Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.
Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.
A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:
"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."
In another instance, the ransom note offers financial incentives:
"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."
The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.
Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.
"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.
For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."
GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
