Just when you think bad actors cannot sink any lower, they find a way to. In a recent chilling evolution of ransomware tactics, attackers are now also targeting the families of corporate executives to force compliance and payment.
Mandiant's Chief Technology Officer, Charles Carmakal, highlighted this disturbing trend at RSA last week: criminals engaging in SIM swapping attacks against executives' children.
The attackers then use the children's phone numbers to make threatening calls directly to the executives, creating a highly stressful negotiating environment.
This tactic is a troublesome shift in ransomware "operations": from merely disrupting company operations to directly targeting executives' families. By exploiting personal connections, attackers amplify the psychological impact, forcing executives to make decisions under extreme stress.
Ransomware attacks have mutated over time, in parallel with the strains of the code itself. The landscape keeps changing, with some of the recent tactics including:
- Direct threats to executives and their family members, often at their own homes.
- Disruptive actions against critical services, such as diverting ambulances and accessing sensitive health information.
For organizations in mission-critical industries and sensitive sectors like healthcare, the stakes are higher than ever. These organizations, which handle vast amounts of personal and health-related information, find themselves facing not just operational disruptions but also ethical dilemmas about whether to comply with extortion demands, especially when these involve sanctioned entities.
"And it can be an impossible choice," Mandiant's head of global intelligence Sandra Joyce added. "If it's an OFAC or sanctioned country that you're paying a ransom to, that's a violation. But if you don't pay, and there's a business disruption or personal, private information [is leaked]. It's the worst day of their career having to deal with something like that."
On May 1, 2024, UnitedHealth CEO Andrew Witty told US lawmakers: "As chief executive officer, the decision to pay a [$22 million] ransom was mine," as Witty put it in written testimony [PDF] he delivered to the House Energy and Commerce Committee. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."
Making sure this does not happen to your own org boils down mostly to three things:
- Patch all known software vulnerabilities ASAP
- Step all staff from the mailroom to the boardroom through new-school security awareness training
- Use phishing-resistant MFA
CISA recommends the very same things; see its #StopRansomware advisory of May 10 regarding Black Basta.