Ransomware actors have been observed using a new tactic in their ransom notes: posting advertisements to seek insider information. Researchers at the GroupSense threat intelligence team shared the finding with Dark Reading. Their screenshots show the strategies employed by these cybercriminal gangs, including Sarcoma and DoNex, a group believed to be impersonating LockBit ransomware.
One such ransom note contained the customary details indicating the dire situation of the targeted company, the destruction of backups, and export of databases. However, a unique twist was added further down in the message – a call for insider information. The note stated, “If you help us find this company’s dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us.”
In another ransom note, the threat actors enticed potential collaborators with promises of vast financial gain. The message read, “Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc.”
Furthermore, the threat actors provided instructions on how interested parties could initiate communication and launch viruses on their work computers. Communication was to take place over the Tox messenger, where, according to the note, users’ privacy is “guaranteed.”
Kurtis Minder, the CEO and founder of GroupSense, expressed surprise at this new development, noting that while the company regularly encounters ransom notes during incident response, it was only recently that the team noticed these “pseudo advertisements” at the bottom of the notes.
“I’ve been asking my team and kind of speculating as to why this would be a good place to put an advertisement,” Minder commented. “I don’t know the right answer, but obviously these notes do get passed around.” He suggested that these cybercriminals might have a casual attitude towards incorporating such ads into their ransom notes, with one group starting a new tactic and others then following suit.
However, Minder cautioned individuals against entertaining offers from cybercriminals, emphasizing the high risks involved. “These folks have no accountability, so there’s no guarantee you would get paid anything,” he warned. Attempting to capitalize on such offers could have unfavorable outcomes.
GroupSense is currently reviewing past ransom notes to identify any earlier instances of this trend, with Minder anticipating the discovery of more advertisements in addition to those already found.
The rise of these new tactics in ransom notes comes amidst a surge in ransomware activity, with cyber attackers generating substantial profits despite increased law enforcement actions taken over the past year. The cybersecurity landscape continues to evolve, presenting new challenges for organizations and individuals as they navigate the growing threats posed by malicious actors in the digital realm.