
Ransomware groups take extortion tactics to new heights in attacks against hospitals, schools

March 14, 2023 – Published on SC Magazine

Ransomware gangs have never been shy about leaking victim data, but experts say a recent wave of extortions targeting especially vulnerable populations in the healthcare and education sectors marks a new low.

On March 4, Russia-based ransomware group BlackCat/ALPHV began releasing photos of topless female breast cancer patients at the Lehigh Valley Health Network after the health network refused to pay a $1.5 million ransom following a ransomware attack in February. Three days later, the Medusa ransomware actors threatened to publish sensitive student information from the Minneapolis Public Schools district, including records of student sexual assault allegations, if the district fails to pay a $1 million ransom.

There is some evidence that when a ransomware affiliate hits a particularly sensitive target, or draws too much media attention, the group’s core operators will overrule the affiliate or reverse course. In January, when SickKids Hospital in Toronto, Canada was hit with LockBit ransomware and suffered significant disruption to its operations, the group’s leadership issued a formal apology and offered the hospital a free decryptor, blaming the incident on a “partner” who was no longer part of their hacking network.

Still, some believe there is also promotional value in standing out with more outrageous tactics. Nic Finn, threat intelligence consultant and ransomware negotiator at GuidePoint Security, said he suspects ransomware groups like BlackCat and Medusa target hospitals and schools with these provocative tactics because they believe targeting well-known public sectors can help them make a name for themselves.

“When the Vice Society gang leaked stolen school data earlier this year, it made its name all over the mainstream media. So, it seems that, at least in the recent case of BlackCat and Medusa, these groups are inspired by Vice Society and believe releasing extremely sensitive data is a way to show their strength and power,” said Finn. “This aligns with our experience negotiating with BlackCat – they sometimes will send links of them being featured in the news to scare victims and pressure them to pay the ransom.”
