The cybersecurity community is being misled by false breach reports from ransomware groups, experts say, and they expect this kind of ransomware misinformation to increase in the coming months.
The cybersecurity community should know that cybercriminals are not reliable narrators, but lately all a ransomware group seems to need is a Dark Web post claiming to have breached an organization, plus a couple of well-placed retweets, and soon a full in-depth cyber investigation follows, regardless of whether a breach actually occurred.
Two specific incidents from the last few days of January highlight this growing trend among ransomware groups, according to ransomware expert and threat researcher Yelisey Bohuslavskiy of RedSense: alleged attacks on Technica and Europcar.
“The other side is clearly fighting back: both the FBI taking out entire groups and the companies putting in place adequate defenses,” he says. “Ransomware operators now have a real fight to wage, but their collectives were never meant for this, as, at their essence, they are petty criminals with no imagination or ingenuity, targeting networks left unprotected. Lies and publicity are the only things they have left.”
No credible evidence of a Technica breach
On January 30, headlines were buzzing with claims by the ALPHV (aka BlackCat) ransomware group that it had stolen classified information from Technica Corp., an IT contractor serving various parts of the U.S. government, including the Navy and Air Force. As an indication of the kind of sensitive environments the company works in, Technica is currently recruiting on LinkedIn for an open systems administrator position at Langley Air Force Base. Technica also provides IT support to the Federal Bureau of Investigation.
If Technica were indeed hacked by ALPHV, the group could be in possession of top secret material and could pose a serious threat to US national security.
Given the security clearances presumably required to work for a defense contractor like Technica, it is not surprising that the organization has not publicly commented on ALPHV’s claims. Several requests for comment from Dark Reading, for example, went unanswered. But in that messaging vacuum, ALPHV’s Dark Web post (containing a threat to disclose U.S. government secrets) has entered the news and gossip cycle, with several tweets and headlines speculating on the potential fallout of such a Technica breach.
But there is no credible evidence that Technica was ever compromised beyond a few screenshots shared by ALPHV, according to Bohuslavskiy, who follows the group closely.
Even so, the group scored a major victory within competitive ransomware cybercrime circles, as well as a little revenge against the FBI.
In December, the FBI seized ALPHV’s infrastructure and took down the ransomware operation’s leak sites, crippling the entire business. Being seen to trade blows with law enforcement, by claiming to have compromised the feds’ IT supplier, boosts the group’s reputation among other cybercrime groups as well as would-be affiliates.
Europcar was also not hacked, despite the claims
Car rental company Europcar was likewise the subject of a false data breach claim: in the final days of January, an anonymous user on a hacking forum offered to sell the data of more than 48.6 million people.
Europcar categorically denied the breach and pointed out that the sample data shared on the Dark Web forum was clearly falsified.
“After being informed by a threat intelligence service that an account is pretending to sell Europcar data on the dark web and carefully reviewing the data contained in the sample, the company is confident that this advertisement is false,” the company said in a note.
New tools that leverage artificial intelligence and machine learning make it easier than ever to fabricate supposedly stolen data, so it falls to humans to verify ransomware groups’ claims before they spread.
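As an added illustration of the kind of sanity check a threat intelligence or incident response team can run over a purported leak sample before anyone amplifies the claim (this is example code written for this page, not Europcar’s process and not a tool from the article), the script below scores a constructed sample of records for common fabrication signals: malformed email addresses, card numbers that fail the Luhn check, impossible dates of birth, mailbox names that share nothing with the claimed customer name, and verbatim duplicate rows. The field names, the sample rows and the thresholds are assumptions; real verification still means matching the sample against the organization’s own data.

```python
import re
from datetime import date

# Constructed sample (not real data, not the Europcar listing): the kind of
# rows a seller pastes as "proof" of a breach. Field names are assumed.
SAMPLE = [
    {"name": "Alice Martin", "email": "alice.martin@example.com",
     "card": "4111111111111111", "dob": "1984-03-12"},
    {"name": "Bob Dupont", "email": "bob.dupont@example.com",
     "card": "4111111111111112", "dob": "1979-11-02"},
    {"name": "Carla Rossi", "email": "xq7kz9@example",
     "card": "5500000000000004", "dob": "2031-01-01"},
    {"name": "Alice Martin", "email": "alice.martin@example.com",
     "card": "4111111111111111", "dob": "1984-03-12"},
    {"name": "Dan Weber", "email": "zz.q1@example.org",
     "card": "abcd", "dob": "1990-07-30"},
]

# Deliberately simple address shape: mailbox@label(.label)+
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def luhn_ok(number: str) -> bool:
    """Luhn check digit (ISO/IEC 7812). Non-digit or short input fails."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def name_email_consistent(name: str, email: str) -> bool:
    """Weak signal: some name token of 3+ letters appears in the mailbox name."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if len(t) >= 3]
    return any(t in local for t in tokens)


def plausible_dob(dob: str, today: date) -> bool:
    """ISO date, not in the future, and not older than 120 years."""
    try:
        d = date.fromisoformat(dob)
    except ValueError:
        return False
    return d <= today and today.year - d.year <= 120


def assess_sample(records, today=date(2024, 2, 1)):
    """Count fabrication signals across a purported leak sample.

    Each counter is a hint, not proof: generated data can pass all of them,
    and real data can trip some. The 'today' default pins the date check so
    the result is reproducible.
    """
    findings = {"records": len(records), "invalid_email": 0, "luhn_fail": 0,
                "implausible_dob": 0, "name_email_mismatch": 0,
                "duplicate_rows": 0}
    seen = set()
    for r in records:
        key = tuple(sorted(r.items()))
        if key in seen:
            findings["duplicate_rows"] += 1
        seen.add(key)
        if not EMAIL_RE.match(r["email"]):
            findings["invalid_email"] += 1
        if not luhn_ok(r["card"]):
            findings["luhn_fail"] += 1
        if not plausible_dob(r["dob"], today):
            findings["implausible_dob"] += 1
        if not name_email_consistent(r["name"], r["email"]):
            findings["name_email_mismatch"] += 1
    return findings


if __name__ == "__main__":
    for k, v in assess_sample(SAMPLE).items():
        print(f"{k}: {v}")
```

On the constructed sample, three of five rows trip at least one check and one row is a copy of another, which is the pattern a padded or generated dump tends to show. A high count is grounds to withhold amplification and ask the alleged victim, not a verdict on its own.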
Ransomware in decline, groups hunting for influence
False claims like these have always been part of the ransomware ecosystem, but there are some factors that make misinformation even more attractive to these groups today, according to Bohuslavskiy.
As mentioned, the first is the overall success of cybersecurity defenses in making cybercrime more difficult, Bohuslavskiy explains. Another is the hunt for power among cybercriminals. Bohuslavskiy says these ransomware operators are trying to recapture the wave of fame of 2019, which pulled what he calls “cybercrime bottom feeders” out of the shadows.
“And now they are forced to return to their marginalized state again,” he adds. “With their businesses in decline, they can’t feed their egos, and their hope that the money they earn will help their social status is dashed.”
Cybersecurity professionals spread fake news about ransomware
Like most misinformation campaigns, false ransomware allegations rely on others to spread them and be taken seriously. Bohuslavskiy urges the native English-speaking cyber community to stop amplifying these messages; even the simple act of translating the lie into English makes it seem more believable, he warns.
“This is a classic post-truth tactic: claim something false and enjoy the publicity,” he explained. “Even if the claim is proven false by professionals, no one will see it.”
Dragos researchers noted in their recent ransomware reporting that these groups are increasingly honing their media and public relations techniques, obtaining interviews with journalists and sending press releases, as well as collaborating to share business advice.
Enterprise cybersecurity teams must therefore factor this new communication strategy, ransomware disinformation, into how they recognize and respond to breach claims.
“Fortunately for them (the ransomware groups), the English-speaking cybersecurity community is stepping back to help them,” Bohuslavskiy said.