Sophos Dark Web Report

Andrea Gillhuber

Cyber criminals use sensitive employee data as leverage

Ransomware groups use information from stolen data to force companies to pay. This also includes using sensitive employee data to put the company under pressure. This is shown in the latest Sophos X-Ops Report.

Sophos has published the new dark web report "Turning the Screws: The Pressure Tactics of Ransomware Gangs". It describes in detail how cybercriminals use stolen data as a means of increasing the pressure on unwilling targets. The means of pressure include passing on contact details, publishing information about family members of CEOs and business owners or threatening to report information about illegal business activities uncovered in stolen data to the authorities. The Sophos X-Ops report also shows that ransomware gangs call their targets "irresponsible and negligent" and urge individual victims whose personal information has been stolen to file a lawsuit against their employer.

"In December 2023, in the wake of the MGM Casino Breach, Sophos noted a tendency for ransomware groups to try to instrumentalize the media as one of their tools. In this way, the cybercriminals can not only increase the pressure on their victims, but also take control of the story and shift the blame. Security specialists have also observed that the gangs are targeting the managers of the companies they hold responsible for the ransomware attack. In one post, the attackers published a photo of a business owner with devil horns along with his social security number. In another post, the attackers urged employees to demand 'compensation' from their company, and in other cases, the attackers threatened to inform customers, partners and competitors about data breaches. This approach creates a kind of lightning rod for blame, increases the pressure on companies to pay ransoms and potentially exacerbates the reputational damage caused by an attack," says Christopher Budd, Director Threat Research at Sophos.

Sensitive employee data used for blackmail

Sophos X-Ops has also found several posts from ransomware attackers describing their plans to search for information in stolen data to use as leverage if companies don't pay up. In one post, for example, ransomware actor WereWolves points out that all stolen data will be subject to "criminal, commercial and insider information assessment for competitors". In another example, the ransomware group Monti found that an employee of a target company was looking for child sexual abuse material and threatened to go to the police with the information if the company did not pay the ransom.

These messages reflect the general trend in which criminals are increasingly trying to blackmail companies with sensitive data about employees, customers or patients - for example, psychiatric data, children's medical data, information about patients' sexual problems or pictures of naked patients. In one ransomware case, the Qiulong ransomware group posted the personal data of a CEO's daughter and a link to her Instagram profile.

"Ransomware gangs are becoming more and more invasive and brazen in how and what they use as a weapon. To increase the pressure on companies, they are not only stealing data and threatening to pass it on. They also intensively analyze the data and information to maximize the damage and create new opportunities for blackmail. This means that companies not only have to worry about corporate espionage, the loss of trade secrets or illegal activities by employees, but also about such problems in connection with cyberattacks," says Budd.
