In February, attackers from the Russian ransomware group BlackCat attacked a doctor’s office in Lackawanna County, Pennsylvania, which is part of the Lehigh Valley Health Network (LVHN). At the time, the LVHN said the attack “involved” a patient photo system associated with radiation oncology treatment. The health group said that BlackCat demanded a ransom, “but LVHN refused to pay for this criminal enterprise.”
A few weeks later, BlackCat threatened to reveal the stolen system data. “Our blog is being followed by many of the world’s media, the case will receive wide publicity and cause significant damage to your business,” BlackCat wrote on its dark web extortion site. “Your time is running out. We are ready to unleash all our power on you!” The attackers then released three screenshots of cancer patients receiving radiation therapy and seven documents with patient information.
Medical photographs are graphic and intimate, depicting the naked breasts of patients from different angles and positions. And while hospitals and healthcare facilities have long been a favorite target of ransomware groups, the researchers say the situation at LVHN may signal a change in attackers’ desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay.
“As fewer and fewer victims pay ransomware, ransomware attackers are becoming more aggressive in their ransomware methods,” says Allan Liska, analyst at ransomware defense firm Recorded Future. “I think we will see it again. This is very similar to the models of kidnapping cases, where when the families of the victims refuse to pay, the kidnappers can send the victim’s ear or other body part.”
The researchers say another example of this drastic escalation came Tuesday, when a new Medusa ransomware gang released examples of data stolen from Minneapolis public schools in the February attack, along with a “one million dollar” ransom demand. The leaked screenshots include scanned handwritten notes outlining the sexual assault allegations and the names of the student and two female students involved in the incident.
“Please note that MPS did not pay the ransom,” the Minnesota School District said in a statement in early March. The school district has over 36,000 students, but the data appears to contain records pertaining to students, staff, and parents dating back to 1995. Last week, Medusa published a 50-minute video of the attackers going through and reviewing all the data they stole from the school, an unusual technique to announce exactly what information they currently hold. Medusa offers three buttons on its dark website: one for anyone who pays $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and delete the stolen data, and one to pay $50,000 to extend the ransom term for one day.
“What is remarkable here, I think, is that in the past gangs have always had to find a balance between pressuring their victims to pay and not doing such disgusting, horrible and evil things because the victims don’t want to do anything with them,” says Brett Callow, threat analyst at antivirus company Emsisoft. “But because the victims don’t pay as often, the gangs are pushing harder now. A ransomware attack is a misunderstanding, but not as terrible as it used to be – and it is indeed a misunderstanding when an organization is paid to do terrible and hateful things.”
Public pressure is definitely mounting. For example, in response to patient photos leaked this week, the LVHN said in a statement: “This shameless criminal act benefits patients receiving cancer treatment and the LVHN condemns this heinous behavior.”
The FBI Internet Crime Complaint Center (IC3) said this week in its annual Internet Crime Report that it received 2,385 ransomware attack reports in 2022, totaling $34.3 million in losses. Those numbers are down from 3,729 ransomware complaints and $49 million in total losses in 2021. “It was difficult for the FBI to determine the true number of ransomware victims because many infections are not reported to law enforcement,” the report notes.
But the report specifically points to evolving and more aggressive extortion. “In 2022, IC3 recorded an increase in additional ransomware tactics used to spread ransomware,” the FBI wrote. “Threat actors force victims to pay by threatening to reveal stolen data unless they pay a ransom.”
In some ways, this change is a positive sign that anti-ransomware efforts are working. If enough organizations have the resources and tools to resist paying ransoms, attackers may not get the revenue they want and, ideally, will abandon ransomware altogether. But that makes this shift to more aggressive tactics a dangerous moment.
“We have really never seen anything like this before. The groups did nasty things, but the targets were adults, not cancer patients or schoolchildren,” says Emsisoft’s Callow. “I hope this tactic bites their ass and the corporations say no, we can’t be seen funding an organization that does these heinous things. Anyway, this is my hope. Whether they will react in this way remains to be seen.”
This story originally appeared on wired.com.