A number of publications in September warned of the emergence of “Groove,” a new ransomware group that had called on rival extortion gangs to unite in attacking U.S. government interests online. Now it appears Groove was little more than an elaborate hoax designed to toy with security companies and journalists.
Groove was first announced on August 22 on RAMP, a new and fairly exclusive Russian-language darknet cybercrime forum.
“GROOVE is first and foremost an aggressive, financially motivated criminal organization that has been engaged in industrial espionage for about two years,” wrote the administrator of RAMP, “Orange,” in a post inviting forum members to enter a contest to design a website for the new group. “Let’s be clear that we don’t do anything for no reason, so at the end of the day we are the ones who will benefit the most from this competition.”
According to a report published by McAfee, Orange launched RAMP to appeal to ransomware threat actors who had been kicked out of major cybercrime forums for being too toxic, or to cybercriminals who complained they had been cheated or stiffed entirely by various ransomware affiliate programs.
The report said RAMP was the product of a dispute between members of the Babuk ransomware gang, and that its members were likely connected to another ransomware group called BlackMatter.
“[McAfee] believes, with great confidence, that the Groove gang is a former affiliate or sub-group of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them,” the report states. “So an affiliation with the BlackMatter gang is likely.”
During the first week of September, Groove posted on its darknet blog nearly 500,000 login credentials for customers of Fortinet VPN products: usernames and passwords that could be used to log in remotely to the affected systems. Fortinet said the credentials had been harvested from devices that had not yet applied a patch it released in May 2019.
Some security experts suggested that the purpose of posting the Fortinet VPN usernames and passwords was to attract new affiliates to Groove. But it now seems more likely that the credentials were released simply to draw the attention of security researchers and journalists.
Over the past week, Groove’s darknet blog has disappeared. In a post on the Russian-language cybercrime forum XSS, an established cybercrook using the handle “Boriselcin” explained that Groove was little more than a pet project aimed at trolling the media and the security industry.
“For those who don’t understand what’s going on: I created a fake Groove Gang and named myself gang,” Boriselcin wrote. The post continues:
“They ate it. I threw out an old Fortinet of 500,000 [access credentials] that no one needed, and they ate it. I say I’m going to target the US government sector, and they eat it. Few journalists realized that this was all just a show, a fake and a scam! And my respect goes to those who understood it. I don’t even know what to do now with this blog with a ton of traffic. Maybe sell it? Now I just need to start writing [the article], but I can’t start writing it without checking everything.”
A review of Boriselcin’s recent posts on XSS indicates that he had been planning this stunt for several months. On September 13, Boriselcin posted that “several topics are maturing” and that he intended to publish an article on the deception of the media and security companies.
“Manipulation of large media and information security companies via a ransom blog,” he wrote. “It’s so funny to read Twitter and the news these days :) But the result is great so far. Triggering executives of information security companies. We screw up the supply chain from the office of information security.”
Throughout its short existence, Groove listed only a handful of victims on its darknet victim-shaming blog, leading some to conclude that the group was not much of a threat.
“I wouldn’t take this call too seriously,” tweeted The Record’s Catalin Cimpanu in response to tweets about Groove’s rallying cry to attack U.S. government interests. “Groove are low-level players with little skill.”
Normally, when a cybercrime forum or business turns out to be bogus or a scam, we learn that it was all an undercover operation by federal investigators in the United States and/or other countries. Perhaps the main reason we don’t see more stunts like Boriselcin’s is that there isn’t really any money in it.
But that doesn’t mean his cynical ploy fails to serve a larger goal. Over the past few years, we have seen several ransomware gangs reinvent themselves and rebrand to evade prosecution or economic sanctions. From this perspective, anything that confuses the media and the security industry and diverts their time and attention from real threats is a clear win for the cybercriminal community.
Tom Hoffmann, senior vice president of intelligence at Flashpoint, said mocking Western media and journalists is a constant theme of conversation on leading cybercrime forums.
“It is clear that criminal actors read all press releases and statements on Twitter about them,” Hoffmann said. “We know some of them just want to hurt the West, so this type of trolling is likely to continue. With the high level of attention this one has received, I guess we’ll see more imitators soon.”