Extortionists are now threatening to swat hospital patients — calling in bomb threats or other bogus reports to the police so heavily armed cops show up at victims' homes — if the medical centers don't pay the crooks' ransom demands.
After intruders broke into Seattle's Fred Hutchinson Cancer Center's IT network in November and stole medical records – everything from Social Security numbers to diagnoses and lab results – miscreants threatened to turn on the patients themselves directly.
The idea being, it seems, that those patients and the media coverage from any swatting will put pressure on the US hospital to pay up and end the extortion. Other crews do similar when attacking IT service provider: they don't just extort the suppliers, they also threaten or further extort customers of those providers.
"Fred Hutchinson Cancer Center was aware of cyber criminals issuing swatting threats and immediately notified the FBI and Seattle police, who notified the local police," a spokesperson told The Register today. "The FBI, as part of its investigation into the cybersecurity incident, also investigated these threats."
The cancer center, which operates more than 10 clinics in Washington's Puget Sound region, declined to answer additional comments about the threats.
Another health network in Oklahoma — Integris Health, which operates a network of 15 hospitals and 43 clinics — last month notified patients about a similar "cyber event" in which criminals may have accessed personal data. Shortly after, some of these patients reported receiving emails from miscreants threatening to sell their information on the dark web.
"As we work with third-party specialists to investigate this matter and determine the scope of affected data and to whom that data relates, we are providing the latest information for patients and the public here," a spokesperson for Integris told The Register.
"As we confirm affected individuals, we are reaching out to them to provide notification and support, including 24 months of access to free credit monitoring and identity protection services. As our investigation into this matter is ongoing, we are unable to provide additional information at this time."
These kind of boilerplate responses may not be as reassuring as some corporate types think. This latest swatting threat raises worrying questions as to how far criminals are willing to go in their pursuit of loot.
"Ransoms have been allowed to reach lottery jackpot levels, and the predictable upshot is that people are willing to use more and more extreme measures to collect a payout," Emsisoft threat analyst Brett Callow told The Register.
Earlier this week, the security shop called for a complete ban on ransom payments, noting that extortion tactics were becoming more extreme and now include swatting threats.
"Unfortunately, I think it's only a matter of time before cybercriminals start to use real-world violence to support cyber-extortion," Callow said. "Assuming they haven't already, that is."
Sam Rubin, VP of Unit 42 Consulting at Palo Alto Networks, told The Register his team hadn't seen any swatting attempts by extortion crews in 2023, though the shift in tactics seems likely.
"But I'm not surprised at all," he added, about the reports of Seattle cancer patients potentially receiving these types of threats.
"If you look over the past couple of years, we've seen this continuing evolution of escalating extortion tactics," Rubin said. "If you go back in time, it was just encryption."
Over the past year, Unit 42 has seen cybercriminals send threatening texts to the spouse of a CEO whose organization was being extorted, Rubin added, again piling on the pressure for payment. The consulting and incident response unit has also witnessed miscreants sending flowers to a victim company's executive team, and issuing ransom demands via printers connected to the affected firm's network.
"We had another one where the victim organization decided not to pay, but then the ransomware actors went on to harass customers of that organization," Rubin said. "They came back to us and said they regretted the decision [not to pay] because of the reputational impact of the threat actor going to their customers."
These criminals, he added, "are trying to change the balance of leverage to force that payment."
Meanwhile, ransomware attacks against critical infrastructure including hospitals become more frequent. Emsisoft reported 46 infections against US hospitals networks last year alone, up from 25 in 2022. In total, at least 141 hospitals were infected, and at least 32 of the 46 networks had data — including protected health information — stolen.
It's bad enough that these attacks have diverted ambulances and postponed critical care for patients, and now the criminals are inflicting even more pain on people. Last year this included leaking breast cancer patients' nudes. Swatting seems to be the next, albeit abhorrent, step.