Ransomware Attacks Have Entered a ‘Heinous’ New Phase

In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that’s part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack “involved” a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, “but LVHN refused to pay this criminal enterprise.” 

After a couple of weeks, BlackCat threatened to publish data stolen from the system. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.

The medical photos are graphic and intimate, depicting patients’ naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers’ desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay.

 “As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim.”

Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.

“Please note, MPS has not paid a ransom,” the Minnesota school district said in a statement at the beginning of March. The school district enrolls more than 36,000 students, but the data apparently contains records related to students, staff, and parents dating back to 1995. Last week, Medusa posted a 50-minute-long video in which attackers appeared to scroll through and review all the data they stole from the school, an unusual technique for advertising exactly what information they currently hold. Medusa offers three buttons on its dark-web site, one for anyone to pay $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and have the stolen data deleted, and one to pay $50,000 to extend the ransom deadline by one day.

“What’s notable here, I think, is that in the past the gangs have always had to strike a balance between pressuring their victims into paying and not doing such heinous, terrible, evil things that victims don’t want to deal with them,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But because targets are not paying as often, the gangs are now pushing harder. It’s bad PR to have a ransomware attack, but not as terrible as it once was—and it’s really bad PR to be seen paying an organization that does terrible, heinous things.”