A ransomware negotiation specialist revealed that hackers are increasingly threatening physical harm to employees of targeted companies and their families in order to force the victimized organizations to pay the ransom.
According to a survey of 1500 cybersecurity and IT specialists conducted by Censuswide for Semperis, attackers still most commonly resort to traditional methods of pressuring victims, including system lockdowns (52%) and data destruction (63%). Additionally, almost half of the respondents (47%) from various countries reported that attackers also threatened to file a complaint with regulators, telling them that the company was attempting to conceal a serious data breach.
But the most alarming conclusion that researchers drew from the survey was that 40% of respondents received threats of physical harm from the attackers.
“Threats of physical violence are truly frightening,” Jeff Wichman, Director of Incident Response at Semperis, told The Register. “I am afraid to imagine what might happen next.”
Before leading the response team at Semperis, Wichman was a professional ransomware negotiator. According to him, attackers often call top executives of affected companies with threats.
“They threatened their families: they knew what websites they visited, what they did at home,” explains Wichman. “The attackers know where the executives live, where their families are, and what school their children attend.”
According to experts, threats of physical harm are usually general in nature to increase tension.
“If I tell you that ‘I’m going to attack your children at school,’ you’ll increase security at the school. But if I just say ‘I’ll get to your family,’ it will be scary to go grocery shopping, to the movies, anywhere,” explains Wichman.
Worse yet, the expert believes that in the future, such threats will occur more frequently and become even more severe.
Overall, the annual report from Semperis paints a rather grim picture. The majority of respondents (78%) have faced attempted ransomware attacks over the past year. This is only slightly less than in 2024 (83%).
However, despite a decrease in the overall number of attacks, companies are taking longer to recover after incidents. Only 23% of respondents stated that they recovered within one day (compared to 39% last year). Meanwhile, 18% needed between one week and one month.
“This is because attackers aim to disrupt the infrastructure as much as possible, forcing organizations to restore it from backups or even start from scratch,” says Wichman.
The report also notes that, on average, 15% of organizations that paid the ransom never received functional decryption keys, and information from 3% of the affected companies was “leaked” even after the ransom was paid.
“I don’t believe that an organization can pay [the ransom] and consider itself safe,” Wichman emphasizes. “I have seen many cases where attackers promised to delete stolen data but in reality did not. This is valuable information that can be resold. Why not make additional profit from it?”