Ransomware Groups Weaponise Stolen Data To Pressurise Targets Refusing Payment: Sophos

Cybersecurity company Sophos has released a new dark web report that shows how cybercriminals are weaponising stolen data to increase pressure on targets who refuse to pay. This includes sharing the contact details or publicising information about the family members of targeted CEOs and business owners, as well as threatening to report potential illegal business activities uncovered in stolen data to the authorities.

In the report, Sophos shared posts found on the dark web that show how ransomware gangs refer to their targets as “irresponsible and negligent,” and in some cases, encourage individual victims whose personal information was stolen to pursue litigation against their employer.

Threat actors claim to assess stolen data for evidence of illegal activity, regulatory noncompliance and financial discrepancies, which can be used as further leverage and to inflict reputational damage.

Some actors also threaten to notify customers, partners and competitors, with the intent to generate and intensify pressure from multiple angles and sources: media attention, customers, clients, other companies and potentially regulatory bodies.

“Sophos began taking note of ransomware gangs’ propensity to turn the media into a tool they can use to not only increase pressure on their victims but take control of the narrative and shift the blame. We are also seeing gangs singling out the business leaders they deem ‘responsible’ for the ransomware attack at the companies they target,” said Christopher Budd, director, threat research, Sophos.

“In a different post, the attackers encouraged employees to seek ‘compensation’ from their company, and, in other cases, the attackers threatened to notify customers, partners and competitors about data breaches,” Budd said.

Sophos also found multiple posts by ransomware attackers detailing their plans to search for information within stolen data that could be used as leverage if companies don’t pay. In one post, a ransomware actor noted that any stolen data is subject to “a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors.”

In another example, a ransomware group said that it found an employee at a targeted company searching for child sexual abuse material and threatened to go to the police with the information if the company didn’t pay the ransom.

These posts align with a broader trend of criminals seeking to extort companies with increasingly sensitive data relating to employees, clients or patients, including mental health records, medical records of children and even blood test data. In one case, a ransomware group posted the personal data of a CEO’s daughter, as well as a link to her Instagram profile, according to Sophos.

While many ransomware gangs are still using older pressure tactics, there appears to have been an escalation, the report showed. However, it’s not clear whether this is driven by increasing numbers of victims opting not to pay ransoms, competition from other threat actors or ransomware groups feeling increasingly emboldened.

“Ransomware gangs are becoming increasingly invasive and bold about how and what they weaponise. Compounding pressure for companies, they’re not just stealing data and threatening to leak it, but they’re actively analysing it for ways to maximise damage and create new opportunities for extortion,” said Budd.