How ransomware gangs use the tech media against their victims

Cyber criminals traditionally and understandably shied away from publicity, but over the past few years, ransomware gangs have inverted this longstanding trope and are now actively courting journalists as they seek to influence and control the flow of information about their activities, put pressure on victims to cooperate, and even attract new gang members and affiliates.

This is according to a whitepaper published by researchers at Sophos, who have been tracking several of the world’s most notorious cyber extortion operations as they try to seize on the opportunities that a good review in the right newspapers can offer them.

Christopher Budd, director of Sophos’ X-Ops team, told Computer Weekly he became interested in how cyber criminal gangs are abusing the information space during the September 2023 Las Vegas casino hacks, which he described at the time as “the Ocean’s 11 of the cyber age”.

“One of the things in watching that that occurred to me is that it’s apparent that at least some of these groups are looking to operate not just in the technical space, but in the information space as well,” said Budd.

Among other things, some crews have been observed providing journalists with lists of frequently asked questions (FAQs), publishing press releases, encouraging reporters to get in touch, offering in-depth interviews with trusted writers, and even recruiting English speakers to write for them. Others have hit out over what they perceive as inaccurate coverage, criticising reporters for not getting their facts right.

Budd said that such engagement offered both a tactical and strategic advantage, enabling gangs to proactively shape the narrative and apply pressure to their victims, while inflating their own notoriety and egos and contributing to their own vainglorious personal mythologies. But ultimately, he observed, the objective is simple, and that is to make sure they get paid.

“At this point in time, these groups are well-organised, they’re basically businesses. The goal is to make money, so what can they do to make money more efficiently and more effectively?” said Budd. “Legitimate businesses figured out long ago that there are tactics in the information space that help to raise their visibility, help raise brand awareness, and motivate people to engage with their product. And everything I said there you can apply to cyber criminals.”

One tactic that legitimate businesses also deploy when dealing with the media is to attempt to control narratives and storylines by correcting perceived factual inaccuracies, and ransomware gangs are enthusiastically adopting this ploy.

During the Las Vegas attacks, the threat actor behind the intrusions hit back at what they claimed was inaccurate coverage by some outlets by publishing a 1,300-word article explaining how they hacked the victim’s systems. In its technical scope, this feature-length piece rivalled anything produced by a legitimate threat research team.

“They provided, essentially, a research posting that in many ways mirrors the type of postings my team does and that other security companies do,” said Budd. “You have to respect the quality of the technical detail that they provided in that it was, by industry standards, a solid write-up.

“It does highlight how the kind of information sharing that we as an industry have been doing for years, that it’s the right thing to do because it tells people what’s happening and what they need to know. But in this case they [also] released that information as an exercise to show that they knew what they were talking about. It was a communications tactic done to show their credibility and to assert control over the narrative in the information space.”

For defenders, this raises new concerns, said Budd. Historically, incident responders have been doing a largely technical job, playing a cat-and-mouse game of move and counter move, but now this game is also playing out in the information sphere and security practitioners, not being public relations professionals, may find themselves ill-equipped to respond.

As such, he explained, victim organisations cannot necessarily now rely on being the sole source of truth about a cyber attack when their attacker is prepared to be open about what they did, and organisations can no longer get away with statements that say no data was compromised when their attackers can readily expose this as a falsehood.

“What this means in practical terms is if you’re a breached organisation, your ability to control the narrative is now much more complicated because if you say you weren’t breached, the attackers have shown a willingness to say no, in fact you were, and here’s the proof,” said Budd.

“Organisations, as part of their planning for incident response, need not only good technical responses, but they need good communications responses.”