Sophos Report: Ransomware Gangs Escalate Pressure With Stolen Data

Ransomware gangs are increasingly weaponizing stolen data to coerce companies into paying ransoms, according to a new report from cybersecurity firm Sophos.

The report, titled “Turning the Screws: The Pressure Tactics of Ransomware Gangs,” reveals how attackers are resorting to extreme methods, including threatening to expose personal information about employees and their families, and even reporting uncovered illegal activities to authorities if demands are not met.

Sophos, a global leader in cybersecurity solutions, detailed that ransomware gangs are now using media manipulation and personal attacks on business leaders as a form of psychological pressure.

Christopher Budd, director of threat research at Sophos, explained how these groups turn public perception against companies, blaming them for the attacks.

“We are also seeing gangs singling out the business leaders they deem ‘responsible’ for the ransomware attack at the companies they target. In one post we found, the attackers published a photo of a business owner with devil horns, along with their social security number,” Budd said.

This aggressive tactic has been seen in incidents like the December 2023 MGM casino breach, where attackers used public humiliation as a tool to force companies into paying.

According to the report, ransomware gangs are not only threatening to leak sensitive data but are also actively analyzing stolen information for maximum leverage.

In one case, a gang found an employee searching for child sexual abuse material and used this discovery to further pressure the company into paying the ransom.

Sensitive personal data as leverage

Sophos X-Ops, the company’s threat intelligence unit, uncovered several dark web posts by ransomware groups revealing their disturbing methods.

The Qiulong ransomware group, for instance, posted the personal data of a CEO’s daughter, including a link to her Instagram profile.

The WereWolves group mentioned assessing stolen data for insider information that could be sold to competitors or used for blackmail.

These incidents highlight the increasingly invasive nature of ransomware attacks, with stolen data ranging from medical records to highly sensitive employee information.

“Ransomware gangs are becoming increasingly invasive and bold about how and what they weaponize. They’re actively analyzing stolen data to create new opportunities for extortion,” Budd added.

“Organizations now have to worry about corporate espionage, illegal activities by employees, and the added risk of these issues being combined with cyberattacks.”

Pressure tactics target reputation and relationships

The Sophos report emphasizes how ransomware groups are shifting their focus to erode trust between companies and their clients, employees, or partners.

Attackers threaten to notify customers, partners, and even competitors about data breaches if the ransom is not paid, heightening the reputational damage for businesses.

The groups also encourage individual victims whose personal information was compromised to pursue litigation against their employers, further intensifying pressure.

Ransomware gangs like Monti have gone so far as to threaten legal action, claiming they will report illegal activities uncovered in the stolen data to law enforcement agencies if ransoms remain unpaid.

Monti is just one of many groups utilizing this tactic to create legal troubles for targeted organizations.

The evolving ransomware threat landscape

This report aligns with broader trends in ransomware, where groups are continually refining their extortion methods.

In addition to data theft, attackers are exploiting unpatched vulnerabilities and employing remote encryption tactics to increase their reach.

Sophos’ X-Ops team has been closely monitoring these evolving techniques and warned that the increasing sophistication of ransomware gangs poses new challenges for companies worldwide.

With ransomware groups now focusing on weaponizing the data they steal, organizations must strengthen their cybersecurity defenses.

Sophos recommends robust encryption and timely patching of software vulnerabilities as essential measures to protect against these increasingly aggressive tactics.