Sophos Rapid Response details top 10 ways ransomware attackers ramp up pressure to pay

Sophos, a global leader in next-generation cyber security, has published an article: “The Top 10 Ways Ransomware Operators Ramp Up the Pressure to Pay,” detailing how ransomware attackers are implementing a wide range of ruthless pressure tactics to persuade victims to pay the ransom. The article is based on evidence and insight from Sophos’ Rapid Response team of 24/7 incident responders who help organisations under active cyber attack. It highlights the shift in ransomware pressure techniques from solely encrypting data to including other pain points, such as harassing employees.

“Since organisations have become better at backing up their data and restoring encrypted files from backups, attackers are supplementing their ransom demands with additional extortion measures that increase the pressure to pay,” said Peter Mackenzie, director, Incident Response at Sophos. “For example, the Sophos Rapid Response team has seen cases where attackers e-mail or phone a victim’s employees, calling them by their name and sharing personal details they’ve stolen – such as any disciplinary actions or passport information – with the aim of scaring them into demanding their employer pays the ransom. This kind of behaviour shows how ransomware has shifted from a purely technical attack targeting systems and data into one that also targets people.”

The article includes a recorded voicemail that a SunCrypt ransomware affiliate left for an employee of a targeted organisation (published with the permission of the affected organisation).

How attackers ramp up the pressure to pay

Below are the top 10 ways attackers are increasing pressure on their ransomware victims to get them to pay the ransom:

1. Stealing data and threatening to publish or auction it online.
2. E-mailing and calling employees, including senior executives, threatening to reveal their personal information.
3. Notifying or threatening to notify business partners, customers, the media and more of the data breach and exfiltration.
4. Silencing victims by warning them not to contact the authorities.
5. Recruiting insiders to help them breach networks.
6. Resetting passwords.
7. Phishing attacks targeting victim e-mail accounts.
8. Deleting online backups and shadow volume copies.
9. Printing physical copies of the ransom note on all connected devices, including point of sale terminals.
10. Launching distributed denial-of-service attacks against the target’s website.

The article explains each tactic in more detail, with examples of ransomware groups that have deployed that tactic. The article also includes advice on what defenders can do to protect their organisation and employees from attacker behaviours and cyber threats in general.

Further information on attacker behaviours, real-world incident reports and advice for security operations professionals is available on Sophos News SecOps.

Tactics, techniques and procedures (TTPs), and more, for different types of ransomware are available on SophosLab Uncut, the home of Sophos’ latest threat intelligence.

Additional resources

• The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team.
• Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News.

About Sophos

Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 500 000 organisations and millions of consumers in more than 150 countries from today’s most advanced cyber threats. Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos delivers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyber attacks. Sophos provides a single integrated cloud-based management console, Sophos Central – the centrepiece of an adaptive cyber security ecosystem that features a centralised data lake that leverages a rich set of open APIs available to customers, partners, developers and other cyber security vendors. Sophos sells its products and services through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.