
When the pandemic-fueled surge in ransomware first began, threat actors largely employed the same tactics. They would encrypt mission-critical files that kept devices working and charge for the decryption key.
But cybersecurity vendors quickly found ways to block these attacks. Now, targets who have access to secure backups can simply restore their systems and ignore hackers’ demands.
But this year we’ve seen cybercriminal groups change their approach once again. Now they’re less interested in encrypting data and more interested in exfiltrating personal data and using image extortion to humiliate and shame victims into paying up.
Healthcare Sector Highly Targeted for Image Extortion
Along with areas such as government and education, the healthcare sector is a particularly valuable target for image extortion. Hackers are increasingly stealing sensitive patient information – including nude images and preoperative or postoperative photos – and threatening to post those images publicly.
In July 2023, one California-based plastic surgeon had to notify patients that some of the most intimate information about themselves was about to be made public. A few months earlier, the BlackCat ransomware gang published naked images of patients stolen from the Lehigh Valley Health Network after the organization refused to pay the gang’s ransom.
Cybercriminal groups understand the pressure that healthcare organizations are under to protect patient data, and the level of trust people place in their providers. By abusing that trust and weaponizing the data, they hope to force their victims to pay to keep sensitive data out of the wrong hands.
Unfortunately, in this scenario you’re negotiating with criminals and there is no way of knowing if a cybercriminal group will keep its word. Once they have access to a victim’s sensitive data, they can continue to extort that person (or the institution entrusted with that data) for years to come.
In the event that hackers do publish sensitive photos online, there is a risk that other people may access and abuse those materials to extort money directly from the victims as well. For patients of healthcare organizations that have been targeted by cybercriminal groups, this kind of data breach can lead to a lifelong cycle of constant extortion.
For Victims, Public Humiliation is Only the Beginning
These attacks highlight the emotional damage that hackers seek to cause when disrupting healthcare operations and extorting patients. Beyond the emotional impact of having deeply intimate photos published online, many patients lose highly sensitive data like their names, addresses, Social Security Numbers, and more, to hackers in the process.
This puts them at severe risk of identity theft. Hackers who are not satisfied with the results of image extortion and publishing sensitive images online can take the additional step of assuming victims’ identities entirely. They may take out loans in the victims’ names, fill out credit applications, and spend money freely – knowing that creditors will eventually catch up to the victims and demand that money back.
This emphasizes the importance of preventing data breaches entirely. Healthcare organizations can’t guarantee that patient data will remain secure even if they decide to accept the extortion demands made by cybercriminal groups. The fact that the data is out there, in the hands of career criminals, practically ensures it will be used one way or another.
What Healthcare Organizations Can Do About Double Extortion
Until recently, defending against encryption-based ransomware was the primary focus for many security leaders in the healthcare industry, but now that cybercriminal groups have evolved to data exfiltration and double extortion attacks, security leaders must adapt again.
Comprehensive backups have proven to be an effective defense against ransomware, but they do not protect against double extortion attacks that include image extortion and the publishing of sensitive data. There are no response or remediation tactics that can guarantee sensitive patient data remains secure after it has been breached.
That means security leaders at healthcare organizations must focus on prevention-based strategies. The best way to protect patient data from extortion attempts is to block hackers from ever gaining access to that data in the first place.
There are several steps security leaders can take to improve their prevention capabilities against this type of threat:
What To Do If Your Organization Is Targeted by a Double Extortion Attack
Trusting cybercriminals to keep their word is a gamble very few security leaders want to take. Cybercriminals have no incentive to prevent sensitive patient data from leaking except for the chance to extort victims again in the future.
As a security leader responsible for keeping that data confidential and secure, you can’t trust that paying the ransom will make a difference. At best, it will delay hackers from monetizing the data they stole in other ways. Eventually they will run out of money and look for new opportunities to abuse that data for their own benefit.
Prevention remains the best approach for navigating this sinister new threat vector. Implementing robust prevention-based policies and securing them with best-in-class technology like BlackFog’s anti data exfiltration solution gives healthcare organizations the most effective defense against extortion tactics that rely on stealing sensitive data and imagery.
Learn more about how BlackFog protects enterprises from the threats posed by ransomware.






