With victims refusing to pay, cybercriminal gangs are now releasing
stolen photos of cancer patients and sensitive student records.
20 MARCH 2023 – Last month, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, part of a huge medical network in the U.S. called the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack “involved” a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, “but LVHN refused to pay this criminal enterprise.”
After a couple of weeks, BlackCat threatened to publish data stolen from the system. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.
The medical photos are graphic and intimate, depicting patients’ naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers’ desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay. In a webcast last week, Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware, said:
“As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques. I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim”.
Researchers say that another example of these brutal escalations came just last week when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools (also in the U.S.) in an attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.
“Please note, MPS has not paid a ransom,” the Minnesota school district said in a statement at the beginning of March. The school district enrolls more than 36,000 students, but the data apparently contains records related to students, staff, and parents dating back to 1995.
NOTE TO OUR READERS: Medusa has been hitting all types of entities and institutions in the U.S. again and again and again. Last week, Medusa posted a 50-minute-long video in which attackers appeared to scroll through and review all the data they stole from the Minnesota school, an unusual technique for advertising exactly what information they currently hold. Medusa offers three buttons on its dark-web site: one for anyone to pay $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and have the stolen data deleted, and one to pay $50,000 to extend the ransom deadline by one day.
And, like most enterprise-targeting ransomware operations, Medusa has a data leak site named “Medusa Blog”. This site is used as part of the gang’s double-extortion strategy, where they leak data for victims who refuse to pay a ransom. NOTE: NEVER EVER ACCESS THESE SITES FROM YOUR REGULAR COMPUTER TO SEE WHAT THIS IS ALL ABOUT! We use a series of air-gapped units using Tor and alternatives for browsing anonymously.
Brett Callow, a threat analyst at the antivirus company Emsisoft, also weighed in:
“What’s notable here, I think, is that in the past the gangs have always had to strike a balance between pressuring their victims into paying and not doing such heinous, terrible, evil things that victims don’t want to deal with them. But because targets are not paying as often, the gangs are now pushing harder. It’s bad PR to have a ransomware attack, but not as terrible as it once was – and it’s really bad PR to be seen paying an organization that does terrible, heinous things.”
The public pressure is certainly mounting. In response to the leaked patient photos this week, for example, LVHN said in a statement, “This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior.”
The FBI Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report last week that it received 2,385 reports about ransomware attacks in 2022, totaling $34.3 million in losses. The numbers were down from 3,729 ransomware complaints and $49 million in total losses in 2021. But, the report noted, it has been challenging for the FBI to ascertain the true number of ransomware victims because “we know that many infections go unreported to law enforcement”. Several of the cybersecurity vendors we work with tell us the number is at least triple the FBI figure.
But the report specifically calls out evolving and more aggressive extortion behavior. “In 2022, the IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware,” the FBI wrote. “The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.”
Some cyber analysts say that (in some ways) the change is a positive sign that efforts to combat ransomware are working. If enough organizations have the resources and tools to resist paying ransoms, attackers eventually may not be able to generate the revenue they want and, ideally, would abandon ransomware entirely. But most analysts say that makes this shift toward more aggressive tactics a precarious moment. Emsisoft’s Callow said:
“We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids. I hope that these tactics will bite them in the butt and that companies will say no, we cannot be seen funding an organization that does these heinous things. That’s my hope anyway. Whether they will react that way remains to be seen.”