Fortra researchers have uncovered a new ransomware group, Ox Thief, which employs unconventional pressure tactics against its victims. In a recent case, the perpetrators threatened to contact Edward Snowden if their demands were not met—an unusual move that may indicate growing difficulties for some cybercriminals in securing ransom payments.
Ox Thief initially followed a conventional extortion playbook: the group claimed on its Tor site to have stolen 47GB of highly sensitive files from a company. To substantiate their claims, the hackers released sample data and warned that the full dataset would be published if the ransom was not paid.
However, the extortion scheme quickly deviated from the usual pattern. The attackers published an extensive list of potential consequences for non-compliance, including lawsuits, multimillion-dollar fines, criminal liability, reputational damage, and significant incident response costs. To reinforce their threats, they cited high-profile breaches such as the 2019 Capital One breach and the 2016 Uber hack as cautionary examples.
Ox Thief also vowed to draw the attention of prominent cybersecurity experts and advocacy organizations, including journalist Brian Krebs, Have I Been Pwned founder Troy Hunt, the Electronic Frontier Foundation (EFF), and the privacy rights group NYOB. Notably, Edward Snowden was among those named as a potential “informant”—a move seemingly designed to heighten the pressure on victims.
This approach echoes tactics previously employed by the ALPHV/BlackCat group, which in 2023 filed a complaint with the SEC against MeridianLink for allegedly concealing a data breach. However, Fortra analysts believe Ox Thief’s methods represent an evolution in ransomware extortion, as attackers now leverage not only psychological pressure but also the fear of legal repercussions and regulatory scrutiny.
Moreover, this shift in strategy may be linked to a decline in ransom payments. As organizations become increasingly resistant to extortion, cybercriminals are compelled to devise more aggressive and innovative coercion tactics.
Ox Thief first surfaced in early March after claiming responsibility for breaching Broker Educational Sales & Training (BEST), a firm specializing in financial and insurance professional training. The hackers alleged they had exfiltrated employees’ personal data, financial reports, insurance documents, and contracts. However, no independent confirmation of the breach has been established.
Further complicating the situation, a separate ransomware group, Medusa, had previously made identical claims regarding a breach of BEST. In December 2024, Medusa operatives also asserted they had stolen the company’s data. At this stage, it remains unclear whether these attacks are linked, whether the stolen files are authentic, or if Ox Thief merely capitalized on a pre-existing data leak orchestrated by another threat actor. BEST has yet to issue any official statement regarding the incident.