Crooks hold nude plastic surgery pictures to ransom after break-in

A group calling itself the Tsar Team has published and ransomed at least 25,000 before-and-after photos of plastic surgery clients, some of them nude, along with patients’ private data.

According to Lithuanian police, the hackers broke into the servers of the Grozio Chirurgija chain of clinics earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world, including Germany, Denmark, Norway and other EU countries.

According to the Guardian, that includes more than 1,500 British patients. The purloined database also includes before and after nude images of celebrities.

Police told reporters that the crooks’ initial demand for the entire database was 300 bitcoin. As of Wednesday, that worked out to about $692,814 USD; £537,481; or €616,849.

The clinic refused to pay. The Tsar Team released a portion of the database in March, then the rest of it on Tuesday. But between those two releases, the thieves also carved it up, patient by patient, to try to shake down each one individually.

It’s unclear how many people have been extorted, but police said that dozens have come forward to report the blackmail.

Deputy chief of Lithuania’s criminal police bureau Andzejus Raginskis:

It’s extortion. We’re talking about a serious crime.

According to the Guardian, individual patients were being hit up for bitcoin payments worth between €50 and €2,000, depending on the sensitivity of the stolen data. For example, the ransom was bumped up where the haul included nude photos, passport scans or National Insurance numbers.

For those who might be tempted into a Celebgate-ish, nude-celebs curiosity jag, the police warned that any “leechers” who download and store the stolen data could also be prosecuted.

The thieves have since reduced the ransom for the full database to 50 bitcoin ($115,292 USD; £103,605).

Who is Tsar Team? The crooks are either using a name associated with the APT28 or Fancy Bear espionage group in order to throw law enforcement off their tracks, or they’re actually Fancy Bear.

That’s the hacker group implicated in tampering with the US presidential election, including the Democratic National Committee leak, as well as attacks on En Marche and the Konrad Adenauer Foundation.

CrowdStrike, the security firm that the DNC called on for help following its leak, identified two “sophisticated adversaries” on the network of the formal governing body for the US Democratic Party.

According to CTO and co-founder Dmitri Alperovitch, the two adversaries used the handles Cozy Bear and Fancy Bear – groups believed to be closely linked to Russia’s intelligence services.

But as the Guardian points out, we don’t really know if the hackers that attacked Grozio Chirurgija are linked to Fancy Bear/APT28, or if they merely borrowed the name in order to spread disinformation.

Besides the “who’s extorting us” question, of course, is the more immediate quandary for patients: the “should I pay?” dilemma.

Naked Security has mostly stuck to a neutral stance on the issue. After all, some organizations, such as hospitals, can feel like they simply have no choice.

But this is different. This is definitely a “don’t pay” case, says fellow Naked Security writer Paul Ducklin.

After all, if you do pay up, you first have to trust the crooks not to release the photos later anyway (or not to come back for more money), and then you have to trust them not to suffer a breach of their very own with the data they stole.

In other words, even if you trust them not to screw you over a second time on purpose, you also have to trust them not to screw you over a second time by mistake and thereby to allow someone else to screw you over a third time on purpose…

…and so on, ad infinitum.