerpt from a post on the Malas ransomware gang\u2019s leak site. The quotation in the last response is attributed to financier Warren Buffett<\/em><\/p>\n<p>Other threat actors have previously adopted a similar approach. In 2022, for example, <a href=\"https:\/\/www.cybertalk.org\/2022\/05\/25\/robin-hood-ransomware-demands-goodwill-ransom-for-charity\/\">the GoodWill ransomware group<\/a> demanded that victims perform charitable activities \u2013 such as feeding poor children, or providing clothes and blankets to the unhoused \u2013 and post video evidence online. In 2020, the Darkside ransomware gang <a href=\"https:\/\/www.bbc.co.uk\/news\/technology-54591761\">claimed to have donated a proportion of its gains to two charities<\/a>. 
As far as we can tell, there were no known victims of the GoodWill ransomware strain, so we don\u2019t know if the tactic was successful, and at least one of the two charities to which Darkside donated funds stated that it would not be keeping the money.<\/p>\n<p>Malas, however, takes things a step further. In addition to requiring charitable donations, it also explicitly criticizes specific organizations on the basis of alleged ethical shortcomings \u2013 arguably combining ransomware with hacktivism.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-956406\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15-e1721735688343.png\" alt=\"A screenshot from a ransomware leak site\" width=\"701\" height=\"233\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15-e1721735688343.png 1215w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15-e1721735688343.png?resize=300,100 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15-e1721735688343.png?resize=768,255 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image15-e1721735688343.png?resize=1024,340 1024w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><\/a><\/p>\n<p><em>Figure 15: A post on the Malas leak site following an attack on a collection agency (a company that attempts to recover debts on behalf of creditors)<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956407\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image16.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"297\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image16.png 679w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image16.png?resize=300,139 
300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 16: Another post on the Malas leak site, referring to an attack on an organization in the natural resources sector<\/em><\/p>\n<p>Malas admits that this approach has not been particularly successful. On its FAQ, its response to the question \u201cHas it been effective?\u201d is an unequivocal \u201cSo far, no.\u201d Interestingly, the author of the FAQ claims that one of the reasons for this is that victims \u201cwon\u2019t send money to genuine grass-roots organizations.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956408\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image17.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"514\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image17.png 648w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image17.png?resize=300,241 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 17: Malas goes into some detail as to why it believes its approach has not been effective<\/em><\/p>\n<p>However, in attempting to present its targets as morally deficient, Malas is essentially no different to its peers. It leverages the threat of reputational damage, in the same way that other ransomware gangs do. The intent is to reduce trust and good faith, with the proposed solution being for the target to pay up and therefore negate, at least partially, any adverse impact.<\/p>\n<p>Malas is also no different to its peers when it comes to its communications with victims. 
Like other ransomware groups, it threatens to sell or publish data and inform journalists and customers.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-956409\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18-e1721735736958.png\" alt=\"A screenshot from a ransomware leak site\" width=\"791\" height=\"184\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18-e1721735736958.png 1372w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18-e1721735736958.png?resize=300,70 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18-e1721735736958.png?resize=768,179 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image18-e1721735736958.png?resize=1024,238 1024w\" sizes=\"auto, (max-width: 791px) 100vw, 791px\" \/><\/a><\/p>\n<p><em>Figure 18: An excerpt from the Malas leak site<\/em><\/p>\n<p>The prevalence of this threat was something we noted both in our article on ransomware gangs and the media, and in our 2021 examination of ransomware pressure tactics. Conscious that many news outlets are keen to publish stories on ransomware, and that media attention may compound reputational damage to organizations and increase the pressure to pay up, many ransomware gangs explicitly make this threat on their leak sites, and will solicit media coverage and communication with journalists.<\/p>\n<p>In addition, some threat actors also threaten to notify customers, partners, and competitors. 
The intent here is to generate and intensify pressure from multiple angles and sources: media attention, customers, clients, other companies, and potentially regulatory bodies too.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956410\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"385\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png 1075w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png?resize=300,180 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png?resize=768,462 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image19.png?resize=1024,615 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 19: An excerpt from the FAQ on the Cactus leak site. Note the threats that \u201cit is highly likely that you will be sued,\u201d and that \u201cjournalists, researchers, etc. 
will dig through your documents, finding inconsistencies or irregularities\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956411\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"294\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png 1186w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png?resize=300,138 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png?resize=768,353 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image20.png?resize=1024,471 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 20: An excerpt from the FAQ on the Play leak site. Note that there is some similar wording to the Cactus notice in Figure 19, in the answer to the \u201cWhat happens if we don\u2019t pay?\u201d question<\/em><\/p>\n<p>We noted in our 2021 article that the threat of leaked personal data was a big concern for organizations (and, of course, for the individuals involved), with both privacy and potential legal ramifications. While this is still the case, in recent years ransomware gangs have stepped up their game, sometimes leaking, or threatening to leak, particularly sensitive data.<\/p>\n<h2>Sensitive data, swatting, and more<\/h2>\n<p>Several ransomware groups have published sensitive medical data following attacks. 
This has included <a href=\"https:\/\/www.politico.eu\/article\/cybercriminal-extorts-finnish-therapy-patients-in-shocking-attack-ransomware-blackmail-vastaamo\/\">mental health records<\/a>, <a href=\"https:\/\/therecord.media\/scotland-nhs-children-records-posted-extortion-ransomware\">the medical records of children<\/a>, and, recently, <a href=\"https:\/\/www.itv.com\/news\/2024-06-21\/nhs-cyber-attack-data-published-online-by-cyber-criminal-group\">blood test data<\/a>.<\/p>\n<p>In a world where data breaches are increasingly commonplace, threatening to leak extremely sensitive data exacerbates the pressure on victim organizations, and can cause considerable distress and concern to those affected.<\/p>\n<p>In some cases, we noticed ransomware gangs explicitly calling this out on their leak site \u2013 noting that stolen data included \u201cimages of nude patients\u201d and \u201cinformation about patients\u2019 sexual problems.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956412\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image21.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"354\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image21.png 684w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image21.png?resize=300,166 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 21: A post on the Qiulong leak site<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956413\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image22.png\" alt=\"A screenshot from a ransomware leak site\" width=\"640\" height=\"358\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image22.png 
865w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image22.png?resize=300,168 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image22.png?resize=768,430 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 22: Another post on the Qiulong leak site<\/em><\/p>\n<p>In one particularly concerning example, the Qiulong ransomware group posted screenshots of a CEO\u2019s daughter\u2019s identity documents, along with a link to her Instagram profile.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image23_.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956419\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image23_.png\" alt=\"A screenshot from a ransomware leak site showing two identity cards (redacted)\" width=\"640\" height=\"433\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image23_.png 760w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/image23_.png?resize=300,203 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 23: The Qiulong ransomware group posts personal data of a CEO\u2019s daughter on its leak site. From the limited context provided, this may have been an act of revenge after negotiations had broken down<\/em><\/p>\n<p>In 2021, we noted that ransomware gangs would sometimes email and call employees and customers in order to increase pressure on organizations. However, in recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly, but also secondary victims, as in Figure 23. 
For instance, as reported in January 2024, <a href=\"https:\/\/www.bitdefender.co.uk\/blog\/hotforsecurity\/ransomware-attackers-add-swatting-to-their-arsenal-of-threats\/\">attackers threatened to \u2018swat\u2019 patients of a cancer hospital<\/a>, and have <a href=\"https:\/\/www.theregister.com\/2024\/01\/05\/swatting_extorion_tactics\/\">sent threatening text messages to a CEO\u2019s spouse<\/a>.<\/p>\n<p>As we wrote in 2021, ransomware operators will often warn their victims not to contact law enforcement. However, the threat of swatting demonstrates some attackers\u2019 willingness to weaponize law enforcement when it suits them \u2013 not unlike their willingness to weaponize legislation and regulations.<\/p>\n<h2>An escalation in tactics<\/h2>\n<p>While many ransomware gangs are still using the pressure tactics we reported on in 2021, there appears to have been an escalation. It\u2019s not certain whether this is driven by increasing numbers of victims opting not to pay ransoms, competition from other threat actors, ransomware groups feeling increasingly emboldened, or other factors. However, what is apparent is that all the tactics we discuss here are designed to intimidate targeted organizations and people linked to them.<\/p>\n<p>Some ransomware groups will weaponize any legitimate resource to increase the pressure on their targets \u2013 whether that\u2019s the news media, as we explored in our earlier article, law enforcement, or threats of civil legal action or reporting malfeasance to regulatory authorities. While it\u2019s probably too early to say if this approach is effective (and, it\u2019s also worth noting, the threat isn\u2019t always carried out), the criminals\u2019 objective is to generate pressure from multiple angles and sources.<\/p>\n<p>The use of phone calls and swatting also indicates a willingness to move threats from the digital sphere and into the real world. 
Swatting, in particular, is an extremely dangerous crime that has on some occasions resulted in <a href=\"https:\/\/news.sky.com\/story\/first-ever-uk-swatting-sentence-passed-after-man-shot-in-face-by-armed-unit-due-to-hoax-call-13118559\">injury<\/a> and <a href=\"https:\/\/www.washingtonpost.com\/nation\/2019\/03\/29\/prankster-sentenced-years-fake-call-that-led-police-kill-an-innocent-man\/\">death<\/a>, as well as significant psychological distress.<\/p>\n<p>In the future, ransomware gangs appear likely to continue to devise and employ novel strategies to coerce their victims into paying, and to inflict reputational damage \u2013 and perhaps worse \u2013 if ransoms are not paid.<\/p>\n<p>Sophos has several resources to help defenders protect against ransomware. You can find <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/11\/28\/best-practices-for-securing-your-network-from-ransomware\/\">best practice guidance<\/a>, an anti-ransomware toolkit, a link to our incident response services, and links to several of our ransomware-related reports <a href=\"https:\/\/www.sophos.com\/en-us\/content\/ransomware\">here<\/a>. 
Specific advice on <a href=\"https:\/\/support.sophos.com\/support\/s\/article\/KB-000036284?language=en_US\">configuring Sophos products to prevent ransomware is also available<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/07\/shutterstock_1894459471.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Tue, 06 Aug 2024 10:00:49 +0000<\/strong><\/p>\n<p>Sophos X-Ops examines the increasingly aggressive tactics ransomware gangs use to coerce their targets<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[30606,25303,31749,31750,31287,129,26531,31751,28040,1264,31752,19566,20892,31753,3765,23661,27030,31754,16771,31755],"class_list":["post-25028","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-8base","tag-blackcat","tag-blacksuit","tag-cactus","tag-cybercrime-forums","tag-featured","tag-karakurt","tag-malas","tag-marketplaces","tag-media","tag-monti","tag-play","tag-pressure","tag-qiulong","tag-ransomware","tag-snatch","tag-sophos-x-ops","tag-space-bears","tag-threat-research","tag-werewolves"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palad
a.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25028"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25028\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}