Ransom gangs are coming after… me

Should we be flattered? Ransomware gangs are increasingly adopting a charm offensive against journalists, soliciting our attention so they can control the narrative about their actions. Of course, we should be wary, cautions analyst Sophos.

The cybersecurity watchdog conducted an investigation of dark web cybercriminal forums and ransom gang leak sites to reveal apparent efforts by such groups to complement their regular hacking activities with publicity-focused life hacks.

“Far from shying away from the press, as so many threat actors did in the past, some ransomware gangs have been quick to seize the opportunities it affords them,” said Sophos, adding that digital extortionists have taken to writing FAQs for journalists visiting their leak sites, encouraging reporters to contact them, and offering in-depth interviews. Some are even said to have recruited writers directly.

“Media engagement provides ransomware gangs with both tactical and strategic advantages,” it added. “It allows them to apply pressure to their victims while also enabling them to shape the narrative, inflate their own notoriety and egos, and further ‘mythologize’ themselves.”

Interviews given to news-hungry reporters are thinly veiled attempts to justify threat actors’ crimes and, worse yet, recruit new members to their gangs, Sophos added. Beyond that, dedicated PR and other press-focused ‘departments’ are springing up within ransomware outfits.

“Some threat actors are increasingly professionalizing their approach to press and reputational management, publishing so-called ‘press releases,’ producing slick graphics and branding, and seeking to recruit English writers and speakers on criminal forums,” it said.

Write what we say!

And, of course, when journalists choose not to play ball, the threat actors quickly revert to type, turning nasty and censuring reporters who don’t portray them in a favorable light.

“Recently, we’ve seen several examples of ransomware actors disputing journalists’ coverage of attacks, and attempting to correct the record – sometimes throwing insults at specific reporters into the bargain,” said Sophos. “While this has implications for the wider threat landscape, it also has ramifications for individual targets.”

This is because, as well as having to worry about losses to revenue and reputation, organizations targeted by gangs are “now forced to watch” as they “scrap with the media in the public domain – with every incident fuelling more coverage and adding further pressure [to the victim].”

“Ransomware gangs are very conscious that the press considers their activities newsworthy, and will sometimes link to existing coverage of themselves on their leak sites,” said Sophos. “This reinforces their ‘credentials’ as a genuine threat for the benefit of visitors, including reporters and new victims – and, in some cases, is likely an ego trip as well.”

Flattery will get you everywhere…

Ransomware group Vice Society recently even posted a dedicated shoutout to one reporter on a blog it apparently started for just such a purpose, in which it thanked them for what it described as “one of our favorite articles” detailing its latest crime spree.

This journalist isn’t about to fall for the same trick, so said reporter can go unnamed in this article, as will the story referenced by the gang, but it’s indicative of a worrying trend in cybersecurity journalism.

Reporters’ natural urge to nail a good story is being exploited and manipulated by cunning criminals, who even offer exclusive scoops on leak sites and Telegram channels in what Sophos describes as a campaign to “actively solicit journalists.”

Cybersecurity analyst Sophos points out that charm offensives launched by ransom gangs targeting reporters can quickly go from charming to, well, offensive.

“We highly respect the work of journalists and consider accessibility to be our priority,” said RansomHouse in a recent post, which offers a “special program” that “includes sharing information for a few hours or even days before it is officially published on our news website.”

Journalists prepared to go along with this Faustian pact are required to undergo a ‘know your customer’-type due diligence examination – further evidence of cybercriminals increasingly aping the legitimate business world to boost their credibility (this naturally assumes one believes that big business is itself respectable, but that is a whole other area for debate).

Other gangs on Sophos’ radar that have adopted a similar approach include Rhysida, Snatch, and 8Base, indicating that this appears not to be a flash in the pan but a trend that’s on the rise and here to stay.

Vice Society even pledges in its FAQs section to try to respond to journalist queries within 24 hours – a nod to the deadline-focused work of reporters. And Dunghill Leak even uses the media itself as leverage for its extortion of ransomware victims, threatening to share stolen data with unscrupulous reporters if its demands for payment are not met.

Well, this is awkward…

This blurring of the lines between my profession and the criminals I’m supposed to be reporting on is rather disconcerting, and forces me to ponder whether those juicy exclusives are always worth pursuing after all.

Sophos, at least, seems to understand my dilemma: “Many journalists will recognize the feeling of having qualms about the activities, ethics, and motivations of many public figures, while also knowing that reporting on those figures is in the public interest. And, like it or not, some ransomware actors are on their way to becoming public figures.”

But whether that’s true or not, the prospect of threat actors increasingly “managing the media” should sound an alarm bell for any responsible reporter.

“They are conscious that cultivating media relationships is useful for achieving their own objectives and refining their public image,” Sophos said.

And while many of the overtures being made by cybercriminals in this area are currently “crude and amateurish” and fall well short of the Machiavellian big business model they seek to emulate, expect the crooks to catch up fast.

“Initiatives such as dedicated PR Telegram channels, FAQs for journalists, and attempts to recruit journalists/writers may grow and evolve,” said Sophos. “And as with many aspects of ransomware – and the threat landscape in general – commodification and professionalization are on the rise. It’s not unfeasible that in the future, ransomware groups may have dedicated, full-time PR teams: copywriters, spokespeople, even image consultants.”

At least it’s nice to know that my future employment prospects as a writer are looking brighter than ever. Just kidding, of course…