
Ransomware extortion tactics just got personal!

Ransomware attacks have evolved into "a psychological assault on the victim organisation," with cybercriminals employing more personal and aggressive strategies to coerce victims into paying, according to Mandiant, a firm owned by Google.

At the Google Security Threat Intelligence Panel at this year's RSA Conference in San Francisco (6th-9th May), Mandiant's CTO, Charles Carmakal, shared examples where threat actors went as far as swapping the SIM cards of executives' children's phones and making calls to the executives using their children's phone numbers.

Consider the mental turmoil experienced by the executive in such a situation – receiving a call from their children, answering the phone, and hearing a stranger's voice on the other end.

Sometimes this involves caller ID spoofing, while in other cases there were instances of SIM swapping within the family. SIM swapping is the process of engaging a telecommunications provider, coercing the PAC code from them, and transferring the phone number to another, threat-actor-controlled network.

The evolution of ransomware tactics has reached a critical stage, surpassing the mere encryption of victims' files and data theft. In recent years, attacks have been reported that go beyond imagination: diverting ambulances, obstructing patients from accessing vital medications and services, exposing intimate photos of cancer fighters, and even targeting patients at their own homes through swatting incidents.

These despicable and often aggressive acts of extortion demonstrate that certain threat actors have no boundaries when it comes to coercing their victims. They have gone beyond targeting companies and their data, and have now shifted their focus towards harming individuals, physically or psychologically.

This shift in approach has changed the dynamics of deciding whether to pay the ransom. It is no longer solely about protecting customers, but also about safeguarding employees and their families.

John Hultquist, the chief analyst at Mandiant, characterised the evolution of digital crime as a shift from fraud. Initially, cybercrime threat intelligence was primarily a concern for banks and the retail industry, with many people not paying much attention to it. However, the emergence of cryptocurrency changed the landscape by making it easier for criminals to profit from digital crime.

This led to a progression from disruption to extortion, and the problem continues to worsen. Criminals now have various options to accept ransom payments, and they are willing to employ any means necessary to force organisations to comply.

These new tactics of extortion are particularly concerning for hospitals, biotech firms, and other healthcare companies, as they store a significant amount of personal and sensitive health information.

However, any other organisations in possession of potentially sensitive data, particularly that which may cause distress to the public, could well be an attractive target to threat actors.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
