Fraud Management & Cybercrime
,
Ransomware
‘Oxygen of Publicity’ Helps Intimidate Victims and Recruit Affiliates, Experts Warn
Seeking to maximize profits no matter the cost, ransomware groups have been bolstering their technical prowess and psychological shakedowns with a fresh strategy: weaponized marketing.
See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape
Experts are warning members of the security community and press to beware of getting played by criminals who remain eager to self-mythologize, dis their rivals and overstate their prowess and who don’t mind massaging a few noncriminal egos along the way to get control of the narrative.
“To negate those efforts and deny ransomware gangs the oxygen of publicity they’re seeking,” a report from Sophos recommends that researchers and journalists never name ransomware groups “unless it’s purely factual and in the public interest.” Ransomware observers should always avoid glorifying criminals’ efforts and never engage with such groups “unless it’s in the public interest or provides actionable information and intelligence for defenders.”
Recommendations to avoid glorifying criminals don’t come in a vacuum.
Evidence suggests ransomware groups work overtime to court researchers and journalists. Heavyweight LockBit uses dedicated channels on the encrypted messaging system Tox “to communicate with other criminals, journalists and researchers,” and even runs its own bug bounty program, reports Jon DiMaggio, chief security strategist at Analyst1 (see: Victim of Its Own Ransomware Success: LockBit Has Problems).
On their data leak sites, the RansomHouse and 8Base groups promise to share with journalists, via their “PR Telegram channel,” information about victims hours or days before it gets “officially published.” Other groups – including Rhysida, Snatch and Vice Society – give shoutouts to journalists on their leak sites or media FAQs, and Karakurt is one of a number of operations that maintains a “press release” page containing twisted missives, Sophos said.
In the old days, boasting about committing crimes seemed to be a fast track to prison. Ransomware groups have torn up this rulebook. They can’t wait to tell everyone what they’ve done – or at least deliver their sugarcoated version of it.
“Some ransomware gangs have given interviews to journalists, in which they provide a largely positive perspective of their activities – potentially as a recruitment tool,” Sophos said. “Others have been more hostile to what they see as inaccurate coverage, and have insulted both publications and individual journalists.”
What do groups have to lose? Many continue to operate from Russia, and the Kremlin seems willing to ignore such activity, so long as it never targets Russians.
Another reason many ransomware groups seem to have embraced publicity is because they’re already running very public data leak sites that stand as testament to their criminal prowess, displaying the virtual pelts of enemies who failed to yield. Those sites serve as a warning to future victims: Pay up and pay quickly when we demand our ransom, or we’ll name and shame you and leak your stolen data. Some go even further, by reporting the breach to a victim’s customers or to regulators. Of course, their next step is clear: to boast about doing so.
Spin Cycle
To hear ransomware groups tell it, they never extort victims. Instead, they’re providing a service: penetration-testing victims’ networks and conducting security audits. Groups will also claim to never hit organizations in certain sectors, such as healthcare. In fact, they often do so, thanks to their “infect first, figure out who it is later” approach. If attacks lead to bad press, perhaps because they have disrupted hospitals, the group might loudly proclaim that it has gifted the victim a “free” decryptor and in the pursuit of “ethical data management,” pledge to not leak stolen data. In reality, such moves can’t erase the time-consuming, expensive, disruptive and fraught – not least for patients – process of dealing with the aftermath of an attack and restoring systems and data.
Groups’ self-mythologizing and notoriety-building not only frightens potential victims but helps ransomware-as-a-service groups distinguish themselves from rivals and recruit better affiliates.
As the Sophos report warns, researchers and journalists who uncritically repeat ransomware groups’ claims or language risk bolstering criminals’ prowess. As the hundreds of millions of dollars’ worth of cryptocurrency that flows every year to ransomware groups demonstrates, they don’t need anyone’s help.