Now BlackCat extortionists threaten to leak stolen plastic surgery pics

Ransomware gang BlackCat claims it infected a plastic surgery center, stole "lots" of highly sensitive medical records, and has vowed to leak patients' photos if the clinic doesn't pay up.

The notorious extortion crew, aka AlphaV, on Wednesday added the Beverly Hills Plastic Surgery to its list of compromised organizations, and bragged about swiping people's personal information and healthcare records, "including a lot of pictures of patients that they woud [sic] not want out there."

The note continued: "Leak to follow if no contact made."

Beverly Hills Plastic Surgery did not immediately respond to The Register's inquiries. We will update this story if and when we hear back from the California clinic.

The ransomware-as-a-service group's affiliates have been especially active lately, threatening to leak stolen Reddit data from a February intrusion and also posting sensitive information belonging to Australian federal agencies and banks after breaching law firm HWL Ebsworth earlier this year.

While threatening to make public before-and-after photos of nose jobs — and presumably more NSFW surgical enhancement pictures — is especially repulsive, even for criminals, it's not as original as it seems.

As Emsisoft Threat Analyst Brett Callow, who posted a screenshot of the miscreants' leak threat, pointed out: "This is not the first time a ransomware operation has threatened to release photos of cosmetic surgery photos."

REvil did it back in 2020 after breaching The Hospital Group, which claims to be the UK's top weight loss and cosmetic surgery group.

• Reddit confirms BlackCat gang pinched some data
• FBI: BlackCat ransomware scratched 60-plus orgs
• Cancer patient sues hospital after ransomware gang leaks her nude medical photos
• Data leak at major law firm sets Australia's government and elites scrambling

More recently, other extortionists have become more personal in their threats, especially as they increasingly target hospitals and other healthcare organizations entrusted with protecting very sensitive and private information.

In February, BlackCat broke into an American healthcare provider — Lehigh Valley Health Network (LVHN) — and stole images of patients undergoing radiation oncology treatment along with other health records belonging to more than 75,000 people before posting at least some of that data online.

A cancer patient whose nude medical photos and records were shared sued LVHN for allowing the "preventable" and "seriously damaging" leak.

If the gang's latest claims turn out to be true, and BlackCat did steal patient photos and protected health info belonging to Beverly Hills Plastic Surgery's clients, we'd expect to see similar lawsuits in the near future. ®