Evolving Tactics in Ransomware Attacks

Scams

January 11, 2024

Over the years, ransomware operators have used one or more extortion tactics to pressure victims into making ransom payments when initial ransom demands were not met. These tactics include denying access to encrypted files, stealing data, threatening a data breach by releasing the stolen data on public ransomware leak sites, auctioning victim data to other threat actors via the dark web, conducting distributed denial-of-service (DDoS) attacks, double encryption, and data corruption. Threat actors later introduced additional tactics, such as creating a copy of the victim’s website and publishing the stolen data on it, and deploying dual ransomware attacks, with two different variants used against the same victim within a short time of each other. To pressure victims to negotiate, they also added new code to known data theft tools to evade detection, as well as malware containing wiper tools that remained dormant until a specified time and were then executed to corrupt data at alternating intervals. Ransomware operators have also turned to more personal forms of pressure on organizations and people, such as reporting their own attacks to the US Securities and Exchange Commission (SEC) or sending sensitive or personal data about children stolen from school districts to the children’s parents.

As more countries pledge not to pay ransoms, ransomware operators continue to seek out new tactics for a guaranteed payout. For example, threat actors are posing as ethical hackers or security researchers and targeting victim organizations of two ransomware groups, Royal and Akira, which use a double extortion tactic of encrypting systems after stealing data and threatening a data leak. Initial communications begin on instant messaging platforms and contain common phrases, suggesting the same threat actor is behind the extortion attempts. They claim to have access to the data exfiltrated during the past compromises, which they say is still stored on the ransomware group’s servers, and offer to delete it for a payment of up to five Bitcoins.

In a separate tactic, ransomware operators are targeting and compromising healthcare organizations and threatening their patients directly if payment is not made, similar to earlier attacks on IT service providers in which the providers’ customers were pressured. Threat actors accessed and stole patient data from Oklahoma’s Integris Health, after which patients received emails threatening to sell their information on the dark web if the ransom was not paid. Additionally, threat actors compromised the network of Seattle’s Fred Hutchinson Cancer Center, stole medical records, and pressured its patients with swatting, including calling in fake bomb threats or other fraudulent reports. Swatting is a false report of an ongoing emergency or a threat of violence intended to prompt an immediate tactical law enforcement response to a specific location. The threat actors also hope that media coverage of any swatting incidents will pressure the victim organization into paying the ransom.

Swatting may be new as a ransomware extortion tactic, but swatting in general is a growing trend, especially with the recent high-profile hoaxes targeting government buildings and politicians. There have been reports of fake bomb threats against state capitols and courthouses and false reports of shootings at the homes of public officials, including a US District judge overseeing the federal election subversion case against former president Donald Trump. This trend raises public safety concerns for the future, including the upcoming elections.

Recommendation

The NJCCIC recommends that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Remain vigilant, keep systems up to date, apply patches as they become available, enable strong endpoint security, and enforce cyber hygiene. Additionally, implement a defense-in-depth strategy, segment networks, apply the Principle of Least Privilege, enable multi-factor authentication (MFA) where available, encrypt sensitive data at rest and in transit, create and test continuity of operations plans and incident response plans, and establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing restoration regularly.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.