Ransomware groups take extortion tactics to new heights in attacks against hospitals, schools

Ransomware gangs have never been shy about leaking victim data, but experts say a recent wave of extortions targeting especially vulnerable populations in the healthcare and education sectors marks a new low.

On March 4, Russia-based ransomware group BlackCat/ALPHV began releasing photos of topless female breast cancer patients at the Lehigh Valley Health Network after the health network refused to pay a $1.5 million ransom following a ransomware attack in February. Three days later, the Medusa ransomware actors threatened the Minneapolis Public Schools district that it will publish sensitive student information, including records of student sexual assault allegations if the district fails to pay a $1 million ransom.

While the education and healthcare sectors have been regular targets of ransomware attacks, experts say these incidents reflect increasingly aggressive in extortion tactics as well as a more heightened — and crueler — focus on exploiting weak or vulnerable groups as a means of upping the pressure on organizations. Some security experts have speculated these tactics could be linked to organizations becoming less willing to pay.

"We will continue to see more of these aggressive extortion tactics from ransomware gangs as victims refuse to pay. The next evolution can only be more dangerous," said Allan Liska, a ransomware expert at Recorded Future.

As federal agencies putting in new regulations, law enforcement and intelligence agencies taking more proactive steps to disrupt cybercriminal groups and victims perhaps becoming more reluctant to pay, it “has become much harder for ransomware attackers to make money,” said Bryan Cunningham, an attorney and executive director at UC Irvine’s Cybersecurity Policy and Research Institute and Advisor for Theon Technology.

"What we are seeing now [from these aggressive attacks] is hackers' frustration not being able to monetize their original business plan," said Cunningham, also a former White House legal advisor during the Bush administration.   

According to reporting earlier this year from Chainalysis, a company that uses the blockchain to trace cryptocurrency payments to ransomware groups, total funds sent to known ransomware addresses globally fell from $765.5 million in 2021 to $456.8 million in 2022, with evidence suggesting that the huge drop likely represents increased reporting from victims as well as unwillingness on the part of some to pay ransom demands, rather than a decline in the actual number of attacks.

"Since 2019, victim payment rates have fallen from 76% to just 41%," the report noted. "One big factor is that paying ransoms has become legally riskier, especially following an OFAC advisory in September 2021 on the potential for sanctions violations when paying ransoms."

Mistakes and bad PR

While organized ransomware groups like LockBit claim that they have a code of conduct that prohibits them from targeting vulnerable populations or disrupting the operation of hospitals, their affiliates don’t always stick to those rules, added Jon DMaggio, chief security strategist at Analyst1.

It may also not always be clear when a group has infected a school or hospital. Ransomware actors often target specific technologies and vulnerabilities rather than individual sectors and industries. But the granular focus on exploiting cancer patients and investigations around sexual misconduct at school represents a conscious decision to exploit and leverage the pain of those most defenseless.   

There is some evidence showing that when a ransomware affiliate hits a particularly sensitive target, or draw too much media attention, the group’s core operators will overrule them or reverse course. In January when SickKids Hospital in Toronto, Canada was hit with LockBit ransomware and suffered significant disruption to their operations, the group’s leadership issued a formal apology and offered the hospital a free decryptor, blaming the incident on a “partner” who was no longer part of their hacking network.

DiMaggio, who previously worked in U.S. intelligence and has years of experience interacting with ransomware groups, said it’s not naïve to try to play on a group’s basic human decency when they go after a sympathetic target, even if their response is ultimately guided more by public relations than a sense of morality.

"Introducing ethical concerns into the discussion with threat actors during ransomware negotiation can be a smart strategy, especially when dealing with attacks against vulnerable populations. By acknowledging the humanity of those threat actors and appealing to their sense of right and wrong, it may be possible to steer them towards more ethical behavior," said DMaggio.

These groups often pay keen attention to how they are depicted in the media. While all rely on horrific extortion tactics, the tallest nail often gets hammered first and ransomware groups who stick out or become involved in high-profile attacks tend to get more attention from the FBI, intelligence agencies and other government agencies.

Still, some believe there is also promotional value in sticking out with more outrageous tactics. Nic Finn, threat intelligence consultant and ransomware negotiator at GuidePoint Security, said he suspects ransomware groups like BlackCat and Medusa target hospitals and schools with these provocative tactics because they believe targeting well-known public sectors can help them make a name for themselves.

"When the Vice Society gang leaked stolen school data earlier this year, it made its name all over the mainstream media. So, it seems that, at least in the recent case of BlackCat and Medusa, these groups are inspired by Vice Society and believe releasing extremely sensitive data is a way to show their strength and power," said Finn. "This aligns with our experience negotiation with BlackCat - they sometimes will send links of them being featured in the news to scare victims and pressure them to pay the ransom."