Ransomware Groups Gain Clout With False Attack Claims

The cybersecurity community is getting duped by fake breach claims from ransomware groups, experts say — and ransomware misinformation is a threat they predict will only grow in the coming months.

The cybersecurity community should know that cybercriminals aren't reliable narrators, but lately, all ransomware groups seem to need is a Dark Web post claiming to have breached an organization, plus a couple of key re-tweets, and presto ... a full blown cyber investigation has ensued; no matter whether any breach has actually occurred or not.

Two specific incidents from the last days of January highlight this growing trend among ransomware groups, according to ransomware expert and threat researcher Yelisey Bohuslavskiy with RedSense: alleged attacks on Technica and on Europcar.

"The other side is clearly fighting back — with both the FBI taking entire groups down and businesses putting proper defenses in," he says. "Ransomware operators now need to pick up a real fight, but their collectives were never meant for this, as, in their essence, these are petty criminals with no imagination or ingenuity, targeting networks that were left unprotected. Lies and hype are the only things they are left with."

No Credible Evidence of Technica Breach

On Jan. 30, headlines blared claims made by ransomware menace ALPHV (aka BlackCat) that it had been able to steal classified information from Technica Corp., IT specialists who serve various aspects of the US government, including the Navy and Air Force. As an example of the kinds of deeply sensitive data the company is handling, Technica is currently recruiting on LinkedIn for an open systems administrator position at Langley Air Force Base. Technica also provides IT support for the Federal Bureau of Investigation.

If Technica were indeed breached by ALPHV, the group could conceivably be in possession of top secret stuff, and could pose a serious US national security threat.

Based on the number of security clearances presumably necessary to work for defense contractor Technica, it's no surprise that the organization did not publicly comment on the ALPHV claims. Several requests for comment from Dark Reading went unanswered, for instance. But in the messaging void, ALPHV's Dark Web post (containing a threat to release US government secrets) infiltrated the news and gossip cycle with several tweets and headlines speculating on the potential fallout of such a Technica breach.

But there's is no credible evidence Technica was ever compromised beyond a few screen shots shared by ALPHV, according to Bohuslavsky, who tracks the group closely.

However, the group was able to claim a big win among competitive ransomware cybercrime circles, as well as a bit of revenge on the FBI.

In December, the FBI seized ALPHV's infrastructure and took down the ransomware operation's leak sites, hobbling the entire business. For the ransomware group to be seen as trading shots with law enforcement, with a compromise of the Feds' own IT vendor, it boosts their reputation among the cybercrime set, as well as would-be affiliates.

Europcar Wasn't Breached Either, Despite Claim

Car rental company Europcar likewise fell victim to false data breach claims by an anonymous person offering to sell the data of more than 48.6 million people in a hacking forum in the waning days of January.

Europcar flatly denied the ransomware breach and pointed out that the sample data shared in the Dark Web forum was clearly faked.

"After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net, and thoroughly checking the data contained in the sample, the company is confident that this advertisement is false,” the company said in a statement.

Thanks to new tools leveraging artificial intelligence and machine learning, it's easier than ever to falsify allegedly stolen data, leaving it up to humans to fact-check these ransomware group claims and stop them from spreading.

Ransomware in Decline, Groups Chasing Clout

False claims like these have always been part of the ransomware ecosystem, but there are a few factors making misinformation even more attractive for these groups these days, according to Bohuslavskiy.

As mentioned, the first is the overall success of cybersecurity defenses in making cybercrime harder, Bohuslavskiy explains. Another is clout chasing among cybercriminals. Bohuslavskiy says these ransomware operators are trying to catch a wave of fame similar to the one from 2019 that lifted what he calls "cybercrime bottom feeders" out of obscurity.

"And now, they are forced to go back to their outcast state again," he adds. "With their operations in decline, they can't keep their ego fed, and their hope that the money they make will help their social status is blown away."

Cybersecurity Pros Spreading Ransomware Fake News

Like most misinformation campaigns, false ransomware claims rely on others to spread them and be taken seriously. Bohuslavskiy urges the native English speaking cybercommunity to stop amplifying these messages; even the simple act of translating the lie into English makes it seem more believable, he warns.

"This is a classic post-truth tactic: claim something false and enjoy the hype," he explained. "Even if the claim is proven false by professionals, no one will see this."

Researchers at Dragos noted in their recent ransomware report that these groups are increasingly refining their media and public relations techniques, courting interviews with journalists and sending out press releases, as well as collaborating to share business tips.

Thus, enterprise cybersecurity teams need recognize and respond with the new ransomware misinformation communications strategy in mind.

"Fortunately for them (ransomware groups), the English-speaking cybersecurity community is bending backward to help them with it," Bohuslavskiy said.