Jun 26, 2024

Hackers Grow More Sinister and Brazen in Hunt for Bigger Ransoms

Jeff Stone and Charles Gorrivan, Bloomberg News

<p>Customers view used Ford vehicles at a dealership in Colma, California, US, on Friday, June 21, 2024. CDK Global, a software provider to some 15,000 car dealers, has suffered cyberattacks that have knocked out service at many dealerships.</p>

Customers view used Ford vehicles at a dealership in Colma, California, US, on Friday, June 21, 2024. CDK Global, a software provider to some 15,000 car dealers, has suffered cyberattacks that have knocked out service at many dealerships.

, Bloomberg

(Bloomberg) -- A hack on a London hospital has left hundreds of millions of health records exposed and forced doctors to reschedule life-altering cancer treatments. In North America, a gang tried auctioning off data about LendingTree Inc. customers after finding credentials in another breach. And in the recent compromise of car-dealership software provider CDK Global, hackers took the brazen approach of attacking not just once, but twice.

These recent high-profile incidents show how cybercrime crews are increasingly turning to more sinister techniques to try to bend major companies to their will, abetted by new technology.

“They’re becoming more aggressive in the ways they try to make money,” said Kevin Mandia, co-founder of Ballistic Ventures and the former chief executive officer of Google’s threat intelligence firm Mandiant. “It’s trying to create more pain so they get paid more, or they cause more disruption.”

The one-two punch approach used in the CDK incident indeed delivered a blow to its customers: Auto dealerships throughout the US were slowed for days. If a ransomware victim isn’t quick to pay an extortion fee, the logic goes, a second hit could be crippling enough to blackmail them into paying up.

Tactics like leaking sensitive records and double-hacks aren’t completely new, but have become more common and represent an evolution from traditional ransomware attacks, when scammers simply would encrypt data, demand a payment and then move to the next victim.

These days, when hackers ask for money, they’re sometimes refusing to negotiate ransom demands, according to one expert not authorized to speak about the matter, and they are insisting on extraordinary sums. The Russian-speaking hackers in the London hospital attack demanded $50 million. UnitedHealth Group Inc. made a $22 million payment to a cybercrime group after a February hack on the insurance giant’s subsidiary Change Healthcare.

Those kinds of demands point to hackers putting significantly more pressure on victims. The average ransom payment was $381,980 in the first quarter of this year, according to the incident response firm Coveware.

Another reason hackers are growing more demanding: They're getting smarter about picking their targets, homing in more often on victims whose systems are critical to entire supply chains. The so-called ransomware-as-a-service model has made this strategy easier. A core hacking group will develop and lend its malware to other scammers, known as affiliates, in exchange for a cut of their ransom proceeds.

This is a favorite technique of the group known as BlackCat, according to the blockchain analysis firm Chainalysis Inc. That’s one reason known ransomware payments exceeded $1 billion in 2023, a new record, Chainalysis determined.

Harassing Researchers

Hackers have also started to harass the researchers who investigate them.

One especially ruthless group is generating fake nude photos of them with artificial intelligence, said Austin Larsen, a senior threat analyst at Mandiant, a unit of Google Cloud. Similar groups have been alerting police to false emergencies at researchers’ addresses and publishing private information about them online, he added.

Recently, Larsen said his colleagues have taken what was for them an unprecedented step of removing their names from research reports they have written about some of the nastiest gangs.

Some extortionists make phone calls to executives who work at victimized organizations to try coaxing them into paying a fee. In other cases, attackers have called executives by spoofing the numbers of their children, said Charles Carmakal, chief technology officer at Google’s Mandiant.

“As these tactics get bigger and more aggressive, they’re going to be more disruptive to people’s ordinary lives,” said Allan Liska, an analyst at Recorded Future Inc., who compared the extortion methods to real-world violence like the kind in mafia movies.

“If you send somebody a finger, they’re more likely to pay a ransom,” he said. “This is the equivalent of that.”

Health-Sector Attacks

The attacks in the health sector show that some of hackers’ increased brazenness is apparent in the types of targets they’ve put in their sights.

Hospitals in London for weeks have struggled to overcome a hack that forced doctors to turn away patients. Seeking to further maximize their leverage, the gang behind the breach threatened to publish data stolen in the incident, ultimately making good on that promise.

In the Change Healthcare hack, thieves from the BlackCat cybercrime group caused outages and delayed payments at pharmacies and health-care organizations for weeks. Even after UnitedHealth made a payment to BlackCat, it had little visibility into whether patient data was safe.

A 2022 attack on Medibank, one of the largest health insurers in Australia, represented a transformative moment in digital crime tactics, said Carmakal of Mandiant. In that case, scammers demanded roughly $15 million in exchange for not going public with patients’ most sensitive health records. When Medibank declined to pay, extortionists leaked information about Australians who had undergone abortion procedures, and hackers called patients in hospitals in a coordinated harassment campaign.

Cybercrime campaigns have continued despite more action from international law enforcement. The problem is that hackers often work from countries that protect them from extradition to the West, Liska said. “They don’t fear retaliation,” he said.

US President Joe Biden has vowed to take on ransomware, and the Department of Justice has created its own ransomware task force to tackle such aggressive attackers. That effort has led to more arrests, Liska said, but not enough to keep pace with the proliferation of new groups.

That’s in part because it has become easier to conduct such campaigns. Hackers can find pre-made ransomware kits on the internet, paying as little as $10,000 to attack US companies, according to Liska.

“Go mow the lawn for the summer and you'll make enough money to start your first attack,” Liska said.