Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid.
Sometimes the actors add the threat of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message.
Bad actors
The attackers behind this activity use the name Midnight and have been targeting companies in the U.S. since at least March 16.
They have also impersonated some ransomware and data extortion gangs in emails and claimed to be the authors of the intrusion, stealing hundreds of gigabytes of important data.
In one email to the employee of a holding company in the petroleum components business, the threat actor claimed to be the Silent Ransom Group (SRG), a splinter of the Conti syndicate focused on stealing data and extorting the victim, also known as Luna Moth.
The same message, however, used in the subject line the name of another threat actor, the Surtr ransomware group, first seen encrypting company networks in December 2021.
BleepingComputer found another email from Midnight Group, professing that they were the authors of the data breach and that they stole 600GB of “essential data” from the servers.
The messages were sent to the address of a senior financial planner who had left the target company more than half a year earlier.
Pending DDoS threat
A report in late March from the managed detection and response division at the Kroll corporate investigation and risk consulting firm notes that some senders of similar emails also threatened DDoS attacks.
Kroll investigators say that beginning March 23 organizations started submitting an increased number of reports for emails received under the Silent Ransom Group name.
It’s “a new wave of fake extortion attempts,” Kroll responders say in the report, adding that the authors use the names of better-known cybercriminals in an attempt to intimidate and give legitimacy to the threat.
“This method is cheap and easily conducted by low-skilled attackers. Much like 419 wirefraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. We expect this trend to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals” – Kroll
Kroll has seen such incidents since 2021, though such activity started in early November 2019, when non-paying victims also experienced DDoS attacks.
However, the attacks were low-level DDoS and came with the threat of larger ones unless the extortionists got paid.
Such incidents echo the activity of an extortion group that in 2017 sent DDoS threats to thousands of companies under the names of notorious hacker groups at the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous).
Targeting ransomware attack victims
Another report from incident response firm Arete confirms Kroll’s observations about Midnight Group’s fraudulent emails impersonating Surtr and SRG and the larger number of messages delivered in the weeks before March 24.
Based on their visibility, though, the incident responders noticed that Midnight targeted organizations that had previously been victims of a ransomware attack.
According to Arete’s analysts, among the initial attackers are QuantumLocker (currently rebranded as DagonLocker), Black Basta, and Luna Moth.
Arete says that at least 15 of their current and former clients received fake threats from the Midnight Group, which supported their data theft claims with vague details.
It is unclear how victims are chosen, but one possibility is from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures.
However, Arete notes that the fake attacker identified some ransomware victims even when the information was not publicly available, possibly indicating collaboration with the initial intruders.
Ransomware actors often sell the data they steal from victims even when they get paid. If Midnight Group has access to the markets and forums where this data is traded or sold, they could learn of ransomware victims that have yet to disclose the cyberattack.
Empty threats since 2019
Midnight Group’s extortion scam is not new. The tactic was observed in 2019 by ransomware incident response firm Coveware, which calls it Phantom Incident Extortion.
Coveware explains that the threat actor tries to give credibility to the threat by using data that is unique to the recipient target, adds the pressure of a costly consequence, and demands a payment that is far lower than the damage of public exposure.
All three of these elements are the mainstays of a phantom incident extortion (PIE) and a clear indication of an empty threat.
Coveware initially provided four examples of PIE scams and updated the report only recently with a sample email from the Midnight Group.
All three companies assess that Midnight Group’s threats are part of a fraud campaign. Arete’s attempt to engage with the actor resulted in no response or evidence of stolen data from the actor.
The recommendation is to carefully analyze such emails to recognize the elements of a phantom incident extortion message and dismiss them as an empty threat.
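As an added illustration (not code from the article or from Kroll, Arete or Coveware), the Python triage helper below checks an extortion email for the PIE elements the article lists: a borrowed gang name or an unproven data-volume claim, a costly consequence with a deadline, and a payment demand. The group-name list, the regexes and the sample message are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Names the article reports Midnight using or impersonating; an assumed starter list.
IMPERSONATED_GROUPS = ("silent ransom group", "luna moth", "surtr", "midnight group")

# Each check maps to one of the PIE elements Coveware describes:
# borrowed credibility, pressure of a costly consequence, and a cheap demand.
CHECKS = {
    "impersonates_known_group": lambda t: any(g in t for g in IMPERSONATED_GROUPS),
    # a data volume is claimed but no sample, file listing or download is offered
    "volume_claim_without_proof": lambda t: bool(re.search(r"\b\d+\s*(gb|tb)\b", t))
        and not re.search(r"sample|file list|download|proof", t),
    "publication_threat": lambda t: bool(re.search(r"(publish|leak|sell)\b.{0,40}(data|files)", t)),
    "ddos_threat": lambda t: bool(re.search(r"\bddos\b|denial.of.service", t)),
    "deadline_pressure": lambda t: bool(re.search(r"\b(within|in)\s+\d+\s*(hours?|days?)\b|deadline", t)),
    "payment_demand": lambda t: bool(re.search(r"\b\d[\d,.]*\s*(btc|bitcoin|usd|\$)|\$\s*\d", t)),
}

@dataclass
class PieAssessment:
    indicators: list[str] = field(default_factory=list)

    @property
    def likely_pie(self) -> bool:
        # All three mainstays together (borrowed credibility, pressure, demand)
        # are the article's signal of an empty threat; any one alone is not enough.
        found = set(self.indicators)
        credibility = {"impersonates_known_group", "volume_claim_without_proof"} & found
        pressure = {"publication_threat", "ddos_threat", "deadline_pressure"} & found
        return bool(credibility) and bool(pressure) and "payment_demand" in found

def assess_pie(email_text: str) -> PieAssessment:
    text = email_text.lower()
    return PieAssessment([name for name, check in CHECKS.items() if check(text)])

# Constructed sample modelled on the emails the article describes; not a real message.
SAMPLE_EMAIL = """Subject: Surtr - your network was breached
We are the Silent Ransom Group. We have exfiltrated 600GB of essential data
from your servers. Pay 2 BTC within 72 hours or we publish the data and
launch a DDoS attack against your infrastructure."""

if __name__ == "__main__":
    result = assess_pie(SAMPLE_EMAIL)
    print(result.indicators, "-> likely PIE:", result.likely_pie)
```

A hit on `likely_pie` is a reason to verify independently (recent incident records, the named group's actual leak site) before anyone engages with the sender, not a verdict on its own.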