
In February, raiders from the Russia-based BlackCat ransomware group attacked a physician’s practice in Lackawanna County, Pennsylvania, which is part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said the attack “involved” a patient photo system related to radiation oncology treatments. The healthcare organization said BlackCat had issued a ransom demand, “but LVHN has refused to pay the criminal enterprise.”
A few weeks later, BlackCat threatened to release the data stolen from the system. “Our blog is followed by many world media outlets and this case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on its darknet extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then posted three screenshots of cancer patients undergoing radiation therapy and seven documents containing patient information.
Vivid and intimate, these medical photographs depict patients’ bare breasts in a variety of angles and positions. While hospitals and healthcare facilities have long been favorite targets of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers’ desperation and willingness to escalate, as ransomware targets increasingly refuse to pay.
“As fewer victims pay the ransom, ransomware actors are becoming more aggressive in their extortion techniques,” said Allan Liska, an analyst at Recorded Future, a security firm that specializes in ransomware. “I think we’ll see more. It’s very similar to the pattern in kidnapping cases, where the kidnapper might give away the victim’s ear or other body parts when the victim’s family refuses to pay.”
Another example of these brutal escalations occurred on Tuesday, when emerging ransomware gang Medusa released data samples stolen from Minneapolis Public Schools in an attack in February and demanded $1 million in ransom, researchers said. The leaked screenshots include scans of handwritten notes describing allegations of sexual assault, as well as the names of a male student and two female students involved in the incident.
“Please note that MPS did not pay the ransom,” the Minnesota school district said in a statement in early March. The district enrolls more than 36,000 students, but the data apparently includes records dating back to 1995 related to students, staff and parents. This week, Medusa released a 50-minute-long video in which the attackers appear to scroll through and view all the data they stole from the school, an unusual technique that advertises exactly what information they currently hold. Medusa offers three buttons on its dark web site: one for anyone to pay $1 million for the stolen MPS data, one for the school district to pay the ransom itself and have the stolen data deleted, and one to pay $50,000 to extend the ransom deadline by one day.
“What’s notable here, I think, is that in the past, gangs always had to strike a balance between forcing their victims to pay and not doing such heinous, horrible, evil things that the victims didn’t want to deal with them,” said Brett Callow, a threat analyst at the antivirus firm Emsisoft. “But the gangs are trying harder now because the targets don’t pay as much. It’s bad PR to have a ransomware attack happen, but it’s not as scary as it used to be — and seeing payments to an organization that does horrible, heinous things is a big deal. Really bad PR.”