{"id":21668,"date":"2023-04-05T16:10:03","date_gmt":"2023-04-06T00:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/05\/news-15399\/"},"modified":"2023-04-05T16:10:03","modified_gmt":"2023-04-06T00:10:03","slug":"news-15399","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/05\/news-15399\/","title":{"rendered":"Fake ransomware demands payment without actually encrypting files"},"content":{"rendered":"<p>&ldquo;Fake it till you make it&rdquo; ransomware groups are <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats\/\" target=\"_blank\">trying to get rich off the backs of genuine ransomware authors<\/a>. Why are they &ldquo;fake it till you make it&rdquo;? Because they don&rsquo;t actually create ransomware or compromise networks in any way. They&rsquo;re simply lying through their teeth and hoping that recipients of their messages don&rsquo;t realise until it&rsquo;s too late.<\/p>\n<p>As reported by Bleeping Computer, a group named Midnight has been using this tactic since at least March 16, and the organisations affected all seem to be located in the US.&nbsp;<\/p>\n<h2>The battle plan of a fake ransomware group<\/h2>\n<p>The general approach is as follows:<\/p>\n<ul>\n<li><strong>Claim to be a different, genuine ransomware group<\/strong>. If the scammers claim to be some sort of obscure (but known) affiliate or spin-off, so much the better. The target will confirm the group exists with a quick Google search, but won&rsquo;t be able to do much more beyond that.<\/li>\n<li><strong>Use a panic-inducing email subject<\/strong>. &ldquo;Notifying you about your business&rsquo;s security case, we accessed your information&rdquo; is one example given.<\/li>\n<li><strong>The bigger the theft claim, the better<\/strong>. 
They talk of accessing HR records, employee records, personal and medical data.&nbsp;In one &#8220;attack&#8221; 600GB of data was supposedly taken from business servers.<\/li>\n<li><strong>Targeting genuine victims by accident or design<\/strong>. Some businesses targeted by the fakers had indeed suffered a ransomware attack of some kind previously. Either the scare-tactic mails are being blasted out to a large audience to see what comes back, or there is some deliberate targeting of organisations going on.<\/li>\n<\/ul>\n<h2>Nothing new, but potentially disastrous all the same<\/h2>\n<p>Fake mails are nothing new. 18 years of one 419 mail is <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/10\/an-18-year-scam-odyssey-of-stranded-astronauts\">as good an example as any<\/a>.&nbsp;Send enough emails out&nbsp;and&nbsp;someone will fall for it eventually. The bogus ransomware extortion attempt even has a name, in the form of &ldquo;<a href=\"https:\/\/www.coveware.com\/blog\/2019\/11\/19\/phantom-incident-extortion-scam-threatens-release-of-corporate-pii\" target=\"_blank\">Phantom Incident Scam<\/a>&rdquo;.<\/p>\n<p>Even so, this is an area of attack where having a good response strategy is very effective against people hoping you&rsquo;ll fall for a technology-based lie. If your incident response consists of opening up one of these missives, panicking, and racing to pay fraudsters, it could end up being a very costly and needless mistake. Whether or not you&rsquo;re aware of your organisation having had a genuine breach, having someone named on an org chart as the point of contact for such an eventuality will come in very handy indeed.<\/p>\n<h2>How to avoid ransomware<\/h2>\n<ul>\n<li><strong>Block common forms of entry<\/strong>. 
Create a plan for <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">patching vulnerabilities<\/a> in internet-facing systems quickly; disable or <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/blunting-rdp-brute-force-attacks-with-rate-limiting\">harden remote access<\/a> like RDP and VPNs; use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">endpoint security software<\/a> that can detect exploits and malware used to deliver ransomware.<\/li>\n<li><strong>Detect intrusions<\/strong>. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">EDR<\/a> or <a href=\"https:\/\/www.malwarebytes.com\/business\/managed-detection-and-response\">MDR<\/a> to detect unusual activity before an attack occurs.<\/li>\n<li><strong>Stop malicious encryption<\/strong>. Deploy Endpoint Detection and Response software like <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">Malwarebytes EDR<\/a> that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.<\/li>\n<li><strong>Create offsite, offline backups<\/strong>. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.<\/li>\n<li><strong>Don&rsquo;t get attacked twice.<\/strong> Once you&#8217;ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.<\/li>\n<\/ul>\n<hr \/>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes removes all remnants of ransomware and&nbsp;prevents&nbsp;you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><span class=\"blue-cta-bttn\" style=\"background-color: #0d3ecc; line-height: 50px; padding: 0 20px;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\">TRY NOW<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: ransomware, fake, faker, fraud, scam, bogus, midnight<\/p>\n<p>We take a look at a ransomware group that doesn&#8217;t produce any ransomware, only threats.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/fake-ransomware-demands-payment-without-actually-encrypting-files\" title=\"Fake ransomware demands payment without actually encrypting files\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/fake-ransomware-demands-payment-without-actually-encrypting-files\">Fake ransomware demands payment without actually encrypting files<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[24823,11539,11834,9751,29032,32,3765,3985],"class_list":["post-21668","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-bogus","tag-fake","tag-faker","tag-fraud","tag-midnight","tag-news","tag-ransomware","tag-scam"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21668"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21668\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21668"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}