Stolen Nude Photos & Hacked Defibrillators: Is This The Future Of Ransomware?

The destructive potential of ransomware, the malicious software that is used to extort money from victims, is huge: in the first half of 2017, two major outbreaks, WannaCry and NotPetya, led to service outages from organisations around the world.

A third of the UK’s National Health Service was hit by WannaCry, and the outbreak was estimated by risk modelling firm Cyence to have cost up to $4bn in lost revenues and mitigation expenses.

Then, a month later, NotPetya (so-called because it is not Petya, another type of ransomware with which it was initially mistaken), brought down a significant chunk of the Ukrainian government, pharmaceutical company Merck, shipping firm Maersk, and the advertising agency WPP, as well as the radiation monitoring system at Chernobyl.

But while both outbreaks wrought huge costs on the organisations they infected, they were surprisingly unrewarding for their creators.

The WannaCry payment address has taken just $149,545 (£113,814) to date, while the NotPetya address took much less: £8,456 ($11,181).

The problem the criminals face, says Marcin Kleczynski, the chief executive of information security firm Malwarebytes, is that “people have become desensitised to common ransomware, where it just encrypts your files”.

The criminals hope that people will face the loss of their digital memories, or critical business documents, and pay a few hundred dollars for the key to decrypt them. In practice, says Kleczynski, a growing number of victims simply shrug their shoulders and restore from a backup.

“You look at the bitcoin addresses, they’re not well funded. You see a couple of thousand dollars at best,” he adds. “So how does the criminal step up his or her game?”

Kleczynski, and his colleague, Adam Kujawa, who directs research at Malwarebytes, predict that criminals will evolve new ways of encouraging victims, both corporate and individual, to pay up rather than simply restoring from backups and ignoring the payment request.

New on the scene is a form of ransomware known as “doxware”. “Basically what it says is ‘pay, or we’ll take all the stuff we encrypted and we’ll put it online with your name on it’,” says Kujawa.

The name comes from “doxing”, the term for publishing private information on the Internet to bully, threaten or intimidate, and the idea of automating it isn’t hypothetical.

A number of similar attacks have already occurred in the wild. At one end of the spectrum was the Chimera ransomware, which hit German companies in 2015. The malware encrypted files and asked for around £200 ($260) to return them, but also came with the warning that if victims did not pay up, “we will publish your personal data, photos and videos and your name on the internet”.

Chimera, however, didn’t actually have the capability to publish anything online – the warning was bluster, designed to scare victims into paying up. But in other cases, the threat of publishing data is very real.

In May, hackers stole files from a Lithuanian plastic surgery clinic, containing highly personal information about 25,000 former clients: names, addresses and procedures performed, as well as passport scans, national insurance numbers and nude photos of patients.

They put the database online through the encrypted network Tor, and asked for payments from individual patients to remove their personal information from the site. Prices started at €50 for those patients who just had names and addresses in the site, but rose to €2,000 for the more invasive information stolen.

Recently, HBO faced its own threat, with 1.5TB of video stolen by hackers, including unaired episodes of Game of Thrones, and being held to ransom.
 
But currently, the hack-and-leakers are working on a manual, boutique basis: picking their targets where they can find them, and doing the hard work of monetising the attack manually.

There’s no reason, however, why the same technique can’t be loaded in to a similar piece of software to WannaCry and NotPetya – a so-called “ransomworm”, which jumps from computer to computer automatically, encrypting information as it goes.

With WannaCry, Kleczynski said, the propagation side of the malware was a “cruise missile” – but the actual payload was a rubber bullet. The malware used an exploit stolen from the NSA by a mysterious hacker organisation calling itself the Shadow Brokers, which allowed it to jump between Windows machines with abandon.

A fix for the exploit had only been released a couple of months earlier, and many hadn’t installed it at all, allowing the malware to spread rapidly.

But when it did arrive on computers, it was nowhere near as bad as it could have been. WannaCry was shoddily put together, with a decryption key which was poorly hidden in the computer (allowing some affected machines to be decrypted for free if they hadn’t been restarted), a kill switch, rapidly discovered by a British researcher, that stopped it in its tracks. And even the worst-hit machines could be fixed from backups.

One line of thinking with both WannaCry and NotPetya says the failures to successfully monetise the outbreaks was deliberate.

Security experts have suggested that both malware variants may be the work of state-sponsored actors, WannaCry to N. Korea, according to GCHQ and the NSA, and NotPetya to Russia, according to Ukraine – and there is a possibility that the intention wasn’t to raise money at all, but to provide plausible deniability for simply damaging as many computers as possible.

Both North Korea and Russia have also been linked to hack-and-leak attacks, North Korea is believed to be behind the 2014 hack of Sony Pictures, while Russian actors are linked with the hacks on the Democratic Party during the US General Election. Those attacks show the potential effectiveness of a wider doxware outbreak.

A ransomworm anywhere near the scale of WannaCry that dumped information online would be one of the greatest privacy breaches in history, or one of the greatest moneymaking opportunities ever found through cybercrime. But this is just one potential future for ransomware.

“Imagine somebody that has a botnet,” says Kleczynski, referring to a collection of compromised computers, such as the Mirai botnet made out of millions of hacked Internet of Things devices. “[Imagine them] being able to point it at, say, the British airways ticketing system.”

A so-called distributed denial of service attack, literally overloading the site with traffic from hacked devices, is very difficult to guard against, and as long as it went on it would cost the target millions of dollars a day. “You aren’t holding files hostage, you’re holding uptime hostage. There’s no restoring from backup there.”

Instead of holding uptime hostage, what about drive-time? “Ransomware on your car is definitely possible,” said Craig Smith, research director of transportation at Rapid7. “It’s way easier to secure a car, but it isn’t too hard to put up a ransom screen. And who’s going to risk driving a compromised vehicle?”

Maybe that’s not science fiction enough. In December, an investigation of 10 implantable cardiac defibrillators found “serious protocol and implementation weaknesses”, allowing an attacker to trick the device into keeping its communication channels open until the battery is flat. Holding a heart hostage? You wouldn’t want to try and restore that from a backup.

Guardian

You Might Also Read:

Cyber Wae Takes a New Turn:

The Stage IsSet For Cyber War:

 

« 71% Of SMEs Unprepared For Cyber Risks
The Stage Is Set For Cyber War »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

RioRey

RioRey

The DDoS mitigation specialist, from single server to Enterprise wide carrier level networks the RioRey Solution provides effective immediate and easy to manage protection.

Perkins Coie LLP

Perkins Coie LLP

Perkins Coie LLP is an internationalk law firm with offices across the USA and Asia. Practice areas include Privacy and Data Security.

DoSarrest Internet Security Ltd

DoSarrest Internet Security Ltd

DOSarrest is a fully managed security firm specializing in cloud based DDoS protection services to a worldwide client base.

CERT-SE

CERT-SE

CERT-SE is the national and governmental Computer Security Incident Response Team of Sweden.

Euro-Recycling

Euro-Recycling

Euro-Recycling is a leading UK provider of Secure On-Site Data Media Destruction Services.

Guardian Data Destruction

Guardian Data Destruction

Guardian Data Destruction provides a comprehensive suite of onsite e-data destruction services.

Cube 5

Cube 5

The Cube 5 incubator, located at the Horst Görtz Institute for IT Security (HGI), supports IT security startups and people interested in starting a business in IT security.

Red River

Red River

Red River is a technology transformation company, bringing 25 years of experience and mission-critical expertise in analytics, cloud, collaboration, mobility, networking and security solutions.

Vigilant Technology Solutions

Vigilant Technology Solutions

Vigilant is a global cyber security technology company offering solutions to manage entire IT & cyber security lifecycles.

usecure

usecure

usecure is a global provider of computer-based cyber security awareness training, offering the market’s most time-efficient, cost-effective and admin-lite solution for reducing insider threats.

Quantum Armor

Quantum Armor

Quantum Armor is a next-gen cyber security monitoring platform that allows you to continuously stay aware of your security posture, and proactively spot trends, vulnerabilities and potential attacks.

Reliance Cyber

Reliance Cyber

Reliance Cyber (formerly Reliance ACSN) help to monitor and manage your organisation’s security infrastructure 24/7, so you can make sure all threats and issues are dealt with.

StickmanCyber

StickmanCyber

At StickmanCyber we are on a mission to create a digital world that is safe for everyone - we are your trusted cybersecurity partner.

Fireblocks

Fireblocks

Fireblocks is a digital asset security platform that helps financial institutions protect digital assets from theft or hackers.

Seers

Seers

Seers is the world’s leading privacy & consent management platform for companies worldwide. Trusted by over 50,000+ businesses.

HardTarget

HardTarget

HardTarget is a cutting-edge cyber training company serving HWN (High-Net-Worth) Families and their trusted Advisors.