Cybersecurity

Ransomware actors ‘tighten the screws’ with legal and financial pressures

Ransomware has become a more social, less technical affair, according to one IT pro.
Krisanapong Detraphiphat/Getty Images

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

In a December 2023 report, cybersecurity company Sophos pointed to a cybercrime job offer of sorts, titled “Analysis of financial and legal vulnerabilities for negotiations”—an atypical label for a ransomware-specific post, perhaps, given that the cybercrime is often considered a technical affair involving intrusion and encryption.

In the event of negotiation breakdown, applicants would be expected to perform “assessment of developments, research, marketing strategy, prospects, etc. for further sale to competitors.”

If the forum request is to be believed, ransomware actors are testing out a less technical way of adding pressure to an already overwhelmed victim: bringing in finance and legal pros.

“There’s a lot of pressure to make very fast decisions about how to recover the business, and I think this is just them trying to tighten the screws a little bit,” Chester Wisniewski, director and global field CTO at Sophos, told IT Brew.

In its December post, Sophos contributors saw the request as “an attempt to recruit someone to help extort companies into paying a ransom, by finding compromising information which threat actors could use to apply pressure during negotiations.”

Extortion, squared. A threat known as “double extortion” occurs when ransomware actors both encrypt and exfiltrate data, to use the lost data as leverage for ransom.

Network-security company WatchGuard Technologies noticed a “sharp increase” in double extortions from Q2 2023 to Q3: 71.8%.

In the fourth quarter of the year, extortion reached the SEC, as the ALPHV/BlackCat ransomware operation filed a complaint to the commission for one victim’s noncompliance.

Jon Marler, cybersecurity evangelist at cybersecurity and compliance company VikingCloud, views such tattling tactics as self-defeating obstacles to ransomware actors who just want to get paid.

“I see that more used as a threat than actually notifying [the SEC], because it’s just not good for business,” Marler told us.

Cybercriminals, however, like to try out ideas on how to better extort victims into paying, and a forum query asking for financial and legal expertise is one more A/B test, according to Wisniewski. “If they're successful at it, we could expect all kinds of groups to copycat this,” he said.

Job posts like the one Sophos found exemplify a trend he’s seeing: Ransomware actors are requiring expertise that’s less technical and more social.

“They’re not looking for new tools that better help them exploit Active Directory or make encryption 10% faster. They recognize the way to make more money is simply human,” Wisniewski added.
