{"id":23587,"date":"2023-12-13T05:21:02","date_gmt":"2023-12-13T13:21:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/12\/13\/news-17317\/"},"modified":"2023-12-13T05:21:02","modified_gmt":"2023-12-13T13:21:02","slug":"news-17317","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/12\/13\/news-17317\/","title":{"rendered":"Press and pressure: Ransomware gangs and the media"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Wed, 13 Dec 2023 11:00:25 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Historically, threat actors weren\u2019t keen to engage with journalists. They may have followed press coverage about themselves, of course, but they rarely courted such attention; staying under the radar was usually much more important to them. The idea of attackers regularly putting out press releases and statements \u2013 let alone giving detailed interviews and arguing with reporters \u2013 was absurd (even if they were sometimes very willing to <a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/q6r6n3x43mnrfchn5tfh3qmw\/sophos-x-ops-active-adversary-multiple-attackers-wp.pdf\">publicly argue with each other<\/a>).<\/p>\n<p>And then came the ransomware gangs.<\/p>\n<p>Ransomware has changed many facets of the threat landscape, but a key recent development is its increasing commoditization and professionalization. 
There\u2019s <a href=\"https:\/\/www.sophos.com\/en-us\/cybersecurity-explained\/ransomware-as-a-service#:~:text=Ransomware%2Das%2Da%2DService%20(RaaS)%20is%20a,conduct%20ransomware%20attacks%20for%20profit\">ransomware-as-a-service<\/a>; logos and branding (and even <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1568273779050127363?lang=en\">paying acolytes to get tattoos<\/a>) and slick graphics on leak sites; <a href=\"https:\/\/www.forescout.com\/resources\/analysis-of-conti-leaks\/\">defined HR and Legal roles<\/a>; and <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-30-introduces-the-first-ransomware-bug-bounty-program\/\">bug bounty programmes<\/a>. Accompanying all this \u2013 alongside the <a href=\"https:\/\/therecord.media\/dhs-ransomware-headed-for-second-profits\">astronomical criminal gains<\/a> and the misery heaped on innumerable victims \u2013 is a slew of media attention, and an increasingly media-savvy assortment of threat actors.<\/p>\n<p>Far from shying away from the press, as so many threat actors did in the past, some ransomware gangs have been quick to seize the opportunities it affords them. Now, threat actors write FAQs for journalists visiting their leak sites; encourage reporters to get in touch; give in-depth interviews; and recruit writers. Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further \u2018mythologize\u2019 themselves.<\/p>\n<p>Of course, it\u2019s not always a harmonious relationship. Recently, we\u2019ve seen several examples of ransomware actors disputing journalists\u2019 coverage of attacks, and attempting to correct the record \u2013 sometimes throwing insults at specific reporters into the bargain. While this has implications for the wider threat landscape, it also has ramifications for individual targets. 
In addition to dealing with business impacts, ransom demands, and reputational fallout, organizations are now forced to watch as ransomware gangs scrap with the media in the public domain &#8211; with every incident fuelling more coverage and adding further pressure.<\/p>\n<p>Sophos X-Ops conducted an investigation of several ransomware leak sites and underground criminal forums to explore how ransomware gangs are seeking to leverage the media and control the narrative \u2013 thereby hacking not only systems and networks, but also the accompanying publicity.<\/p>\n<p>A brief summary of our findings:<\/p>\n<ul>\n<li>Ransomware gangs are aware that their activities are considered newsworthy, and will leverage media attention both to bolster their own \u2018credibility\u2019 and to exert further pressure on victims<\/li>\n<li>Threat actors are inviting and facilitating communications with journalists via FAQs, dedicated private PR channels, and notices on their leak sites<\/li>\n<li>Some ransomware gangs have given interviews to journalists, in which they provide a largely positive perspective of their activities \u2013 potentially as a recruitment tool<\/li>\n<li>However, others have been more hostile to what they see as inaccurate coverage, and have insulted both publications and individual journalists<\/li>\n<li>Some threat actors are increasingly professionalizing their approach to press and reputational management: publishing so-called \u2018press releases\u2019; producing slick graphics and branding; and seeking to recruit English writers and speakers on criminal forums<\/li>\n<\/ul>\n<p>Our aims in publishing this piece are to explore how and to what extent ransomware gangs are increasing their efforts in this area, and to suggest things that the security community and the media can do now to negate those efforts and deny ransomware gangs the oxygen of publicity they\u2019re seeking:<\/p>\n<ul>\n<li>Refrain from engaging with threat actors unless it\u2019s in 
the public interest or provides actionable information and intelligence for defenders<\/li>\n<li>Provide information only to aid defenders, and avoid any glorification of threat actors<\/li>\n<li>Support journalists and researchers targeted by attackers<\/li>\n<li>Avoid naming or crediting threat actors unless it\u2019s purely factual and in the public interest<\/li>\n<\/ul>\n<h2>Leveraging the media<\/h2>\n<p>Ransomware gangs are very conscious that the press considers their activities newsworthy, and will sometimes link to existing coverage of themselves on their leak sites. This reinforces their \u2018credentials\u2019 as a genuine threat for the benefit of visitors (including reporters and new victims) \u2013 and, in some cases, is likely an ego trip as well.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952710 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image1.png\" alt=\"A screenshot of a ransomware leak site. 
Within the screenshot is another screenshot of a news article\" width=\"796\" height=\"393\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image1.png 796w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image1.png?resize=300,148 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image1.png?resize=768,379 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/a><\/p>\n<p><em>Figure 1: Vice Society thanks a specific journalist for an article in which it was part of a \u2018Top 5\u2019 of ransomware and malware groups in 2022<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952711\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"87\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png 1209w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png?resize=300,41 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png?resize=768,105 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image2.png?resize=1024,140 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: The Play ransomware group links to a Dark Reading article on its leak site<\/em><\/p>\n<p>But some ransomware gangs aren\u2019t content with merely posting existing coverage; they\u2019ll also actively solicit journalists.<\/p>\n<h3>Collaboration<\/h3>\n<p>The RansomHouse group, for example, has a message on its leak site specifically aimed at journalists, in which it offers to share information on a \u2018PR Telegram channel\u2019 before it is officially published. 
It\u2019s not alone in this; allegedly, <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-3-lockbits-secrets\/\">the LockBit ransomware group communicates with journalists using Tox<\/a>, an encrypted messaging service (many ransomware gangs list their Tox ID on their leak sites).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952712\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image3.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"281\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image3.png 742w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image3.png?resize=300,132 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: An invitation from RansomHouse<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952713\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image4.png\" alt=\"A screenshot of a Telegram channel\" width=\"454\" height=\"468\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image4.png 454w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image4.png?resize=291,300 291w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image4.png?resize=32,32 32w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/a><\/p>\n<p><em>Figure 4: The RansomHouse PR Telegram channel<\/em><\/p>\n<p>The 8Base leak site has an identical message (<a href=\"https:\/\/blogs.vmware.com\/security\/2023\/06\/8base-ransomware-a-heavy-hitting-player.html\">as other researchers have noted<\/a>, 8Base and RansomHouse share other similarities, including their terms of service and ransom notes).<\/p>\n<p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952714\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"75\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png 1417w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png?resize=300,35 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png?resize=768,90 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image5.png?resize=1024,120 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: 8Base\u2019s message to journalists<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/11\/10\/vice-society-and-rhysida-ransomware\/\">Rhysida\u2019s<\/a> contact form on its leak site addresses several groups of people. Interestingly, journalists appear first on this list, before \u2018Recoveries\u2019 (presumably referring to victims or people working on their behalf).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952715\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image6.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"351\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image6.png 681w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image6.png?resize=300,164 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: Rhysida\u2019s contact form<\/em><\/p>\n<p>Over on the Snatch leak site, the threat actor maintains a \u201cPublic notice.\u201d Of particular note is number eight on this list: \u201cSnatch is open to the [sic] collaboration with any media to make data leakage situations 
shared [sic] and visible to wide [sic] range of people.\u201d And, as with Rhysida, journalists come before victim negotiations on the list.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952716\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image7.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"299\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image7.png 816w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image7.png?resize=300,140 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image7.png?resize=768,359 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: Snatch&#8217;s &#8216;Public notice&#8217;<\/em><\/p>\n<p>On Vice Society\u2019s leak site, the threat actor notes: \u201cThere are many journalists asking questions about us and our attacks.\u201d The message goes on to include a full FAQ for reporters, including a request for journalists to provide their name and outlet, and details of questions the group won\u2019t answer. 
Helpfully, for reporters with pressing deadlines, the threat actor also states that they try to respond to queries within 24 hours \u2013 an example of professional PR best practice, which demonstrates how important this is to the threat actor.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952717\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"636\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png 788w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=150,150 150w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=300,298 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=768,763 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=64,64 64w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=96,96 96w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image8.png?resize=128,128 128w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: Vice Society&#8217;s FAQ for journalists<\/em><\/p>\n<p>As noted earlier, much of this is likely done for bragging rights and to bolster criminals\u2019 credibility and notoriety (which, in turn, can indirectly increase the pressure on victims). 
But some groups are more explicit; Dunghill Leak, for example, warns victims that if they do not pay, the group will take several actions \u2013 including sending data to the media.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952718\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image9.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"139\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image9.png 843w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image9.png?resize=300,65 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image9.png?resize=768,167 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: Dunghill Leak\u2019s warning to victims, including a threat to send data to the media<\/em><\/p>\n<p>While not within the scope of this article, the last line is worth noting as well: Dunghill threatens to \u201cinvite various law firms to take up a group case.\u201d Ransomware class action lawsuits <a href=\"https:\/\/www.washingtonpost.com\/technology\/2021\/07\/25\/ransomware-class-action-lawsuit\/\">are not unheard of<\/a>, and may become increasingly common.<\/p>\n<p>In a similar vein, we observed a user posting on a prominent criminal forum about a company which had been the victim of a data breach. The user stated that negotiations had broken down, and offered to provide \u201cthe entire negotiation exchanges\u201d to \u201cverified press or researchers\u201d \u2013 and also noted that \u201cfor those who wish to partake in litigation\u2026you can use the below snippet of the negotiations.\u201d This is one of the ways in which ransomware actors are shifting their strategies, using multi-pronged weaponization (publicity, lawsuits, regulatory obligations) to exert further pressure on victims. 
For instance, <a href=\"https:\/\/www.databreaches.net\/alphv-files-an-sec-complaint-against-meridianlink-for-not-disclosing-a-breach-to-the-sec\/\">ALPHV\/BlackCat recently reported a victim to the Securities and Exchange Commission (SEC)<\/a> for not disclosing a breach \u2013 something which <a href=\"https:\/\/www.scmagazine.com\/perspective\/alphv-blackcat-reporting-to-the-sec-could-become-the-new-normal-for-ransomware-operators\">some commentators believe may become increasingly common<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952719\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"117\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png 1559w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png?resize=300,55 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png?resize=768,140 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png?resize=1024,187 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image10.png?resize=1536,281 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: A post on a criminal forum, regarding a data breach<\/em><\/p>\n<p>Other ransomware gangs are very aware that they can exert additional pressure on victims by raising the spectre of media interest. 
Our Managed Detection and Response (MDR) team recently observed ransom notes containing this threat from both Inc (\u201cconfidential data\u2026can be spread out to people and the media\u201d) and Royal (\u201canyone on the internet from darknet criminals\u2026journalists\u2026and even your employees will be able to see your internal documentation\u201d).<\/p>\n<p>Not all ransom notes mention the media, of course, and many ransomware gangs maintain minimalist, bare-bones leak sites which simply list their victims, with no direct appeals to journalists. But others engage directly with the media, in the form of interviews.<\/p>\n<h3>Interviews<\/h3>\n<p>Several ransomware actors have given in-depth interviews to journalists and researchers. In 2021, <a href=\"https:\/\/flashpoint.io\/blog\/what-does-lockbit-want-decrypting-an-interview-with-the-ransomware-collective\/\">the LockBit operators granted an interview to Russian OSINT<\/a>, a YouTube and Telegram channel. The same year, <a href=\"https:\/\/flashpoint.io\/blog\/interview-with-revil-affiliated-ransomware-contractor\/\">an anonymous REvil affiliate spoke to Lenta.ru<\/a>, a Russian-language online magazine. In 2022, Mikhail Matveev (a.k.a. Wazawaka, a.k.a. Babuk, a.k.a. Orange), a ransomware actor and founder of the RAMP ransomware forum, <a href=\"https:\/\/therecord.media\/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware\">spoke in detail to The Record<\/a> \u2013 and even provided a picture of himself. 
And a few weeks later, <a href=\"https:\/\/samples.vx-underground.org\/Papers\/Other\/Interviews\/Interviewing%20the%20Lockbit%20Administrator.html\">a founding member of LockBit spoke to vx-underground<\/a> (in which they admitted that they own three restaurants in China and two in New York).<\/p>\n<p>In most of these interviews, the threat actors seem to relish the opportunity to give insights into the ransomware \u2018scene\u2019, discuss the illicit fortunes they\u2019ve amassed, and provide \u2018thought leadership\u2019 about the threat landscape and the security industry. Only one \u2013 the REvil affiliate \u2013 gives a mostly negative depiction of the criminal life (\u201c\u2026you are afraid all the time. You wake up in fear, you go to bed in fear, you hide behind a mask and a hood in a store, you even hide from your wife or girlfriend\u201d).<\/p>\n<p>So, in addition to the motivations we\u2019ve already discussed \u2013 notoriety, egotism, credibility, indirectly increasing pressure on victims \u2013 a further possible reason for engagement with the media is recruitment. By depicting ransomware activity as a glamorous, wealthy business (\u201cthe leader in monetization,\u201d as Matveev puts it), threat actors could be trying to attract more members and affiliates.<\/p>\n<h3>Press releases and statements<\/h3>\n<p>A handful of ransomware groups issue what they call \u201cpress releases\u201d \u2013 and the fact that they use this term is telling in itself. Karakurt, for example, maintains a separate page for its press releases. Of the three currently published, one is a public announcement that the group is recruiting new members, and the others are about specific attacks. 
In both these latter cases, according to Karakurt, negotiations broke down, and the so-called \u2018press releases\u2019 are in fact thinly-veiled attacks on both organizations in an attempt to pressure them into paying and\/or cause reputational damage.<\/p>\n<p>Both these pieces, while containing the odd error or idiosyncratic phrasing, are written in remarkably fluent English. One, aping the style of genuine press releases, even contains a direct quote from \u201cthe Karakurt team.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952720 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png\" alt=\"A screenshot of a ransomware leak site. There are three press releases listed, with banner graphics of black-and-white art\" width=\"1053\" height=\"745\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png 1053w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png?resize=300,212 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png?resize=768,543 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image11.png?resize=1024,724 1024w\" sizes=\"auto, (max-width: 1053px) 100vw, 1053px\" \/><\/a><\/p>\n<p><em>Figure 11: Karakurt\u2019s \u2018Press Releases\u2019 page<\/em><\/p>\n<p>In contrast, an example of a press release from the Snatch group is much less fluent, and doesn\u2019t focus on a specific victim. 
Instead, it\u2019s aimed at correcting mistakes by journalists (something that we\u2019ll discuss in more detail shortly).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952721\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image12.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"592\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image12.png 792w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image12.png?resize=300,278 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image12.png?resize=768,711 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: An excerpt from Snatch\u2019s \u2018press release\u2019<\/em><\/p>\n<p>This statement ends with the following sentence: \u201cWe are always open for cooperation and communication and if you have any questions we are ready to answer them here in our tg [Telegram] channel.\u201d<\/p>\n<p>A further example, this one from <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/08\/a-series-of-ransomware-attacks-made-by-different-groups-share-curiously-similar-characteristics\/\">Royal<\/a> (not formally titled as a press release, but with the heading \u201cFOR IMMEDIATE RELEASE\u201d), announces that the group will not publish data from a specific victim (a school), but will instead delete it \u201cin line with our stringent data privacy standards and as a demonstration of our unwavering commitment to ethical data management.\u201d Here, the threat actor is arguably inviting a comparison between their own proactive action to \u2018protect\u2019 against the leak (for which they\u2019re responsible) and the mishandling of ransomware incidents and sensitive data by some organizations \u2013 thereby aiming to portray itself as more responsible and professional than some of its 
victims.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952722\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image13.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"683\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image13.png 689w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image13.png?resize=281,300 281w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: A public statement by the Royal ransomware group<\/em><\/p>\n<p>What\u2019s particularly noteworthy here is the language; much of the style and tone of this announcement will be recognisable to anyone who\u2019s dealt with press releases and public statements. For instance: \u201cthe bedrock principles upon which Royal Data Services operates\u201d; \u201cAt Royal Data Services, we respect the sanctity of educational and healthcare services\u201d; \u201cMoving forward, we aim to\u2026\u201d.<\/p>\n<p>It&#8217;s also worth noting that Royal seems to be trying to rebrand itself as a security service (\u201cOur team of data security specialists will offer\u2026a comprehensive security report, along with our best recommendations and mitigations\u2026\u201d). 
It has this in common with many other ransomware groups \u2013 who, in wholly unconvincing attempts to portray themselves as forces for good, have referred to themselves as a \u201cpenetration testing service\u201d (Cl0p); \u201chonest and simple pentesters\u201d (8Base); or as conducting \u201ca cybersecurity study\u201d (ALPHV\/BlackCat).<\/p>\n<p>Rebranding is another PR tactic borrowed from legitimate industry, and it\u2019s not unreasonable to speculate that ransomware groups may step up this tactic in the future \u2013 perhaps as a recruitment tool, or to try and alleviate negative coverage from the media and attention from law enforcement.<\/p>\n<h3>Branding<\/h3>\n<p>Branding is hugely important to ransomware gangs seeking press coverage. Catchy names and slick graphics help attract the eyes of journalists and readers \u2013 particularly when it comes to leak sites, as they\u2019re the public-facing presences of these threat actors, and will be frequently visited by journalists, researchers, and victims. 
Consider <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/05\/09\/akira-ransomware-is-bringin-88-back\/\">Akira<\/a>, with its retro aesthetics and interactive terminal, or <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks\/\">Donut Leaks<\/a>, which has a frontpage graphic complete with flickering neon signs.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952724 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image14.png\" alt=\"A screenshot of a ransomware leak site The leak site is styled to look like an interactive computer terminal, with green text on a black background\" width=\"807\" height=\"509\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image14.png 807w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image14.png?resize=300,189 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image14.png?resize=768,484 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/a><\/p>\n<p><em>Figure 14: The Akira leak site<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952725 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg\" alt=\"A screenshot of a ransomware leak site. 
An anime character winks at the camera, and the title and headings on the site are styled to look like neon signs\" width=\"1378\" height=\"538\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg 1378w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg?resize=300,117 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg?resize=768,300 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image15.jpeg?resize=1024,400 1024w\" sizes=\"auto, (max-width: 1378px) 100vw, 1378px\" \/><\/a><\/p>\n<p><em>Figure 15: The Donut Leaks site<\/em><\/p>\n<p>The LostTrust ransomware group (<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang\/\">a possible rebrand of MetaEncryptor<\/a>) is so patently aware that its leak site is its point of contact with the wider world, that it opted for a press conference graphic on its homepage.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952726 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png\" alt=\"A screenshot of a ransomware leak site. The leak site features a graphic of a long table, three empty chairs, and numerous microphones pointed at the chairs, like a press conference\" width=\"1444\" height=\"795\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png 1444w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png?resize=300,165 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png?resize=768,423 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image16.png?resize=1024,564 1024w\" sizes=\"auto, (max-width: 1444px) 100vw, 1444px\" \/><\/a><\/p>\n<p><em>Figure 16: LostTrust\u2019s leak site. 
Note the blurb at the bottom, which includes the warning that \u201cevery incident is notified to all possible press in the region\u201d \u2013 echoing the warning from Dunghill Leak<\/em><\/p>\n<p>On the other side of the coin, one ransomware group \u2013 either fed up with this trend, or getting performatively meta with it \u2013 decided to eschew a name and brand altogether.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952727\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image17.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"137\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image17.png 854w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image17.png?resize=300,64 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image17.png?resize=768,165 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 17: A ransomware group which refuses to give itself a name \u2013 leading to it inevitably being named \u2018<a href=\"https:\/\/thecyberexpress.com\/cyber-attack-on-poland-noname-ransomware-gang\/\">NoName ransomware\u2019<\/a><\/em><\/p>\n<p>Sophisticated branding isn\u2019t exclusive to ransomware gangs, of course, and speaks to a wider point about the increasing professionalization across many categories of threat actor, as we noted in <a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/b5n9ntjqmbkb8fg5rn25g4fc\/sophos-2023-threat-report.pdf\">our 2023 Annual Threat Report<\/a>. 
Modern adverts for malware products, for example, are often characterized by attractive graphics and high-quality design.<\/p>\n<p>One prominent criminal forum \u2013 which previously ran regular, well-established \u2018<a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/29\/for-the-win-offensive-research-contests-on-criminal-forums\/\">research contests<\/a>\u2019 \u2013 even has its own ezine, including art, tutorials, and interviews with threat actors. An example, perhaps, of cybercriminals not only engaging with media outlets, but creating their own.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952728 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image18.png\" alt=\"A screenshot of an ezine from a criminal forum, The page is styled to look like a graphic novel, with illustrations and speech bubbles\" width=\"549\" height=\"777\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image18.png 549w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image18.png?resize=212,300 212w\" sizes=\"auto, (max-width: 549px) 100vw, 549px\" \/><\/a><\/p>\n<p><em>Figure 18: Art from an ezine produced by members of a criminal forum<\/em><\/p>\n<h3>Recruitment<\/h3>\n<p>When a Ukrainian researcher <a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/\">leaked thousands of messages from inside the Conti ransomware gang<\/a> in March 2022, many were surprised at the extent of organization within the group. It had a distinct hierarchy and structure, much like a legitimate company: bosses, sysadmins, developers, recruiters, HR, and Legal. It paid salaries regularly, and set working hours and holidays. <a href=\"https:\/\/www.trellix.com\/en-gb\/about\/newsroom\/stories\/research\/conti-leaks-examining-the-panama-papers-of-ransomware.html\">It even had physical premises<\/a>. 
But what\u2019s particularly interesting in the context of this article is that Conti had at least one person (and possibly as many as three) <a href=\"https:\/\/www.forescout.com\/resources\/analysis-of-conti-leaks\/\">dedicated to negotiating ransoms and writing \u2018blog posts\u2019<\/a> for the leak site (a \u2018blog\u2019 is a euphemism for a list of victims and their published data). So the sorts of things we\u2019ve been discussing \u2013 responding to journalists, writing press releases, and so on \u2013 are not necessarily just cobbled together by hackers when they\u2019re not busy hacking. Within prominent, well-established groups, they may well add up to a full-time role \u2013 mirroring the situation in technology and security companies, with teams dedicated to publicizing research and results (Sophos X-Ops being an example, if that\u2019s not getting too meta).<\/p>\n<p>While many ransomware-related activities don\u2019t require fluent English skills, this kind of work does \u2013 especially if threat actors are also going to be writing public statements. Such individuals have to be recruited from somewhere, and on criminal forums, adverts for English speakers and writers (and, occasionally, speakers of other languages) are fairly common. 
Many of these ads aren\u2019t necessarily for ransomware groups, of course, but likely for social engineering\/scamming\/vishing campaigns.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952729\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image19.png\" alt=\"A screenshot of a criminal forum\" width=\"452\" height=\"228\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image19.png 452w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image19.png?resize=300,151 300w\" sizes=\"auto, (max-width: 452px) 100vw, 452px\" \/><\/a><\/p>\n<p><em>Figure 19: An advert on a criminal forum for \u201ca good English caller.\u201d This advert is probably for some sort of scam campaign<\/em><\/p>\n<p>In other cases, the kind of work being offered is less clear, and requires writers rather than speakers:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952730\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image20.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"314\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image20.png 680w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image20.png?resize=300,147 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 20: A user on a criminal forum seeks a \u201cProfessional English Writer\u201d<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952731\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"85\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png 1430w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png?resize=300,40 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png?resize=768,102 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image21.png?resize=1024,135 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 21: A job advert on a criminal forum. Trans.: \u201cWe are looking for someone who can write\/edit English articles for the clearnet website. If you are interested, message me and we will discuss the details. high paying job. the work will be completed over a long period of time, 1-3 articles per day.\u201d The same user also advertised for a \u201cjournalist\/writer.\u201d<\/em><\/p>\n<p>In a particularly curious example \u2013 albeit one not related to the media \u2013 a user created a thread entitled: \u201cAnalysis of financial and legal vulnerabilities for negotiations\u201d:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952732\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"120\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png 1558w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png?resize=300,56 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png?resize=768,144 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png?resize=1024,192 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image22.png?resize=1536,288 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 22: An excerpt from the user&#8217;s post<\/em><\/p>\n<p>In the same thread, the user later added more detail \u2013 
noting that other duties would include (trans.) \u201cupload bigdata to the onion domain\u201d, and that \u201cin case of breakdown of negotiations\u201d, applicants would also be expected to perform \u201cassessment of developments, research, marketing strategy, prospects, etc. for further sale to competitors.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952733\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image23.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"122\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image23.png 939w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image23.png?resize=300,57 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image23.png?resize=768,146 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 23: Further detail from the same user<\/em><\/p>\n<p>We assess that this is likely an attempt to recruit someone to help extort companies into paying a ransom, by finding compromising information which threat actors could use to apply pressure during negotiations. 
Note that the first part of the advert states \u201cin most cases [this] doesn\u2019t require the use of software\u201d, implying that this is not a \u2018traditional\u2019 ransomware group using encrypting malware.<\/p>\n<p>Finally, we also noted several instances of users advertising their services as translators, particularly Russian to English and vice versa.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952734\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"149\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png 1453w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png?resize=300,70 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png?resize=768,179 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image24.png?resize=1024,238 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 24: A user offers their services as a translator<\/em><\/p>\n<p>While we didn\u2019t find any specific examples of threat actors attempting to recruit people with marketing\/PR experience, this is something we\u2019re going to keep an eye out for. 
Given the increasing \u2018celebrification\u2019 of ransomware groups (see <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1568273779050127363?lang=en\">LockBit\u2019s tattoo stunt<\/a> and similar developments) and the rebranding strategies discussed previously, it may only be a matter of time before criminals make more concerted efforts to manage their public images and deal with the increasing amounts of media attention they receive.<\/p>\n<h2>When things go wrong<\/h2>\n<p>We\u2019ve noted that ransomware groups leverage the media in a number of ways: referring to previous coverage on their leak sites; inviting questions from journalists; giving interviews; and using the threat of publicity to coerce victims into paying ransoms. However, as many public figures and companies have found out to their cost, relationships with the media are not always affable. On several occasions, ransomware groups and other threat actors have criticized journalists for what they feel is inaccurate or unfair coverage.<\/p>\n<p>The developers of WormGPT, for example \u2013 a derivation of ChatGPT, offered for sale on criminal marketplaces for use by threat actors \u2013 <a href=\"https:\/\/www.linkedin.com\/pulse\/wormgpt-goes-down-john-stanton\">shut their project down<\/a>, due to the amount of media scrutiny. In a forum post, they stated: \u201cwe are increasingly harmed by the media\u2019s portrayal\u2026Why do they attempt to tarnish our reputation in this manner?\u201d<\/p>\n<p>Ransomware groups, on the other hand, tend to be more aggressive in their rebuttals. 
ALPHV\/BlackCat, for instance, published an article on its leak site entitled \u201cStatement on MGM Resorts International: Setting the record straight\u201d, a 1,300-word post in which it criticized a number of outlets for not checking sources and reporting incorrect information.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952735\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image25.png\" alt=\"A screenshot from a ransomware leak site\" width=\"472\" height=\"309\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image25.png 472w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image25.png?resize=300,196 300w\" sizes=\"auto, (max-width: 472px) 100vw, 472px\" \/><\/a><\/p>\n<p><em>Figure 25: ALPHV\/BlackCat criticizes an outlet for \u2018false reporting\u2019<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952736\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image26.png\" alt=\"A screenshot from a ransomware leak site\" width=\"485\" height=\"228\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image26.png 485w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image26.png?resize=300,141 300w\" sizes=\"auto, (max-width: 485px) 100vw, 485px\" \/><\/a><\/p>\n<p><em>Figure 26: ALPHV\/BlackCat criticizes another outlet for \u2018false reporting\u2019, while admitting that it previously falsely reported a source of \u2018false information\u2019<\/em><\/p>\n<p>The statement goes on to attack an individual journalist and a researcher, before concluding: \u201cwe have not spoken with any journalists\u2026We did not and most likely won\u2019t.\u201d Interestingly, then, this is an example of a ransomware group not engaging with the 
media \u2013 instead trying to control the narrative by presenting itself as the sole, dominant, voice of truth. (In all probability there are some power dynamics at play here, too, but digging into the psychology of ransomware actors is something we\u2019re neither qualified nor inclined to do.)<\/p>\n<p>The Cl0p ransomware group attempted to do something similar during <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/10\/clop-at-the-top\/\">a rash of high-profile attacks<\/a> earlier this year, which leveraged a vulnerability in the MOVEit file-transfer system. In a post on its leak site, it stated that \u201call media speaking about this are do [sic] what they always do. Provide little truth in a big lie.\u201d Later, the group specifically called out the BBC for \u201ccreating propaganda,\u201d after Cl0p had emailed the BBC with information. Much like the ALPHV\/BlackCat example above, Cl0p is attempting to \u2018set the record straight,\u2019 correcting what it sees as inaccuracies in media coverage and representing itself as the only authoritative source of information. 
The message to victims, researchers, and the wider public: <em>don\u2019t believe what you read in the press; only we have the real story.<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952737\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png\" alt=\"A screenshot of a ransomware leak site\" width=\"640\" height=\"290\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png 1158w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png?resize=300,136 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png?resize=768,348 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image27.png?resize=1024,463 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 27: The Cl0p ransomware gang calls out the BBC for &#8216;twisting&#8217; information<\/em><\/p>\n<h3>An uneasy relationship<\/h3>\n<p>Cl0p isn\u2019t alone in feeling mistrustful of journalists; it\u2019s a common sentiment on criminal forums. 
Many threat actors \u2013 not just ransomware groups \u2013 dislike the press, and some non-ransomware criminals are skeptical of the relationship between journalists and ransomware gangs:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952738\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"131\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png 1298w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png?resize=300,61 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png?resize=768,157 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image28.png?resize=1024,210 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 28: A threat actor criticizes journalists for believing the \u201clies\u201d of ransomware actors, and criticizes ransomware actors \u201cwho are just trying to scam you [journalists] and chase influence.\u201d Note that the sentiment here is not dissimilar to that expressed by ALPHV\/BlackCat and Cl0p in the previous section<\/em><\/p>\n<p>Just as ransomware groups are conscious that their leak sites are frequented by journalists, so members of criminal forums know that journalists have infiltrated their sites. 
High-traffic threads about prominent breaches and incidents will sometimes contain comments along the lines of \u2018Here come the reporters,\u2019 which occasionally descend into full-blown rants and insults.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-952739\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png\" alt=\"A screenshot of a criminal forum\" width=\"640\" height=\"191\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png 1364w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png?resize=300,90 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png?resize=768,230 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image29.png?resize=1024,306 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 29: Several members of a criminal forum insult journalists<\/em><\/p>\n<p>More rarely, threat actors will call out and\/or attack individual journalists, as in the ALPHV\/BlackCat example above. While this hasn\u2019t, to our knowledge, escalated to direct threats, these reactions are likely designed to make the journalists in question feel uncomfortable, and in some cases to cause reputational damage \u2013 not always successfully.<\/p>\n<p>The name and branding of the carding marketplace Brian\u2019s Club, for example, is based on security journalist Brian Krebs. 
The site uses Krebs\u2019 image, first name, and a play on his surname (\u2018Krabs\u2019, or crabs, for \u2018Krebs\u2019), on both its homepage and within the site itself.<\/p>\n<p>While this doesn\u2019t seem to unduly concern Krebs (he mentions being \u201csurprised and delighted\u201d to receive a reply from the Brian\u2019s Club admin after making an enquiry about <a href=\"https:\/\/krebsonsecurity.com\/2019\/10\/briansclub-hack-rescues-26m-stolen-cards\/\">the site being compromised<\/a>; the admin\u2019s reply began: \u201cNo. I\u2019m the real Brian Krebs here \ud83d\ude0a\u201d), other journalists might not feel quite so at ease in this situation.<\/p>\n<p>Of course, researchers are not immune to these tactics either, and are also often subject to insults and threats on forums. The relationship between threat actors and researchers is a whole other story, and out of scope for this article, but one example is worth noting. After publishing the first part of <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-1\/\">a three-part series on the inner workings of the LockBit gang<\/a>, researcher Jon DiMaggio was alarmed to discover that LockBit\u2019s profile picture on a prominent criminal forum had been changed to a photo of himself.<\/p>\n<p>After publication of <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-3-lockbits-secrets\/\">the final part of the series<\/a>, threat actors discussed the report among themselves. 
One was dismissive (trans.: \u201cThese are just the latest guesses from one of the thousands of information security journalists who can only guess and create useless clickbait content\u201d), to which the LockBit account replied: \u201cyou are right, everything is made up\u2026[but] no matter what Johnny says, I still love him, he is my most devoted fan and follows every sneeze, turning any sneeze into a huge sensation, a real journalist.\u201d<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-952741 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png\" alt=\"A screenshot of a criminal forum, featuring a post by LockBitSupp, a user account associated with the LockBit threat actor\" width=\"1766\" height=\"318\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png 1766w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png?resize=300,54 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png?resize=768,138 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png?resize=1024,184 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/image31.png?resize=1536,277 1536w\" sizes=\"auto, (max-width: 1766px) 100vw, 1766px\" \/><\/a><\/p>\n<p><em>Figure 31: LockBit posts in a discussion about DiMaggio\u2019s reports<\/em><\/p>\n<p>So even LockBit \u2013 one of the most prominent ransomware gangs, which has devoted significant time and effort into cultivating its image, professionalizing itself, and giving media interviews \u2013 is sceptical of journalists and their motivations.<\/p>\n<h2>Conclusion<\/h2>\n<p>The fact that some ransomware groups will eagerly solicit media coverage and communicate with journalists, despite being mistrustful and critical of the press in general, is a contradiction which will be familiar to many public 
figures. In the same way, many journalists will recognize the feeling of having qualms about the activities, ethics, and motivations of many public figures, while also knowing that reporting on those figures is in the public interest.<\/p>\n<p>And, like it or not, some ransomware actors are on their way to becoming public figures. Accordingly, they are devoting an increasing amount of time to \u2018managing the media.\u2019 They are aware of coverage about themselves, and publicly correct inaccuracies and omissions. They encourage questions, and provide interviews. They are conscious that cultivating media relationships is useful for achieving their own objectives and refining their public image.<\/p>\n<p>This is, in some ways, unique to ransomware gangs. Unlike virtually all other types of threat \u2013 which are based on going undetected for as long as possible, and ideally indefinitely \u2013 a ransomware campaign must eventually make itself known to the victim, to demand a ransom. Leak sites must be publicly available, so that the criminals can apply pressure to victims and publish stolen data. These factors, and the explosive growth of the ransomware threat, have led to a situation where threat actors, far from shunning the increasingly bright glare of the media spotlight, recognize the potential to reflect and redirect it for their own ends. They can leverage opportunities to directly and indirectly apply pressure to victims; attract potential recruits; increase their own notoriety; manage their public image; and shape the narrative of attacks.<\/p>\n<p>At the moment, these developments are nascent. While there is certainly an effort among some ransomware actors to imitate the efficient \u2018PR machines\u2019 of legitimate businesses, their attempts are often crude and amateurish. Sometimes they seem more of an afterthought than anything else.<\/p>\n<p>However, there are indications that this is changing. 
Initiatives such as dedicated PR Telegram channels, FAQs for journalists, and attempts to recruit journalists\/writers, may grow and evolve. And as with many aspects of ransomware \u2013 and the threat landscape in general \u2013 commodification and professionalization are on the rise. It may be a way off, but it\u2019s not unfeasible that in the future, ransomware groups may have dedicated, full-time PR teams: copywriters, spokespeople, even image consultants. This may provide some \u2018nice-to-haves\u2019 for ransomware actors \u2013 inflating egos, bolstering recruitment efforts \u2013 but it will predominantly come down to adding to the already significant pressure placed on victims, and reducing any pressure on themselves from law enforcement or the criminal community.<\/p>\n<p>In the meantime, it\u2019s likely that ransomware groups will continue to try to control the narratives around individual attacks, as we\u2019ve seen recently with Cl0p and ALPHV\/BlackCat. We\u2019ll be keeping a close eye on developments in this space.<\/p>\n<h2>Acknowledgments<\/h2>\n<p>Sophos X-Ops would like to thank Colin Cowie of Sophos\u2019 Managed Detection and Response (MDR) team for his contribution to this article.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/13\/press-and-pressure-ransomware-gangs-and-the-media\/\" target=\"bwo\">http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/12\/shutterstock_2154204715.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Wed, 13 Dec 2023 11:00:25 +0000<\/strong><\/p>\n<p>Sophos X-Ops explores the symbiotic \u2013 but often uneasy \u2013 relationship between ransomware gangs and the media, and how threat actors are increasingly seeking to wrest control of the narrative<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[30606,29351,24643,25303,24873,25141,30607,30608,129,26531,24616,30609,1264,30610,30611,19566,26368,3765,22297,30484,28820,23661,27030,16771,2127,29927],"class_list":["post-23587","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-8base","tag-akira","tag-alphv-ransomware","tag-blackcat","tag-cl0p","tag-conti","tag-donut-leaks","tag-dunghill-leak","tag-featured","tag-karakurt","tag-lockbit","tag-losttrust","tag-media","tag-metaencryptor","tag-noname","tag-play","tag-ransomhouse","tag-ransomware","tag-revil","tag-rhysida-ransomware","tag-royal","tag-snatch","tag-sophos-x-ops","tag-threat-research","tag-vice","tag-wormgpt"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23587"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23587\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23587"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23587"}],"curi
es":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}