Ransomware Gangs’ New Tactic: Weaponizing Legitimate Entities

[Image: part of a post on the Monti ransomware leak site]

According to Sophos, cybercriminals are continually refining their methods of exerting pressure on victims. Over the past three years, the tactics employed by ransomware operators have undergone significant changes, becoming increasingly sophisticated and perilous.

In 2021, Sophos experts published a list of the top 10 ways ransomware operators intensify pressure on their victims. These included threats to publish stolen data, calls to employees, and notifications to customers and the media about breaches. Three years later, such methods are still in use, but new, more alarming tactics have emerged.

One of the most disturbing trends is the exploitation of legitimate institutions—such as the media, legislative bodies, and law enforcement agencies—as tools of extortion. Criminals are encouraging affected clients and employees to file lawsuits against companies, sometimes even providing contact details of executives to amplify the pressure.

[Image: a screenshot of the Space Bears leak site, asking visitors whether they trust targeted companies with their data]

Another new tactic involves using stolen data to find evidence of illegal activities or non-compliance with regulations. This information is then leveraged for further blackmail and to damage the victims’ reputations. For example, one ransomware group claimed to conduct a “criminal legal assessment” of stolen data to identify violations and use them as leverage.

Particularly noteworthy are instances where attackers seek to discredit their victims by accusing them of unethical or negligent behavior. These actions aim to inflict reputational damage and portray the criminals as “noble avengers” supposedly exposing corruption and wrongdoing.

Some ransomware groups go even further, threatening to release highly sensitive information, including medical records, intimate images, and even personal details of executives’ family members. In one case, criminals published the identification documents of the daughter of a company’s CEO, along with a link to her social media profile.

The threats to release confidential data are often accompanied by intimidation and even direct threats of physical harm. In one case, attackers threatened clients of an oncology clinic with so-called swatting (a false emergency call to law enforcement at the victim’s address), which can lead to severe consequences, including loss of life.

The situation is exacerbated by the fact that many criminals seek to exploit any available legal means to achieve their goals. They not only issue threats but also actively draw attention to instances of regulatory non-compliance to increase pressure on companies and force them to pay the ransom.

Thus, there is an escalation in the tactics of cybercriminals, who are increasingly moving beyond the digital realm and employing real-world threats to achieve their objectives. Unfortunately, the likelihood that such methods will continue to evolve remains high.

To protect against these threats, Sophos experts recommend employing advanced security measures and seeking professional assistance in the event of an attack. Safeguarding data and preserving corporate reputation are becoming priorities for every organization facing these threats.
