At least some ransomware gangs are upping the ante with threats like doxxing family members of executives, weaponizing the police, and leaking embarrassing internal materials ranging from nude photos to evidence of illegal activity, according to recent research by security firm Sophos.
The report details a number of incidents in which attackers went much further than merely encrypting or stealing data—like threatening to leak patient data that includes “images of nude patients” or sending threatening messages to secondary victims like spouses of executives.
“What is apparent is that all the tactics we discuss here are designed to intimidate targeted organizations and people linked to them,” researchers wrote in the report.
According to Chet Wisniewski, director and global field CTO at Sophos, the company hasn’t seen enough of these incidents to characterize them as a trend. Instead, the hackers appear to be testing how lucrative these threats can be—an experiment he hopes doesn’t pan out.
Wisniewski sat down with IT Brew to discuss the report’s findings.
This interview has been edited for length and clarity.
What was the most important finding of this report?
The one that stands out to me that’s the most dangerous, scary, the one that’s most likely to succeed, is going after and doxxing family members of the executives. [There is] an example in there of a CEO’s daughter—they had her passport photo, they had all kinds of information about her…I mean, if you attack a school, the students are complete innocents, they couldn’t do anything to protect the information.
But in this case, it’s like targeting an individual with potentially physical violence. And when that’s connected to a CEO, I could very much see that being a much stronger factor in a decision about learning to pay a ransom than most of this other stuff. Every time I’ve talked with victims and had conversations with people involved in incident response for ransomware, it’s usually a careful business calculus that determines whether they decide to pay a ransom or not…But I think threatening the CEO’s daughter goes to a whole other level of, “Actually, I’m just going to pay the ransom, because now, like, it’s potentially impacting my family’s safety, and that’s disturbing.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
There’s also a piece in there that covers the return of abuse as swatting, no different than videogamers have done historically, which again gets into really dangerous territory. When people come to anyone’s house with a gun, especially in the US, there’s a chance for an accident to happen.
What do you think accounts for them being increasingly comfortable with these more extreme tactics?
It looks to me that the enterprises are getting better and better at defending themselves. So, the criminal gangs that are big-game hunters that are going after those enterprises are trying to get these higher and higher ransom amounts, and are willing to deploy bespoke tactics against individual people in order to try to ratchet up that pressure and get the high dollar amounts.
Because if you attack 50 Fortune 500 companies, you’re probably only going to get into one, maybe two—most of them have pretty good security…They’re harder. But if you can win, you get the [million-dollar] ransoms. Whereas on the thick of the mid-market and smaller market, one, it’s too time intensive to use these tactics. You’re getting lots more victims, and you’re not going to bother, because the yields are still pretty high, because their security is quite low…With that many victims to exploit, you’re not going to bother figuring out who their daughter is and stealing a passport photo.