Double Extortion: Ransomware Operators Threaten Patients with Swatting


January 9, 2024

World map

Ransomware operators and data extortionists are threatening patients whose data has been exposed in an attack with swatting. Swatting is a harassment tactic that involves calling in bomb threats or other false threats to law enforcement to prompt an armed response to the victim's home.  

“The idea being, it seems, that those patients and the media coverage from any swatting will put pressure on the US hospital to pay up and end the extortion. Other crews do similar when attacking IT service provider: they don't just extort the suppliers, they also threaten or further extort customers of those providers,” The Register reports.

"Fred Hutchinson Cancer Center was aware of cyber criminals issuing swatting threats and immediately notified the FBI and Seattle police, who notified the local police, The FBI, as part of its investigation into the cybersecurity incident, also investigated these threats."

Takeaway: Today's more complex ransomware and data extortion operations are multi-staged attacks where the threat actors are looking to infiltrate as much of the targeted network as possible while exfiltrating sensitive data along the way to be used as leverage.  

Double extortion is a very common strategy used by most ransomware gangs today to compel victims to pay a ransom demand. They use the tactic to put more pressure on the victim to pay the ransom demand. In some cases, the attackers will demand an additional payment for the stolen data in addition to the initial ransom.

Early variations included data exfiltration with the threat to expose or sell the information, threats to notify the victim’s customers data has been breached, denial of service (DoS) attack threats, threats to inform a victim organization’s customers of the breach, and more.

As the tactic was deemed effective, ransomware operators ramped up the threats to include submitting a U.S. Securities and Exchange Commission (SEC) complaint, the exposure of clinical photographs of breast cancer patients, and even threats to leak very intimate details of abuse and mental health status of vulnerable students.

Data extortion and ransomware groups continue to demonstrate time and time again that there is no line they will not cross to enrich themselves. Organizations are at risk of double extortion if they cannot detect the earliest stages of ingress, lateral movement on the network, credential theft, privilege escalation and data exfiltration.

Exfiltrated data gives the threat actors the most leverage of double extortion techniques. Preventing sensitive data from being exfiltrated is critical, as the repercussions from the data loss can inflict even more damage on the organization's brand, ability to compete in the market, as well as spur legal and regulatory actions.  

Unfortunately, most organizations are unaware they are the victim of a ransomware attack until the encryption payload and ransom note are delivered, which are the tail-end of the larger ransomware operation.

Assuring the organization's data is backed up offsite and segmented from the main network can allow victims to restore systems, but this entails an arduous process of wiping and restoring every single impacted device.  

The best defense strategy will always be having an early detection capability to thwart attacks, as well as a comprehensive mitigation and recovery plan should the organization suffer a successful attack.  

Unfortunately, EPP/EDR/XDR do not do a good at catching ransomware attacks in progress, which is why we are seeing so many victims daily.  

It is highly recommended that organizations run a dedicated anti-ransomware solution alongside those endpoint security tools to ensure they have the best chance at disrupting an attack before data can be exfiltrated or systems encrypted. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.