Gone are the days of dark, hooded figures and 8-bit skull-and-bones graphics — ransomware groups are increasingly adopting a more open, quasi-corporate strategy with the media, with the added benefit of ratcheting up the pressure for victims to pay them.
As Sophos X-Ops outlined in a report this week, more and less notorious groups like Royal, the Play, and RansomHouse are increasingly engaging with journalists. The relationship is dubious yet mutually beneficial: Reporters get scoops straight from primary (albeit unreliable) sources, while hackers get to expose their victims or, in certain high-profile cases, correct the record.
“This shows that they’re true hackers,” says Christopher Budd, director of threat intelligence for Sophos X-Ops. “Now they’re trying to hack the information sphere, as well as the technical sphere.”
Cybercriminals in Corporate Clothing
Ransomware groups nowadays offer channels for direct communication, and not just for victims. There are PR-oriented Telegram channels and standard-fare “Contact Us” forms, as well as helpful information and FAQs to supplement them.
The big idea is that, by broadcasting their exploits in the news, ransomware actors invite public pressure on their victims, as well as pressure from their suppliers, customers, and so on.
This much is implied or, often, specifically highlighted in ransom notes. For instance, Sophos recently observed a Royal ransom note expressing how “anyone on the internet from darknet criminals … journalists … and even your employees will be able to see your internal documentation” if the ransom deadline wasn’t met.
An extreme example of this sort of tactic occurred a month ago, when the ALPHV group (aka BlackCat) filed an official complaint with the US Securities and Exchange Commission, citing how its victim failed to report its ransomware attack within the newly proposed window for data breach disclosures. Those new rules hadn’t yet been in effect at the time, but the stunt certainly attracted headlines.
News coverage has other knock-on benefits, as well. Besides the ego boost, if a group like The Play links to Dark Reading coverage on its leak site, it lends it credibility, giving victims the impression that they’re the real deal.
A Dark Reading article reposted by The Play (Source: Sophos X-Ops)
Attackers in Analysts’ Attire
Not all ransomware-ers are meeting the media with equal levity. Notorious groups like Cl0p and LockBit have recently engaged with the outside world on more hostile terms.
And while it sometimes comes out as petty or posturing, at other times even these conflicts are handled with a degree of professionalism.
For instance, in response to initial reports containing purportedly incorrect information about the MGM attack, ALPHV published a 1,300-word statement. “In trying to assert their authority and take their claim, they actually published what amounts to threat research — the type of stuff that security companies do. And they provided some fairly objective, detailed technical explanation about the actions they’d taken,” Budd explains.
“It reads like something that we would publish,” he adds. “They are consciously adopting some of the principles that we in the security space use on a day-to-day basis.”
Source: www.darkreading.com