When ransomware gets physical: cybercriminals turn to threats of violence

For years, ransomware has been a crime committed at arm's length. Hackers in one country, victims in another. The only weapon is the hackers' threat to release stolen data, or leave your systems permanently encrypted.

But that's changing.

As a BBC News report describes, a growing number of online extortionists are no longer content with locking up your files and threatening to leak your data. Instead, they are making threats to hurt their victims. Or their families. Or staff who refuse to pay up.

A study last year by identity security firm Semperis found that 40% of ransomware attacks saw criminals threatening physical violence against employees who refused to pay.

In the United States that figure rose to 46%.

A spokesperson for Semperis, which helps organisations negotiate with ransomware attackers, told BBC News that one gang had left a threatening note on his own doorstep while he was working an incident for a US government agency.

In another case, Zac Warren of security firm Tanium described how a ransomware-hit hospital had received phone calls, where callers asked for nurses by name, and then recited their home addresses and social security numbers down the line.

The theory is that hackers themselves are unlikely want to get their own hands dirty in such intimidatory tactics, but instead post on message boards, offer cash, and recruit somebody local to do it for them.

I guess you can call it violence-as-a-service.

And the FBI has been taking note. Last summer it issued an alert about the loose-affiliated cybercriminal network known as "The Com", which is said to have sometimes resorted to violent tactics such as throwing bricks through windows, arson, kidnapping, and even shootings.

Some of the most disturbing instances of cybercrime spilling out into physical violence can be found where cryptocurrency and organised crime intertwine.

Last May, French police rescued the father of a cryptocurrency millionaire who had been kidnapped and held for ransom in a Paris suburb. According to reports the victim had one of his fingers cut off. More than 18 similar attacks against holders of large sums of cryptocurrency holders were reported across Europe last year.

With physical threats seemingly becoming more common than ever before, it's clearly important for defenders to learn some lessons.

Firstly, the personal information held by a company about its staff - such as home addresses and family details - must be considered critically important to protect. If hackers break into your network you are not just facing the threat of customer records and intellectual property being stolen, but also the material which could be used for intimidation.

Secondly, incident response plans must be looked at again. It is one thing to have a plan for restoring your company from backups, but it is quite another to have a plan for what to do when a member of staff takes a phone call from a stranger who knows their home address.