Chris Swagler | March 1st, 2024


Recently, ransomware groups have undergone a significant transformation in their approach to publicity and news media engagement. Traditionally discreet, these cybercriminals have now actively sought out journalists to influence narratives, apply pressure on victims, and even attract new members to their illicit operations. Researchers at a cybersecurity company have delved into this evolving phenomenon, shedding light on the intricate ways ransomware groups utilize the news media landscape.

One cybersecurity team was prompted to investigate the intersection of cybercriminal activities and the information space during the September 2023 Las Vegas casino breaches. The company noted a strategic shift wherein these criminal groups not only operate in the technical realm but also actively engage in shaping the narrative within the information space.

One key tactic ransomware groups employ is establishing a presence in the news media by providing journalists with FAQs, publishing press releases, offering interviews, and even recruiting English-speaking writers. This engagement serves a dual purpose: it allows the groups to shape the narrative while applying pressure to victims proactively, ultimately ensuring they receive the demanded ransom.

The significance of news media engagement extends beyond tactical advantages, as it contributes to the groups’ overall visibility, brand awareness, and the cultivation of a notorious image. Ransomware groups have adopted a communication strategy reminiscent of legitimate businesses, leveraging the information space to further their criminal objectives.

During the Las Vegas cyberattacks, a notable example was observed when the threat actor responded to perceived inaccuracies in media coverage by publishing a comprehensive article detailing the intrusion methods. This sophisticated communication tactic aimed to establish credibility, assert control over the narrative, and showcase technical prowess, mirroring legitimate threat research teams.

For cybersecurity practitioners and incident responders, the shift toward information space engagement poses new challenges. Beyond technical responses, organizations must now develop effective communication strategies to navigate the complexities of publicly addressing cyberattacks and counter the narratives presented by cybercriminals.

In the realm of journalism, the increased willingness of ransomware groups to engage with the media raises ethical and philosophical dilemmas. While an on-the-record interview with a cybercriminal may seem valuable, journalists must navigate the fine line between reporting in the public interest and inadvertently providing a platform for criminal enterprises.

To address these challenges, the cybersecurity team offers recommendations for those covering cybersecurity issues. Journalists are advised to refrain from engaging with threat actors unless it serves the public interest, provide information solely to aid defenders, avoid glorifying threat actors, and support fellow journalists targeted by attackers. Additionally, naming or crediting threat actors should be done only when purely factual and in the public interest.

The report highlights various ransomware groups, such as RansomHouse, Alphv/BlackCat, Karakurt, Vice Society, Snatch, and LockBit, showcasing their diverse approaches to media manipulation. Some have even established dedicated channels for public relations on platforms like Telegram.

As ransomware groups continue to evolve and professionalize, the report warns that they might eventually have dedicated PR teams, further blurring the lines between cybercrime and legitimate businesses. With an increased focus on managing the media, ransomware groups are becoming public figures, complicating matters for reporters covering their activities.

The intersection of ransomware and media engagement reveals a complex landscape where cybercriminals strategically navigate information spaces to maximize their gains. Defenders, both technical and communicative, must adapt to this new reality to effectively counter the evolving threat posed by ransomware groups.

At SpearTip, our advisory services are your solution to safeguard and counter complex cyber threats. Our team is equipped to address security issues, including ransomware, business email compromise, and insider threats. By identifying weak points in your system and addressing them, we continually work towards improving your security posture. Our Security Operations Center remains staffed 24/7/365, working in a continuous investigative cycle to respond to unwarranted intrusions at a moment’s notice. Within minutes of engagement, SpearTip can respond to the breach and reclaim networks within hours. Then, we deliver a detailed report for comprehensive understanding.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.



Frequently Asked Questions

How are ransomware groups specifically targeting victims through news media?

Ransomware groups are targeting victims through news media by leveraging the trust that people have in established news sources. These groups are creating fake news stories or advertisements that contain malicious links or attachments, which, when clicked, can lead to the installation of ransomware on the victim's device.

Are there any recommended measures or strategies that individuals or organizations can take to protect themselves from these targeted attacks?

There are several measures that individuals and organizations can take to protect themselves from ransomware attacks. These include regularly backing up important data, using strong and unique passwords, being cautious of suspicious emails or links, and ensuring that all software and systems are kept up-to-date with the latest security patches. It is also recommended to have a comprehensive incident response plan in place in case of a ransomware attack.
