Cybercriminals weaponising stolen data in attacks

Sophos' threat research team has published a report detailing the tactics used by cybercriminals to increase pressure on their targets by weaponising stolen data. The report sheds light on how these criminals are threatening to expose personal data and illegal activities uncovered during cyberattacks.

According to the report, ransomware groups are sharing contact details or doxing family members of targeted CEOs and business owners. They are also threatening to report any information about illegal business activities found in the stolen data to the authorities.

One notable case involves the Qiulong ransomware group, which reportedly posted personal data of a CEO's daughter along with a link to her Instagram profile. In another instance, the group encouraged compromised employees to seek compensation from their employers. Additionally, there have been cases where an employee at a targeted company was found searching for child sexual abuse material, and the attackers threatened to go to the police unless a ransom was paid.

"In December 2023, in the wake of the MGM casino breach, Sophos began taking note of ransomware gangs' propensity to turn the media into a tool they can use to increase pressure on their victims and shift the blame," said Christopher Budd, director of threat research at Sophos. "We're observing gangs singling out business leaders they deem responsible for the ransomware attack at the companies they target. These efforts create a lightning rod for blame, increasing the pressure on businesses to pay up and exacerbating the reputational damage from an attack."

The report outlines how ransomware attackers are using the dark web to share stolen data and inflammatory posts about their targets. For instance, attackers have published photos of business owners with derogatory edits, such as devil horns, and released their social security numbers. In some cases, ransomware groups have encouraged employees to pursue litigation against their employers, while in others, they have threatened to notify customers, partners, and competitors about the data breaches.

Sophos X-Ops also highlighted the sophisticated methods used by ransomware attackers to find leverage within stolen data. WereWolves ransomware actors mentioned that any stolen data undergoes a criminal legal assessment, a commercial assessment, and an assessment for insider information useful to competitors. In one example, the Monti ransomware group found an employee at a targeted company searching for child sexual abuse material and threatened to report this to the police if the ransom was not paid.

The report identifies a broader trend of cybercriminals seeking to extort companies by exploiting increasingly sensitive data related to employees, clients, or patients. This includes mental health records, children's medical records, information on patients' sexual issues, and images of nude patients.

Budd noted that ransomware gangs are becoming more invasive and creative in their approach to extortion. "They're not just stealing data and threatening to leak it, but they're actively analysing it to maximise damage and create new opportunities for extortion," he said. "This means organisations have to worry about corporate espionage, loss of trade secrets, illegal employee activities, and these issues compounded with cyberattacks."

The Sophos report underscores the evolving nature of ransomware tactics and the increasing boldness of cybercriminals in leveraging personal and sensitive information to coerce victims into paying ransoms.