Ransomware Operators Targeting Children of Corporate Executives


May 15, 2024


Ransomware operators continue to innovate on the double extortion strategy: where they first exfiltrated data to apply additional pressure on victim organizations to pay a ransom, they are now engaging in "a psychological attack against the victim organization," The Register reports.

"We saw situations where threat actors essentially SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children," said Mandiant's CTO Charles Carmakal.

"Think about the psychological dilemma that the executive goes through – seeing a phone call from the children, picking up the phone and hearing that it's somebody else's voice? Sometimes, it's caller ID spoofing. Other times, we see demonstrated SIM swapping family members."  

Takeaway: Whether it’s threats to expose clinical photographs of breast cancer patients or to leak very intimate details of abuse and mental health status of vulnerable students, data extortion and ransomware groups have shown time and time again that there is no line they will not cross to enrich themselves.

Double extortion is a very common tactic used by ransomware gangs to compel victims to pay a ransom demand.  

Early variations included data exfiltration with the threat to expose or sell the information, threats to notify the victim's customers that their data has been breached, denial of service (DoS) attack threats, threats to inform cyber insurers of infection vector details in order to nullify coverage, and more.

As the tactic proved effective, ransomware operators ramped up the threats to include submitting a U.S. Securities and Exchange Commission (SEC) complaint. More recently, ransomware operators were observed threatening patients whose data had been exposed with swatting, a harassment tactic that involves calling in bomb threats or other false reports to law enforcement to prompt an armed response to the victim's home.

Whatever data these groups can extract, they will weaponize in their extortion schemes, and they will continue to do so until it is no longer profitable.  

The only way this is solved is by building resilient security programs, getting organizations to invest in cybersecurity skills and technologies and collaborating on new regulations that actually have teeth in the fight against cybercrime.

Of the double extortion techniques, exfiltrated data gives the threat actors the most leverage. Preventing sensitive data from being exfiltrated is critical, as the repercussions of the data loss can inflict even more damage on the organization's brand and its ability to compete in the market, as well as spur legal and regulatory action.

The problem is that most organizations are unaware they are the victim of a ransomware attack until the encryption payload and ransom note are delivered, which are the tail-end of the ransomware attack.

Ensuring the organization's data is backed up offsite and segmented from the main network can allow victims to restore systems, but this entails an arduous process of wiping and restoring every single impacted device.

The best defense strategy will always be having an early detection capability to thwart attacks, as well as a comprehensive mitigation and recovery plan should the organization suffer a successful attack.
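One concrete form the early detection capability described above can take is watching for the data-staging and exfiltration phase that precedes encryption: a host that suddenly pushes far more data to external addresses than it normally does. The script below is an example added here, not Halcyon's product or code and not from the original post; the flow-record format, the internal address ranges, the thresholds and the sample flows are all constructed for the illustration. It builds a per-host hourly baseline of outbound bytes to non-internal destinations and alerts when an hour exceeds both a multiple of that baseline and an absolute floor, so a quiet workstation does not alert on a single large email attachment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not from the article): "timestamp host dst_ip bytes_out".
# ws-finance-07 behaves normally for two hours, then pushes ~3.9 GB to one
# external address in the third hour; ws-hr-02 is a quiet control host.
SAMPLE_FLOWS = """\
2024-05-14T00:10:00 ws-finance-07 198.51.100.20 200000
2024-05-14T00:40:00 ws-finance-07 10.0.5.20 9000000
2024-05-14T01:05:00 ws-finance-07 198.51.100.20 180000
2024-05-14T01:50:00 ws-finance-07 198.51.100.20 220000
2024-05-14T02:15:00 ws-finance-07 203.0.113.45 150000
2024-05-14T02:20:00 ws-finance-07 203.0.113.45 1800000000
2024-05-14T02:25:00 ws-finance-07 203.0.113.45 2100000000
2024-05-14T00:20:00 ws-hr-02 198.51.100.20 300000
2024-05-14T01:20:00 ws-hr-02 198.51.100.20 280000
2024-05-14T02:20:00 ws-hr-02 198.51.100.20 310000
"""

# Hypothetical internal ranges: traffic to these (backups, file shares, SIEM) is
# not counted, since exfiltration by definition leaves the network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(dst):
    return any(dst in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, host, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append((ts, host, ip_address(dst), int(nbytes)))
    return flows


def hourly_external_bytes(flows):
    """Sum bytes sent to external destinations per host and per hour bucket."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, host, dst, nbytes in flows:
        if is_internal(dst):
            continue
        hour = ts[:13]  # "YYYY-MM-DDTHH"
        totals[host][hour] += nbytes
    return totals


def find_exfil_spikes(totals, factor=10.0, floor_bytes=50_000_000):
    """Return (host, hour, bytes, baseline) for hours whose external volume exceeds
    factor x the host's own mean of all prior hours and the absolute floor.
    The first observed hour has no baseline and is never flagged."""
    alerts = []
    for host, hours in totals.items():
        history = []
        for hour, nbytes in sorted(hours.items()):
            if history:
                baseline = sum(history) / len(history)
                if nbytes >= floor_bytes and nbytes > factor * baseline:
                    alerts.append((host, hour, nbytes, baseline))
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    totals = hourly_external_bytes(parse_flows(SAMPLE_FLOWS))
    for host, hour, nbytes, baseline in find_exfil_spikes(totals):
        print(f"ALERT {host} {hour}: {nbytes:,} bytes external "
              f"vs baseline {baseline:,.0f}")
```

In a real deployment the baseline would come from days of history rather than the previous hours in one file, and the alert would be enriched with the destination (a single previously unseen external address receiving gigabytes is the classic staging signature) and handed to the response team before the encryption payload lands.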

Unfortunately, EPP/EDR/XDR tools do not do a good job of catching ransomware attacks in progress, which is why we are seeing so many victims daily.

It is highly recommended that organizations run a dedicated anti-ransomware solution alongside those endpoint security tools to ensure they have the best chance at disrupting an attack before data can be exfiltrated or systems encrypted.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.