Malicious mind games: why cybercriminals fake ransomware attacks

Reports of cybercriminals' mischief are greatly exaggerated. Infamous gangs like Lapsus$ and LockBit have been caught red-handed faking massive cyberattacks. What's in it for them?

With an average ransomware attack costing a company $1.4 million in 2021, it’s not hard to see why cybercriminals are in this lucrative business. But profit is not always the end goal of hackers – which is why they occasionally fake their attacks.

Let’s have a look at three instances when famous ransomware gangs made the headlines by falsely claiming to have hacked major companies and learn what they got out of it.

Clop: how to become famous in one imaginary hack

Clop has emerged as a ransomware gang over the last couple of years, using multilevel extortion methods in its attacks and illegally obtaining around $500 million from victims. However, it is still a relatively new and minor player amongst ransomware groups, which makes PR stunts all the more valuable to it.

Earlier this month, Clop stated that it had hacked one of the largest utility companies in the UK (serving over 15 million customers) known as Thames Water.

The Clop ransomware gang announced that they’ve spent “months” in the company’s systems, seeing “first hand evidence of very bad practice.” According to them, they managed to get access to PII, passports, driving licenses, credentials, and could potentially change the chemical composition of the company’s water supply.

“Clop is not political organization and we do not attack critical infrastructure or health organizations. We decide that we do not encrypt this company, but we show them that we have access to more of 5TB of data,” the group said in a statement.

The group went on to argue that they expected payment to pinpoint what exactly needed to be fixed but didn’t receive it because “they are not interested to fix.”

Thames Water went on to deny the claims by saying that they are not facing a cyberattack.

As it turned out, a different water provider was affected by Clop – South Staffordshire PLC (the parent company of South Staffs Water and Cambridge Water) with over a million customers. Based on the presented screenshots, it becomes quite clear that the affected users belong to South Staffordshire PLC, which makes it unlikely that the group had accidentally misidentified their target.

It remains unclear how such misidentification could have happened in the first place. We can only speculate that Clop decided to make use of a bigger name to bring attention to the hack and to the group itself.

Lapsus$: much ado about nothing?

Lapsus$ is a relatively well-known name in the cybersecurity industry. Between December 2021 and March 2022, the group managed to target over 15 firms in Latin America and Portugal, delete 50 terabytes of COVID-19 data stored on Brazil’s Ministry of Health servers, and go after tech giants like Samsung.

What makes them stand out is their different approach to malicious attacks.

“Unlike most activity groups that stay under the radar, DEV-0537 [Lapsus$] doesn’t seem to cover its tracks,” Microsoft noted.

Yet, run by a teenager living in the UK, the group often falls into the trap of fame-seeking, which causes them to exaggerate the effects of their campaigns.

Back in March, Okta, a San Francisco-based identity and access management company serving around 15,000 customers, announced that it was investigating a report of a breach.

The report suggested that threat actors had gained access to a technical support engineer’s account and could potentially put customers at risk. Screenshots emerged from the hacking group Lapsus$, which claimed responsibility for the hack. These screenshots indicated that the group could reset a user's password and might even have access to Okta's Slack workspace.

Worries flew high at the time. The breach did not only put the trust in Okta’s security in question but also caused concerns for its many customers, including other technology platforms.

As the events unfolded, it became apparent that Okta was already aware of the hack two months prior to the release of screenshots.

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.”

“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta told Cybernews via email.

According to Okta, the screenshots were taken from a computer used by support engineers at Sitel, a third-party provider of customer support to Okta, which Lapsus$ had access to over a period of five days. Lapsus$, on the other hand, wrongly claimed that it had access to the systems for two months and that the screenshots reflected the contents of Okta’s internal systems.

“Cybercriminal actors often conduct PR exercises in order to bolster their claims. For Lapsus$, this was highlighted by several of the group’s initial posts stating, ‘you have suffered from a ransomware attack,’” Senior Cyber Threat Intelligence Analyst at Digital Shadows Chris Morgan said.

As it turned out, only 366 (approximately 2.5%) of Okta’s customers were affected by the breach, which, apparently, lasted only 25 minutes. During that time, Lapsus$ did not manage to authenticate directly to any customer accounts or make configuration changes, according to Okta.

The case of Lapsus$ turned out to be a disinformation campaign more than anything else. By strategically releasing screenshots with intriguing captions, the group managed to gain much attention for what was initially advertised as “a disastrous breach.”

LockBit: fake it to send the message across

LockBit has been making the headlines since its launch in 2019 under the name “ABCD,” eventually becoming one of the most prolific ransomware groups in the cyber underworld. Thousands of attacks orchestrated by the gang hit multiple countries and numerous industries. But even LockBit did not shy away from faking some of their hacks.

Back in June, LockBit claimed to have hacked the American cybersecurity firm Mandiant, gaining access to its internal systems and stealing 356,841 files to leak online.

Mandiant responded by saying that it was looking into the claims but had no evidence yet that they were true.

LockBit promised to release the files the same day. However, the data eventually published was not related to Mandiant and contained only a statement distancing the group from Evil Corp, a Russia-based ransomware group sanctioned by the US.

The statement related to Mandiant’s blog post published earlier that week, which linked LockBit to Evil Corp. LockBit argued that although the two groups use some of the same tools, this fact alone cannot constitute evidence of an affiliation.

"Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI and so on," said LockBit's statement released in a supposed leak.

The whole thing turned out to be a carefully orchestrated PR stunt. But what was in it for LockBit?

Evil Corp has been on the US Department of the Treasury's sanctions list since 2019 for using Dridex malware to steal $100 million in 40 countries worldwide. Additionally, the US Department of State offers a $5 million bounty for information on Evil Corp member Maksim Yakubets. LockBit, in turn, is not under sanctions, although it is definitely on shaky ground, with the FBI issuing warnings about it in February.

Hence, although paying ransoms is not illegal in most countries, paying them to a group associated with Evil Corp could have put an end to the “grey legality” of LockBit’s operations.
