RSAC Ransomware infections and extortion attacks have become “a psychological attack against the victim organization,” as criminals use increasingly personal and aggressive tactics to force victims to pay up, according to Google-owned Mandiant.

“We saw situations where threat actors essentially SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children,” Charles Carmakal, Mandiant’s CTO, recounted during a Google Security Threat Intelligence Panel at this year’s RSA Conference in San Francisco on Monday.

“Think about the psychological dilemma that the executive goes through – seeing a phone call from the children, picking up the phone and hearing that it’s somebody else’s voice? Sometimes, it’s caller ID spoofing. Other times, we see demonstrated SIM swapping family members.” Either way, it’s horrifying.

Seeing a phone call from the children, picking up the phone, and hearing that it’s somebody else’s voice…

It’s the next step in the evolution of ransomware tactics, which have now moved far beyond simply encrypting victims’ files and even stealing their data. 

Over the past couple of years, we’ve seen attacks that have diverted ambulances, prevented patients from accessing critical medications and services, leaked cancer battlers’ nudes, swatted patients at their homes – and all manner of other vile extortion attempts.

“There are a few threat actors that really have no rules of engagement in terms of how far [they] try to coerce victims,” Carmakal noted, recalling ransomware incidents in which the criminals have directly contacted executives, their family members, and board members at their homes.

The criminals have moved from just staging an attack against a company, its customers and their data, and becomes “more against the people,” he added. 

It changes the calculation involved in deciding whether to pay the extortion demand, Carmakal said. “It’s less about ‘do I need to protect my customers?’ But more about ‘how do I better protect my employees and protect the families of employees?’ That’s a pretty scary shift.” 

Mandiant chief analyst John Hultquist described it as “the transformation from fraud” – as digital crime has evolved from something that was primarily a problem for banks and the retail industry, to a problem that affects all sectors of the economy.

“The people who bought cybercrime threat intelligence [used to be] in the retail space and in financials,” he explained. “A lot of people didn’t care about it.”

Cryptocurrency changed that, because it made it easier to monetize digital crime, Hultquist added. “And that led to this progressive track from disruption to extortion. And then it continues to metastasize and get worse.”

Criminals now have a “very easy” way of accepting victims’ payments, and they are willing to take “any number of options” to force organizations to pay the ransom demand, he said.

This, according to the Google-Mandiant team, becomes especially top-of-mind for hospitals, biotech firms, and other healthcare companies – which are increasingly becoming extortion targets because their IT departments store so much personal information and sensitive health records.

“And it can be an impossible choice,” Mandiant’s head of global intelligence Sandra Joyce added. “If it’s an OFAC or sanctioned country that you’re paying a ransom to, that’s a violation. But if you don’t pay, and there’s a business disruption or personal, private information [is leaked]. It’s the worst day of their career having to deal with something like that.” ®