Ransomware Groups Using News Media To Target Their Victims

Recently, ransomware groups have undergone a significant transformation in their approach to publicity and news media engagement. Traditionally discreet, these cybercriminals have now actively sought out journalists to influence narratives, apply pressure on victims, and even attract new members to their illicit operations. Researchers at a cybersecurity company have delved into this evolving phenomenon, shedding light on the intricate ways ransomware groups utilize the news media landscape.

One cybersecurity team was prompted to investigate the intersection of cybercriminal activities and the information space during the September 2023 Las Vegas casino breaches. The company noted a strategic shift wherein these criminal groups not only operate in the technical realm but also actively engage in shaping the narrative within the information space.

One key tactic ransomware groups employ is establishing a presence in the news media by providing journalists with FAQs, publishing press releases, offering interviews, and even recruiting English-speaking writers. This engagement serves a dual purpose: it allows the groups to shape the narrative while applying pressure to victims proactively, ultimately ensuring they receive the demanded ransom.

The significance of news media engagement extends beyond tactical advantages, as it contributes to the groups’ overall visibility, brand awareness, and the cultivation of a notorious image. Ransomware groups have adopted a communication strategy reminiscent of legitimate businesses, leveraging the information space to further their criminal objectives.

During the Las Vegas cyberattacks, a notable example was observed when the threat actor responded to perceived inaccuracies in media coverage by publishing a comprehensive article detailing the intrusion methods. This sophisticated communication tactic aimed to establish credibility, assert control over the narrative, and showcase technical prowess, mirroring legitimate threat research teams.

For cybersecurity practitioners and incident responders, the shift toward information space engagement poses new challenges. Beyond technical responses, organizations must now develop effective communication strategies to navigate the complexities of publicly addressing cyberattacks and counter the narratives presented by cybercriminals.

In the realm of journalism, the increased willingness of ransomware groups to engage with the media raises ethical and philosophical dilemmas. While an on-the-record interview with a cybercriminal may seem valuable, journalists must navigate the fine line between reporting in the public interest and inadvertently providing a platform for criminal enterprises.

To address these challenges, the cybersecurity team offers recommendations for those covering cybersecurity issues. Journalists are advised to refrain from engaging with threat actors unless it serves the public interest, provide information solely to aid defenders, avoid glorifying threat actors, and support fellow journalists targeted by attackers. Additionally, naming, or crediting threat actors should be done only when purely factual and in the public interest. The report highlights various ransomware groups, such as RansomHouse, Alphv/BlackCat, Karakurt, Vice Society, Snatch, and LockBit, showcasing their diverse approaches to media manipulation. Some have even established dedicated channels for public relations on platforms like Telegram.

As ransomware groups continue to evolve and professionalize, the report warns that they might eventually have dedicated PR teams, further blurring the lines between cybercrime and legitimate businesses. With an increased focus on managing the media, ransomware groups are becoming public figures, complicating matters for reporters covering their activities. The intersection of ransomware and media engagement reveals a complex landscape where cyber criminals strategically navigate information spaces to maximize their gains. Defenders, both technical and communicative, must adapt to this new reality to effectively counter the evolving threat posed by ransomware groups. At SpearTip, our advisory services are your solution to safeguard and counter complex cyber threats. Our team is equipped to address security issues, including ransomware, business email compromise, and insider threats. By identifying weak points in your system and addressing them, we continually work towards improving your security posture. Our Security Operations Center remains staffed 24/7/365, working in a continuous investigative cycle to respond to unwarranted intrusions at a moment’s notice. Within minutes of engagement, SpearTip can respond to the breach and reclaim networks within hours. Then, we deliver a detailed report for comprehensive understanding.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.