Groove Ransomware Gang Tries New Tactic to Attract Affiliates

In the seemingly never-ending lineup of new entrants to the ransomware space is "Groove," a criminal outfit that a trio of security vendors this week described as bringing a new approach to profiting from compromised networks.

In one of its first acts, the threat group publicly leaked for free a set of nearly 500,000 user names and credentials associated with some 87,000 Fortinet FortiGate SSL-VPN devices. Researchers from McAfee, one of the three vendors that reported on the new operation — the other two are Coveware and Intel417 — described the act as likely designed to attract the attention of other cybercriminals to the new Groove operation.

"We believe that Groove has done this to empower other threat actors and aspiring cybercriminals to step into the scene," says John Fokker, principal engineer and head of cyber investigations for the McAfee Enterprise Advanced Threat Research team. "The VPN credentials can offer an easy way into a network. By disclosing this data freely, it can allow any threat actor — skilled or nonskilled — a way into a corporate network."

The SSL VPN credentials had apparently been previously obtained from FortiGate systems that were unpatched against a system file leak vulnerability (CVE-2018-13379), for which Fortinet had issued a patch in May 2019. It remains unclear whether many of the leaked VPN credentials might still work.

"While [the vulnerable devices] may have since been patched, if the passwords were not reset, they remain vulnerable," Fortinet warned in an advisory this week. Even if organizations have upgraded their devices since the vulnerability was disclosed, they still need to have reset user passwords after the upgrade or they likely remain vulnerable to compromise via the previously exposed VPN credentials, Fortinet said.

The Fortinet VPN credentials were leaked via a new underground forum called RAMP that appears to have been created by the former administrator of the Babuk ransomware operation. The forum seems designed to give ransomware-as-a-service (RaaS) operators an underground platform for advertising and selling their malware to other criminal affiliate groups. Some of the bigger forums that previously used to allow this activity had banned it after the massive ransomware attack on Colonial Pipeline in May. This attack generated widespread concern — from the White House down — and prompted several underground forums to distance themselves from ransomware activity while the heat cooled down.

New Forum
After popular cybercrime forums banned ransomware actors from advertising following the Colonial Pipeline attack, they no longer had a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes, Fokker says. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and harder for RaaS developers to maintain their current top-tier position in the underground, he notes.

With RAMP, the operators of Groove are attempting to give ransomware operators a forum for once again plying their trade within the criminal underground. "Groove has jumped into that gap and created RAMP," Fokker notes.

Unlike other RaaS operators, however, Groove's approach appears to be that ransomware is just one of several ways to profit from a compromised network. The group seems to be willing to work with ransomware operators as well as other criminal groups that can help it collaboratively profit from a compromised network in any way.

"Groove is challenging the conventional RaaS hierarchy by positioning themselves as a self-reliant cybercrime group, essentially changing the power balance from he who controls the ransomware to he who controls the victim's networks," Fokker says. "Ransomware being one option for collaboration, data extortion being another."

Groove's primary message is that they are an aggressively financially motivated organization with previous experience in industrial espionage and where ransomware is no more than an additional source of income for them. "We don’t care who we work with and how. You’ve got money — we're in," Fokker says.