
Ransomware Groups are Using PR Charm Tactic to Put Pressure on Victims to Pay Ransom


Ransomware groups have increasingly been adopting newer tactics. One of them is a transparent, quasi-corporate approach to the media, which helps them build pressure on victims to pay the ransom.

According to a report released this week by Sophos X-Ops, ransomware groups like Royal, Play and RansomHouse were seen engaging with journalists. The partnership is dubious but advantageous to both parties: hackers expose their victims or, in some high-profile cases, amend the record, while reporters receive scoops directly from primary (but untrustworthy) sources.

According to Christopher Budd, director of threat intelligence for Sophos X-Ops, "This shows that they're true hackers[…]Now they're trying to hack the information sphere, as well as the technical sphere."

Cybercriminals in Corporate Clothing

These days, ransomware organizations provide channels for direct contact that are not limited to victims. Alongside the typical "Contact Us" forms and PR-focused Telegram channels, they make supporting resources and FAQs available.

The underlying idea is that by broadcasting their deeds in the news, these threat actors put public pressure on the victims, pressure that extends to the victims' suppliers, customers, etc.

The threat actors often imply this idea in ransom notes. For example, Sophos recently analyzed a ransom note published by the Royal ransomware group, which stated that "anyone on the internet from darknet criminals ... journalists ... and even your employees will be able to see your internal documentation" if the ransom deadline was not met.

Attackers Playing Analysts

However, not all ransomware groups engage with the media in the same good humour. Groups like Clop and LockBit have interacted more antagonistically with the outside world.

And while these conflicts appear petty or posturing at times, they are occasionally handled professionally.

For instance, in response to initial reports containing purportedly incorrect information about the MGM attack, ALPHV published a 1,300-word statement. 

Budd says, "In trying to assert their authority and take their claim, they actually published what amounts to threat research — the type of stuff that security companies do. And they provided some fairly objective, detailed technical explanation about the actions they had taken."

He notes that the ALPHV statement felt like something a security firm would publish. He observed that ransomware groups are “consciously adopting some of the principles” that security companies use daily.