In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that’s part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack “involved” a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, “but LVHN refused to pay this criminal enterprise.”
After a couple of weeks, BlackCat threatened to publish data stolen from the system. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.
The medical photos are graphic and intimate, depicting patients’ naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers’ desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay.
“As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim.”
Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.
“Please note, MPS has not paid a ransom,” the Minnesota school district said in a statement at the beginning of March. The school district enrolls more than 36,000 students, but the data apparently contains records related to students, staff, and parents dating back to 1995. Last week, Medusa posted a 50-minute-long video in which attackers appeared to scroll through and review all the data they stole from the school, an unusual technique for advertising exactly what information they currently hold. Medusa offers three buttons on its dark-web site, one for anyone to pay $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and have the stolen data deleted, and one to pay $50,000 to extend the ransom deadline by one day.
“What’s notable here, I think, is that in the past the gangs have always had to strike a balance between pressuring their victims into paying and not doing such heinous, terrible, evil things that victims don’t want to deal with them,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But because targets are not paying as often, the gangs are now pushing harder. It’s bad PR to have a ransomware attack, but not as terrible as it once was—and it’s really bad PR to be seen paying an organization that does terrible, heinous things.”
The public pressure is certainly mounting. In response to the leaked patient photos this week, for example, LVHN said in a statement, “This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior.”
The FBI Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report this week that it received 2,385 reports about ransomware attacks in 2022, totaling $34.3 million in losses. The numbers were down from 3,729 ransomware complaints and $49 million in total losses in 2021. “It has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the report notes.
But the report specifically calls out evolving and more aggressive extortion behavior. “In 2022, the IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware,” the FBI wrote. “The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.”
In some ways, the change is a positive sign that efforts to combat ransomware are working. If enough organizations have the resources and tools to resist paying ransoms, attackers eventually may not be able to generate the revenue they want and, ideally, would abandon ransomware entirely. But that makes this shift toward more aggressive tactics a precarious moment.
“We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids,” Emsisoft’s Callow says. “I hope that these tactics will bite them in the butt and that companies will say no, we cannot be seen funding an organization that does these heinous things. That’s my hope anyway. Whether they will react that way remains to be seen.”
This story originally appeared on wired.com.