Ransomware groups

Chris Swagler | April 10th, 2023


More ransomware groups are using increasingly heinous extortion tactics to pressure victims into paying ransom demands. Threat operators from the Russia-linked BlackCat ransomware group targeted a physician office in Lackawanna County, Pennsylvania, which is part of the Lehigh Valley Health Network (LVHN). LVHN stated that the cyberattack involved a patient photo system associated with radiation oncology treatment. According to the healthcare organization, BlackCat demanded a ransom; however, LVHN refused to pay the criminal organization. After a few weeks, BlackCat threatened to reveal the system data it had taken. BlackCat wrote on its dark-web extortion site that the case would be extensively reported and would do significant damage to the company. The threat operators then released three screenshots of cancer patients undergoing radiation treatment and seven documents containing patients’ information. The medical images are intimate and graphic, showing patients’ nude breasts from various angles and positions.

Evil Extortion Tactics By Ransomware Groups

Even though hospitals and healthcare facilities have long been ransomware groups’ favorite targets, researchers believe the scenario at LVHN may signal a shift in threat operators’ desperation and willingness to use ruthless, extreme measures as ransomware targets increasingly refuse to pay. With fewer victims paying, ransomware threat actors are becoming more aggressive in their extortion techniques. As another example of this brutal escalation, researchers point to the emerging ransomware group Medusa, which uploaded sample data seized from Minneapolis Public Schools in a February attack and demanded a $1 million ransom. The leaked screenshots included scans of handwritten notes describing allegations of sexual assault, along with the names of a male student and two female students involved in the incident. The school district has over 36,000 students; however, the data appears to include student, faculty, and parent records dating back to 1995.

Medusa also produced a 50-minute-long video in which threat operators appear to scroll through and evaluate all the data they acquired from the school, an unorthodox method of advertising what information they hold. On its dark-web site, Medusa offers three buttons: anyone can pay $1 million to acquire the stolen school district data, the school district can pay the ransom to have the stolen data deleted, or anyone can pay $50,000 to extend the ransom deadline by a day.

A threat analyst believes that ransomware groups must strike a balance between forcing their victims to pay the ransom and avoiding heinous, terrible, evil tactics that drive victims away from dealing with them at all. Because targets aren’t paying the demands as frequently, groups are pushing harder. A ransomware attack is still bad publicity for a victim, though not as severe as it once was, and it is also bad publicity for a company to pay a ransom to a group that commits terrible, heinous acts. Public pressure is undeniably increasing. LVHN responded to the leaked patient photos by issuing a statement that this criminal conduct takes advantage of patients receiving cancer treatment and condemning the despicable behavior.

In its annual Internet Crime Report, the FBI Internet Crime Complaint Center (IC3) stated that it received 2,385 ransomware attack reports totaling $34.3 million in losses in 2022. In 2021, there were 3,729 ransomware complaints totaling $49 million in losses. It has been difficult for the FBI to determine the exact number of ransomware victims, since numerous infections go unreported to law enforcement.

The report, however, clearly describes evolving and more aggressive extortion tactics. The FBI stated that in 2022 the IC3 witnessed a surge in an additional extortion method used alongside ransomware: threat actors pressure victims to pay by threatening to publish stolen data if they refuse. This development is a sign that efforts to fight ransomware groups are working.

If companies have the resources and tools to resist paying ransoms, threat operators may eventually be unable to obtain the money they want and will abandon ransomware entirely. However, the shift towards more aggressive methods comes with risks. Ransomware groups have committed heinous acts before, but they previously targeted adults, not sick cancer patients or school kids. People are hoping that these tactics will backfire on the ransomware groups and that companies will refuse to pay groups that commit such heinous acts.

With new and established ransomware groups using ever more despicable tactics to extract ransom payments, it’s important for companies to remain alert to the current threat landscape and to regularly keep offline backups of their data and networks. At SpearTip, our certified engineers work 24/7/365 at our Security Operations Center, continuously monitoring companies’ networks for potential ransomware attacks and standing ready to respond to incidents at a moment’s notice. Our remediation team works to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets.

ShadowSpear Platform, our managed detection and response tool, allows our engineers to detect sophisticated unknown and advanced ransomware groups using comprehensive insights through unparalleled data normalization. Our detailed Pre-Breach Assessment extends beyond simple compliance and audit checks; we examine your entire security posture in a comprehensive process. We utilize the latest tactics, techniques, and procedures to provide a comprehensive evaluation of your internal and external security posture and assist in navigating the remediation roadmap.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
