On June 21, Cl0p ransomware was busy releasing information of companies that it claimed to breach using the MOVEit vulnerability.
Amidst the muscle-flexing and threatening, it found time to post an odd message: a rejoinder.
The gist of the long, detailed message in unclear syntax, complete with bullet points, was this: we refute a BBC report that said that the ransomware group was posting empty threats.
Curiously, the message did not explicitly say so!
In an email exchange with the BBC, the Cl0p ransomware group claimed that they did not possess the data and had informed the payroll provider Zellis, which was breached to gain access to the victims’ data.
Cl0p was offended at the prospects of the world knowing a long-used tactic: ransomware gangs posting empty threats.
Cl0p, MOVEit bugs, and ransomware gangs posting empty threats
Cl0p has been pressuring victims to pay a ransom by posting company profiles on its darknet website since June 14.
In the days that followed, Cl0p gradually added the names, websites, and addresses of nearly 50 victims from various countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium.
The hack, initially announced by Progress Software, the makers of MOVEit, exposed vulnerabilities within the software that may have been exploited by different hackers.
As investigations continue, the US government has offered a $10 million reward for information linking the Cl0p gang or any other malicious cyber actors targeting critical infrastructure to a foreign government.
The situation is ongoing, and authorities, affected organizations, and cybersecurity experts are actively working to understand the extent of the breach and identify the responsible parties.
While some of the companies listed by Cl0p have confirmed separate data breaches, cybersecurity researchers warned that hundreds of organizations using the file transfer tool MOVEit have had their data stolen.
This included the BBC, British Airways, and Boots, who were customers of Zellis. However, the cybercriminals insist that they did not steal the Zellis data and claim to have informed the company accordingly.
Cybersecurity experts found Cl0p’s claims perplexing, adding to the complexity of the situation.
Some speculated that Cl0p may be concealing the fact that they sold the data to another hacking group, while others believe that another group may have accessed and stolen the data before Cl0p’s involvement.
The exact circumstances surrounding the data breach remain uncertain.
“I emailed Clop after wondering why they haven’t posted any of the big U.K. orgs which have had data stolen. ‘We don’t have that data’ they repeatedly claimed,” BBC reporter Joe Tidy tweeted.
“They also claim not to have sold it. A confusing picture but it raises other possibilities about this ongoing mass hack.”
The Cyber Express found that mounting fake threats as an extortion tactic is a common practice of threat actors.
Ransomware gangs posting empty threats: An established tactic
The Cyber Express contacted security analysts working across geographies. All of them have seen instances of ransomware gangs posting empty threats.
In fact, an entire gang of fake extortionists were found exploiting recent data breaches and ransomware incidents, posing as legitimate ransomware gangs to extort payment from U.S. companies.
These malicious actors, operating under the name “Midnight Group,” have been active since at least March 16, employing various tactics to coerce their victims.
Impersonating well-known ransomware and data extortion groups, the attackers have sent emails to targeted organizations, claiming responsibility for data breaches and the theft of substantial amounts of important information.
In one instance, an email was sent to an employee of a petroleum additives holding company, asserting affiliation with the Silent Ransom Group (SRG), also known as Luna Moth.
Interestingly, the same message used the name of another threat actor, the Surtr ransomware group, in the subject line, which first appeared in December 2021.
BleepingComputer discovered another email from the Midnight Group, where they professed to be the culprits behind a data breach, alleging the theft of 600GB of crucial data from servers.
Strikingly, this message was sent to a senior financial planner who had left the targeted company over six months prior.
In addition to data theft claims, some of these fake extortionists have threatened victims with distributed denial-of-service (DDoS) attacks if they fail to comply with the instructions provided in the messages.
Corporate investigation and risk consulting firm Kroll reported an increase in the number of such emails received under the Silent Ransom Group name since March 23.
The authors of these emails, who utilize the names of well-known cybercriminals, aim to intimidate and legitimize their threats.
According to Kroll, this method of scamming is cost-effective and easily conducted by low-skilled attackers.
Similar to wire fraud scams, these fake extortion attempts rely on social engineering tactics to pressure victims into paying before a given deadline.
Kroll predicts that this trend will continue indefinitely, as it generates revenue for cybercriminals.
Arete, an incident response company, has confirmed Kroll’s observations regarding the Midnight Group’s fraudulent emails.
Arete noted that the group primarily targets organizations that have previously fallen victim to ransomware attacks.
The initial attackers identified by Arete include QuantumLocker (now rebranded as DagonLocker), Black Basta, and Luna Moth.
At least 15 current and former clients of Arete have received fake threats from the Midnight Group, with the group supporting their claims of data theft using vague details.
It remains unclear how the victims are selected, but it is speculated that publicly available sources, such as leaked data from initial attackers, social media, news reports, or company disclosures, may play a role.
However, Arete also discovered instances where the fake attackers identified ransomware victims whose information was not publicly available, suggesting possible collaboration with the initial intruders.
This type of extortion scam is not new and was previously observed in 2019 by Coveware, a ransomware incident response company.
Coveware named it “Phantom Incident Extortion,” explaining that the threat actors use unique data about the targeted organization to lend credibility to their threats.
They also emphasize the potential costly consequences and demand a payment amount significantly lower than the damages that could arise from public exposure.
Both Coveware and Arete classify the Midnight Group’s threats as part of a fraud campaign. Attempts by Arete to engage with the group yielded no response or evidence of stolen data.
“Many organizations don’t realize they’re breached until the attackers disclose it to them,” Paul Bischoff, consumer privacy advocate at Comparitech, told The Cyber Express.
“So it’s not beyond the realm of possibility that an organization would believe a bogus threat and pay up under the assumption that the breach went unnoticed.”
Experts advise carefully analyzing such emails, recognizing the components of a phantom incident, confirming that the threat that you receive could be bogus.
The motivations behind ransomware gangs posting empty threats
Most ransomware resort to what is known as “double extortion,” where attackers not only encrypt the victim’s data but also steal them and threaten to release or sell it if the ransom is not paid.
On the other hand, cybersecurity researchers put ransomware gangs posting empty threats as downright fraud.
“Ransomware gangs that threaten leaks often post a sample of the stolen data to prove they do in fact have it,” Paul Bischoff, Consumer privacy advocate at Comparitech.
“In those cases I’d estimate almost all of them are legitimate. If they don’t post a sample, then I wouldn’t trust it.”
According to most of the researchers whom The Cyber Express interviewed for this report, the purpose of ransomware gangs posting empty threats is to increase the pressure on the victim to gains some quick money.
This strategy of ransomware gangs posting empty threats aims at exploiting the victim’s concerns about reputational damage, regulatory compliance violations, or the potential impact of data leaks.
Richard Caralli, Senior Cybersecurity Advisor at Axio, suggested another possibility.
“If attackers can get you to believe they have you, you’ll be willing to engage them which ironically might open the door to a real attack. It’s a ploy to get you to let them in,” he told The Cyber Express.
There are several possible motives behind ransomware gangs posting empty threats, even when they do not possess the victim’s data.
These motives can vary depending on the specific circumstances and goals of the attackers.
According to the cybersecurity researchers, these could be a few potential reasons behind ransomware gangs posting empty threats:
Psychological pressure: By claiming to have accessed and stolen sensitive data, attackers aim to create a sense of urgency, fear, and panic in the victim.
The psychological pressure may push the victim to pay the ransom quickly without questioning or verifying the validity of the claims.
Enhanced bargaining position: Empty threats can strengthen the bargaining position of the attackers during negotiations.
If victims believe their data is at risk, they may be more inclined to meet the ransom demands promptly and without negotiation.
The attackers may leverage the fear of potential data exposure to extract a higher ransom payment.
Reputation damage: The mere suggestion of a data breach or leak can erode public trust, impact customer confidence, and potentially harm the victim’s brand image, regardless of whether the claims are valid or not.
“Besides reaping the obvious financial rewards, making false claims about successful attacks hurts the reputation of the attacked organization,” told The Cyber Express
Deterrence and future leverage: By making empty threats, attackers can establish a reputation for being capable of data breaches and leaks, even if they have not actually executed them in a particular instance.
This reputation can serve as a deterrent to future targets and provide the attackers with a perceived advantage when attempting future extortion or negotiating with victims.
Disruption and distraction: Posting empty threats can also serve as a diversionary tactic.
It draws the victim’s attention to the data breach claim, potentially distracting them from other aspects of the attack, such as attempts to remove the ransomware or other malicious activities within the compromised network.
It’s important to note that these motives may not apply universally to all ransomware gangs, as different groups may have their own specific motivations and strategies, researchers pointed out.
Each attack should be assessed on a case-by-case basis, and victims should engage with cybersecurity experts to evaluate the credibility of the threats and determine the appropriate response.
How do organisations identify ransomware gangs posting empty threats?
“In my opinion, there are two clear signs of a bluff: repeated attempts and an increase in the ransom demand,” Axio’s Richard Caralli told The Cyber Express.
“Claims are most likely bogus when attackers make an attempt, threaten some retaliatory behavior, fail to retaliate, and then make another attempt.”
“The ransomware gang should be able to prove they’ve accessed your data by showing you a sample of it,” said Comparitech’s Bischoff.
According to Caralli, it’s another form of blackmail, where targeted individuals receive threat emails that claim to have pictures or videos of them.
If they don’t pay the ransom, they will release them to everyone in their contact list. Ransomware gangs often use this tactic with organizations as well to test their reaction to the attack, he said.
“If they offer no evidence of having something of value to you or your organization as an indication of their intent to proceed with an attack, it’s likely they are bluffing.
“Remember: their first inclination often is not to follow through with the threat; it’s to get you to pay them NOT to do it.”