On June 21, the Cl0p ransomware gang made headlines again as it continued to release information about companies it claimed to have breached through the MOVEit vulnerability. But amid its usual muscle-flexing and threats, Cl0p surprised everyone by posting a rejoinder. The message, written in unclear syntax with bullet points, refuted a BBC report that called the ransomware group’s threats empty. However, the message did not explicitly state that the threats were not empty.
Cl0p has been pressuring its victims to pay a ransom by posting company profiles on its darknet website since June 14. It has gradually added the names, websites, and addresses of nearly 50 victims from various countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium. Progress Software, the maker of MOVEit, announced the initial hack when it disclosed vulnerabilities in the software that may have been exploited by multiple attackers.
As investigations into the Cl0p gang continue, the US government has offered a $10 million reward for information linking the group, or any other malicious cyber actors targeting critical infrastructure, to a foreign government. The situation is ongoing, and authorities, affected organizations, and cybersecurity experts are actively working to understand the extent of the breach and identify those responsible.
While some companies listed by Cl0p have confirmed separate data breaches, cybersecurity researchers have warned that hundreds of organizations using the file transfer tool MOVEit may have had their data stolen. These include major names such as the BBC, British Airways, and Boots, which were customers of Zellis, the payroll provider that was breached to gain access to the victims’ data. However, Cl0p and its associates claim that they did not steal the Zellis data and say they have informed the company accordingly, which has left cybersecurity experts perplexed and added complexity to the situation.
The Cyber Express reached out to security analysts from around the world, all of whom have encountered instances of ransomware gangs posting empty threats. In fact, there is a whole gang of fake extortionists known as the “Midnight Group” that has been exploiting recent data breaches and ransomware incidents. This group poses as legitimate ransomware gangs to extort payment from US companies. They have sent emails claiming responsibility for data breaches and the theft of important information, often impersonating well-known ransomware and data extortion groups.
These fake extortionists also threaten victims with distributed denial-of-service (DDoS) attacks if they fail to comply with their demands. Corporate investigation and risk consulting firm Kroll has reported an increase in the number of such emails received. The authors of these emails use the names of well-known cybercriminal groups to intimidate victims and lend legitimacy to their threats. This method of scamming is cheap and easily carried out by low-skilled attackers, and it still generates revenue for them.
The Midnight Group primarily targets organizations that have previously fallen victim to ransomware attacks. It uses specific details about the targeted organizations to lend credibility to its threats. Incident response firms Arete and Coveware have both classified the Midnight Group’s threats as part of a fraud campaign. In some observed instances the fake attackers identified ransomware victims whose information was not publicly available, suggesting collaboration with the initial intruders.
Ransomware gangs posting empty threats is a strategy aimed at increasing pressure on victims to pay up quickly. The purpose behind this tactic is to exploit victims’ concerns about reputational damage, regulatory compliance violations, or the potential impact of data leaks. In some cases, it’s a ploy to get victims to engage with the attackers, opening the door to a potential real attack.
The motivations behind these empty threats can vary, depending on the specific circumstances and goals of the attackers. However, cybersecurity experts advise carefully analyzing such emails and recognizing the components of a phantom incident. If attackers don’t provide proof of stolen data, it is best not to trust their claims.