Fake extortionists are piggybacking on knowledge breaches and ransomware incidents, threatening U.S. corporations with publishing or promoting allegedly stolen knowledge until they receives a commission.
Sometimes the actors add the menace of a distributed denial-of-service (DDoS) assault if the message recipient doesn’t adjust to the directions within the message.
Bad actors
The attackers behind this exercise use the identify Midnight and began focusing on corporations within the U.S. since at the least March 16.
They have additionally impersonated some ransomware and knowledge extortion gangs in emails and claimed to be the authors of the intrusion, stealing a whole bunch of gigabytes of necessary knowledge.
In one electronic mail to the worker of a holding firm within the business of petroleum components, the risk actor claimed to be the Silent Ransom Group (SRG) – a splinter of the Conti syndicate targeted on stealing knowledge and extorting the sufferer, often known as Luna Moth.
The identical message, nevertheless, used within the topic line the identify of one other risk actor, the Surtr ransomware group, first seen to encrypt firm networks in December 2021.
supply: BleepingComputer
BleepingComputer discovered one other electronic mail from Midnight Group, professing that they had been the authors of the information breach and that they stole 600GB of “essential data” from the servers.
The messages had been despatched to the deal with of a senior monetary planner that had left the goal firm greater than half a 12 months earlier than.
supply: BleepingComputer
Pending DDoS risk
A report in late March from the managed detection and response division on the Kroll company investigation and danger consulting agency notes that some senders of comparable emails additionally threatened with DDoS assaults.
Kroll investigators say that beginning March 23 organizations began submitting an elevated variety of stories for emails acquired below the Silent Ransom Group identify.
It’s “a new wave of fake extorsion attempts,” Kroll responders say within the report, including that the authors use the names of better-known cybercriminals in an try to intimidate and provides legitimacy to the risk.
“This method is cheap and easily conducted by low-skilled attackers. Much like 419 wirefraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. We expect this trend to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals” – Kroll
Kroll has seen such incidents since 2021, though such exercise began in early November 2019, when non-paying victims additionally skilled DDoS assaults.
Nevertheless, the assaults had been low-level DDoS and got here with the specter of bigger ones until the extortionists obtained paid.
Such incidents echo the exercise of an extortion group that in 2017 despatched DDoS threats to hundreds of corporations below the names of notorious hacker teams on the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous).
Targeting ransomware assault victims
Another report from incident response firm Arete confirms Kroll’s observations about Midnight Group’s fraudulent emails impersonating Surtr and SRG and the bigger variety of messages delivered within the weeks earlier than March 24.
Based on their visibility, although, the incident responders noticed that Midnight focused organizations that had beforehand been victims of a ransomware assault.
According to Arete’s analysts, among the many preliminary attackers are QuantumLocker (at present rebranded as DagonLocker), Black Basta, and Luna Moth.
Arete says that at the least 15 of their present and former purchasers acquired pretend threats from the Midnight Group, which supported their knowledge theft claims with obscure particulars.
It is unclear how victims are chosen however one chance is from publicly out there sources, such because the preliminary attacker’s knowledge leak web site, social media, information stories, or firm disclosures.
However, Arete notes that the pretend attacker recognized some ransomware victims even when the data was not publicly out there, probably indicating collaboration with the preliminary intruders.
Ransomware actors typically promote the information they steal from victims even once they receives a commission. If Midnight Group has entry to the markets and boards the place this knowledge is traded or offered they may study ransomware victims which have but to reveal the cyberattack.
Empty threats since 2019
Midnight Group’s extortion rip-off shouldn’t be new. The tactic has been noticed in 2019 by ransomware incident response firm Coveware who calls it Phantom Incident Extortion.
Coveware explains that the risk actor tries to present credibility to the risk by utilizing knowledge that’s distinctive to the recipient goal, provides the stress of a expensive end result, and calls for fee that’s far lower than the harm of public publicity.
All these three elements are the mainstays of a phantom incident extortion (PIE) and a transparent indication of an empty risk.
Coveware initially offered 4 examples of PIE scams and up to date the report solely not too long ago with a pattern electronic mail from the Midnight Group.
All three corporations assess that Midnight Group’s threats are a part of a fraud marketing campaign. Arete’s try to interact with the actor resulted in no response or proof of stolen knowledge from the actor.
The suggestion is to fastidiously analyze such emails to acknowledge the elements of a phantom incident extortion message and dismiss them as an empty risk.