Extortion crew threatened to inform Edward Snowden (?!) if victim didn’t pay up
Dark web analysts at infosec software vendor Fortra have discovered an extortion crew named Ox Thief that threatened to contact Edward Snowden if a victim didn’t pay to protect its data – a warning that may be an indicator of tough times in the ransomware world for some, at least.
Ox Thief at first stuck to the tried-and-tested racket, claiming on its Tor-hidden site to have stolen 47 GB of “highly sensitive files” from an organization, offering samples of those files for download so its victim could verify its claims, and then threatening to publish the material unless the org paid a ransom demand.
Then it went off-script, posting a lengthy list of possible consequences that could befall the victim if it didn’t pay. Those include jail time for breaches of data leak liability laws, huge fines, class-action lawsuits, negative news coverage, reputational damage, and incident-response costs.
Ox Thief’s leak site even includes case studies of “real data breach cases” that detail high-profile breaches such as Capital One’s 2019 security SNAFU and Uber’s 2016 security breach cover-up.
The crew also threatens to contact infosec journo Brian Krebs, Have I Been Pwned founder Troy Hunt, the Electronic Frontier Foundation (EFF), the privacy advocacy group noyb (European Center for Digital Rights), and even Edward Snowden if the victim doesn’t meet the ransom demand.
We’ve seen this sort of thing before, for example from the likes of ransomware gang ALPHV, which in 2023 filed an SEC complaint against fintech firm MeridianLink for failing to notify the American financial regulator of a significant security breach.
Fortra’s domain and dark web monitoring services senior manager Nick Oram thinks Ox Thief’s tactics are a new and noteworthy escalation.
“While ransomware groups adopt a variety of tactics to increase their success, this is the first time they are outlining in painful detail threats to fast-track the legal, governmental, and press consequences associated with a breach,” Oram said in a briefing shared with The Register.
“Ox Thief’s approach marks a concerning evolution in ransomware tactics, leveraging legal liability and media scrutiny to pressure victims into compliance,” he added. “By explicitly outlining potential fines, class action lawsuits, and government penalties, the group is attempting to reframe the cost-benefit analysis of paying versus resisting extortion.”
Ox Thief may also be trying to do something about its own costs: Oram thinks ransomware payments are falling, leading crims to try new tactics in pursuit of a payday.
“Understanding these evolving methods helps organizations better prepare, strengthen defenses, and refine response strategies to mitigate both technical and reputational risks,” Oram said.
Crew claims collide
Threat intel analysts spotted Ox Thief earlier this month, after the extortionists claimed to have compromised Broker Educational Sales & Training (BEST), a company that provides continuing education programs for insurance and financial professionals.
The crooks bragged about stealing employee personal data, client and company information, financial reports, insurance documents, contracts, and other information from company databases. No information is available on the ransomware, if any, used in the attack, so it could be purely extortion.
To be clear: The Register has not independently verified Ox Thief’s claims, or its alleged data theft.
Complicating matters further, threat intelligence outfit FalconFeeds recently noted that Medusa ransomware affiliates also claimed to have infected and stolen data from BEST in December 2024.
It’s possible the two intrusions are related, or that Ox Thief came into possession of the purloined files.
Or perhaps this mess is Medusa again changing its tactics, as we reported last week after US authorities reported an instance of “triple extortion” that saw one of the gang’s affiliated orgs demand a third payment.
BEST did not immediately respond to The Register’s questions about the alleged digital break-ins. We will update this story if the education firm responds with substantial information. ®