In February, attackers from the Russia-based BlackCat ransomware group hit a practice in Lackawanna County, Pennsylvania, owned by Lehigh Valley Health Network (LVHN). At the time, LVHN said the attack “involved” a patient imaging system related to oncology radiation therapy. The healthcare group said BlackCat had demanded a ransom, “but LVHN refused to pay this criminal enterprise.”
After a few weeks, BlackCat threatened to release data stolen from the system. “Our blog is being followed by many global media outlets, the case will be widely publicized and cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power upon you!” The attackers then published three screenshots of cancer patients receiving radiation treatment and seven documents containing information about the patients.
The medical photographs are graphic and intimate and depict the bare breasts of patients in various angles and positions. And while hospitals and healthcare facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a change in attackers’ desperation and willingness to go to ruthless lengths as ransomware targets increasingly decline. more to pay.
“As fewer victims pay the ransom, ransomware actors are becoming more aggressive in their extortion techniques,” says Allan Liska, an analyst at security firm Recorded Future who specializes in ransomware. “I think we’ll see more of that. It follows a narrow pattern in kidnapping cases, where when victims’ families refuse to pay, the kidnappers may send an ear or other body part of the victim.”
Researchers say another example of these violent escalations came Tuesday when the emerging Medusa ransomware gang released samples of data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes outlining allegations of sexual assault and the names of a male and two female students involved in the incident.
“Please note, MPS has not paid a ransom,” the Minnesota school district said in a statement in early March. The school district enrolls more than 36,000 students, but the data apparently contains records related to students, staff and parents dating back to 1995. Last week, Medusa released a 50-minute video in which the attackers appeared to browse and review all the data they stole from the school, an unusual technique for advertising the information they currently possess. Medusa offers three buttons on its dark web site, one for anyone to pay $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and delete the stolen data, and one to pay 50,000 dollars to extend the ransom deadline by one day.
“What’s remarkable here, I think, is that in the past gangs have always had to strike a balance between forcing their victims to pay and not doing such heinous, terrible, bad things that the victims don’t want to deal with.” . says Brett Callow, threat analyst at anti-virus company Emsisoft. “But because the targets don’t pay as often, the gangs are now pushing harder. It’s bad PR to get a ransomware attack, but not as bad as it once was—and it’s really bad PR to be seen paying an organization that does terrible, heinous things.”
Public pressure is certainly increasing. In response to the leaked patient photos this week, for example, LVHN said in a statement: “This unconscionable criminal act exploits patients receiving cancer treatment and LVHN condemns this abhorrent behavior.”
The FBI Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report this week that it received 2,385 reports of ransomware attacks in 2022, totaling $34.3 million in losses. The numbers are down from 3,729 ransomware complaints and $49 million in total losses in 2021. “It has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the report notes.
But the report specifically points to evolving and more aggressive extortion behavior. “In 2022, IC3 saw an increase in an additional extortion tactic used to facilitate ransomware,” the FBI wrote. “Threat actors pressure victims to pay by threatening to publish the stolen data if they don’t pay the ransom.”
In some ways, the change is a positive sign that efforts to combat ransomware are paying off. If enough organizations have the resources and tools to resist paying ransoms, attackers may eventually be unable to generate the revenue they want and, ideally, would abandon ransomware altogether. But that makes this shift to more aggressive tactics a precarious time.
“We really haven’t seen anything like this before. The groups did nasty things, but it was adults who were targeted, not sick cancer patients or school children,” says Emsisoft’s Callow. “I hope that these tactics will bite them in the butt and that companies will say no, we can’t be seen funding an organization that does these heinous things. That’s my hope anyway. Whether they will react in this way remains to be seen.”
This story originally appeared on wired.com.