Cybercriminal extortionists have adopted a new tactic to apply even more pressure on their corporate victims: contacting the victims’ customers, and asking them to demand that a ransom be paid to protect their own privacy.

At the end of March, Bleeping Computer reported that the Clop ransomware gang had not stopped at threatening hacked companies and contacting journalists, but had taken the additional step of directly emailing victims’ customers whose details had been found in stolen data.

Organisations whose customers and commercial partners have been contacted include a hacked bank, a manufacturer of business jets, and an online maternity clothing store.

Separately, security blogger Brian Krebs reports that a chain of gas convenience stores and a university in the United States have been similarly singled out for such unwanted attention following a ransomware attack.

It appears that similar emails have been sent, encouraging recipients to apply pressure on the organisation that is being extorted to pay up – or personal data will be published.

A typical email reads as follows:

Good day! If you received this letter, you are a customer, buyer, partner or employee of <victim organisation>. The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data. We inform you that information about you will be published on the darknet ( <link> ) if the company does not contact us. Call or write to this store and ask to protect your privacy!!!!

This is just the latest example of how ransomware gangs have raised the pressure on their victims. Initially, ransomware attacks simply locked companies out of their data until a ransom was paid. Then, cybercriminals exfiltrated sensitive data and threatened to release it if their demands were not met. Some ransomware gangs even created websites to publicise their successful hacks, publishing the equivalent of “press releases” about those customers who would not pay up.

In perhaps the most disgusting ransomware attack I have ever read about, one gang stole the private details of confidential psychotherapy sessions at a chain of Finnish therapy clinics, and threatened patients that the details would be released if payment was not made.

It must be hard enough for any organisation to handle a ransomware attack, without also having the headache of your extortionists actively contacting your staff, customers, or partners in an attempt to apply even more pressure on you to pay up.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.