What’s new in ransomware gang pressure tactics? Not as much as you might think.
It’s hard to believe, but it has really been 17 years since PogoWasRight.org began blogging about breaches, and it’s been 14 years since this spinoff site, DataBreaches.net, opened. Since then, DataBreaches has often reported on criminals’ tactics to secure payment from victims, especially those in the healthcare sector. Thousands of archived posts on DataBreaches.net provide a useful collection of news items and posts to identify and document historical trends.
Some developments really have been novel, such as the use of a double extortion model and the creation of dark web leak sites to try to name and shame victims into paying demands. Other developments or tactics have not been as enduring or effective.
This month, some news sites report that ransomware attacks may be entering a heinous new phase. Are they really, though? Join me for a stroll down an ugly memory lane because what is being discussed as “new” is not really new at all.
Gang Leaks Nude Photos of Patients
The BlackCat ransomware gang recently leaked some nude photos of cancer patients from a healthcare entity in Pennsylvania that wouldn’t pay their ransom demand. The gang has threatened to leak more. But is this really a sign of any new or escalating trend, as suggested in a report on Wired?
BlackCat is certainly not the first gang to use nude photos of patients and threats of more of the same to try to pressure victims into paying a ransom. The tactic never became a trend before, even though earlier criminals were desperate to secure payment from victims.
DataBreaches remembers back in 2016 when thedarkoverlord (TDO) gleefully posted unredacted photos of identifiable patients of a U.S. medical practice who were amputees in various stages post-surgically. Then in 2017, TDO hacked a prominent plastic surgery clinic in the U.K. and sent news outlets graphic photos of genitalia taken from the surgery’s files. But other than a few images publicly leaked by the threat actors more than a year later when a few celebrity patients of the clinic refused to pay them to delete their files, other photos from the massive trove of images were never leaked publicly. TDO would later claim that the clinic had paid something, but it seemed that TDO never got the payment they wanted and yet still didn’t dump the photos.
TDO wasn’t the only criminal gang threatening to dump nude photos of patients or actually leaking them back then. In 2017, DataBreaches also noted a report that personal records and photos of patients from the Grožio Chirurgija plastic surgery clinic in Lithuania were up for sale on the dark web. The criminals reportedly contacted some of the patients to give them the first opportunity to buy or ransom their own pictures and delete them from public availability.
So is what BlackCat did this month by leaking nude pictures of cancer patients and threatening to leak more really anything new? Not at all. And they should not be rewarded for their vile behavior.
Hopefully, though, entities will be concerned enough that this might happen to them that they will lock down their data better and/or get it offline to protect it better. Will the next medical victim be sued for not protecting sensitive images better when plaintiffs can argue that data theft and public data leaking were foreseeable after the BlackCat leak?
Gang Uses .mp4’s to Show Scope of Attack
Another “new” or alleged escalation that is also not new at all involves the Medusa ransomware gang’s use of a 51-minute .mp4 to show the scope of what they were able to access from Minneapolis Public Schools (MPS).
Some news sites quoted a well-known analyst who said he had never seen anything like that .mp4 usage before, but DataBreaches has seen it — and not just once but numerous times since early 2021.
Both the ALTDOS and DESORDEN groups that DataBreaches reported on frequently have used .mp4 files in their proof of claims and to send to news outlets to encourage media coverage. Unlike the Medusa gang, however, ALTDOS and DESORDEN did not upload to Vimeo and their mp4 files generally included an open letter to their victims.
Nothing New Under the Sun
Despite what quotes from some analysts or experts suggest, DataBreaches respectfully disagrees with them and does not see anything really new or any indications of any new trends at this point when it comes to tactics for pressuring victims to pay.
Could or will either of the two tactics discussed in this post become an actual trend? They never have in the past, and if victims continue to refuse to pay ransom despite these tactics, they will likely not become a trend. But if victims cave in and pay, then we might realistically expect to see more adoption of these strategies. Behavioral principles apply to ransomware tactics and strategies. If you don’t want the behavior to continue or escalate, don’t reward it.