How Ransomware Groups Weaponize Stolen Data

Fraud and Cybercrime Management, Ransomware

Attackers increase pressure on targets that refuse to pay

Christopher Buddha •
September 2, 2024

In the wake of the MGM Resorts hack in September 2023, Sophos X-Ops began analyzing the propensity of ransomware gangs to use the media as a tool not only to pressure their victims but also to hijack the narrative and shift blame.

Ransomware gangs are becoming increasingly invasive and bold in what data they steal and how they use it. As they increase pressure on companies, they are not only stealing data and threatening to leak it, they are actively analyzing it for ways to maximize damage and create new extortion opportunities. This means organizations need to worry not only about corporate espionage, the loss of trade secrets, or illegal activity by employees, but also about how each of these is amplified when combined with a cyberattack.


Gangs have singled out business leaders they consider “responsible” for the ransomware attack on their companies. In one post we found, the attackers published a photo of a business owner wearing devil horns, along with his Social Security number. In another post, the attackers encouraged employees to seek “compensation” from their company, and in other cases the attackers threatened to notify customers, partners, and competitors about the data breach. These actions create a lightning rod for blame, increasing pressure on companies to pay up and potentially worsening the reputational damage caused by the attack.


Sophos also found multiple posts by ransomware attackers detailing their plans to mine stolen data for information that could be used as leverage if companies don’t pay up. In one post, the WereWolves ransomware actor claimed that any stolen data is subject to “criminal law assessment, commercial assessment, and competitor confidentiality assessment.” The Monti ransomware group claimed to have found an employee at a targeted company who was searching for child sexual abuse material and threatened to turn the information over to authorities if the company didn’t pay.


The posts are part of a broader trend of criminals trying to extort money from companies that have sensitive employee, customer or patient information, including mental health records, children’s medical records, “patient sexual issues” and “images of nude patients.” In one case, the Qiulong ransomware group posted the personal information of the CEO’s daughter, as well as a link to her Instagram profile.


Ransomware attackers are no longer simply hacking networks and systems; they are trying to “hack” the public narrative as well. We saw this with the MGM hack and with Cl0p’s MOVEit attacks, when the group tried to “set the record straight” regarding alleged inaccuracies in media coverage of the attacks. For these threat groups, engaging with the press has several benefits: it gives them an ego boost, enhances their notoriety, and makes them a more desirable “employer” for criminals. It has also proven to be an effective method of putting pressure on victims.

It’s likely that we’ll see ransomware groups engage more directly with the press in the future. In our research, we’ve seen groups like Cl0p and Royal use press releases to “rebrand” their operations as “security services.” We’re not sure why; it could be a recruitment tactic or an attempt to improve their public image. Regardless, it shows a concerted effort by these threat groups to shape public perception. It’s important for defenders not to succumb to the attackers’ thirst for attention. We need to focus on the attackers’ tactics, techniques, and procedures in order to build a better defense, rather than on figuring out who was behind the attack.


Read the full report, “Turning the Screw: Ransomware Gangs’ Pressure Tactics,” on Sophos.com.