As ransomware gangs continue to market themselves as legitimate businesses complete with customer service representatives, new research from Sophos showed that threat actors are expanding public relations efforts to further pressure victims into paying a ransom.
In a threat report published Wednesday, Sophos X-Ops researchers examined how the rocky relationship between ransomware gangs and the media has evolved as the threat continues to escalate.
Ransomware operators leverage the media to publicly spotlight victim organizations amid a rise in brazen data extortion threats.
Sophos observed newer initiatives including dedicated Telegram channels for PR and a FAQ section for journalists posted on ransomware leak sites.
Ongoing media engagement has put some ransomware actors on track to becoming public figures, Sophos also warned.
The report highlighted several ransomware gangs including RansomHouse, Alphv/BlackCat, Karakurt, Vice Society, Snatch and the infamous LockBit gang.
Recently, some threat actors have shifted away from ransomware deployment to relying solely on data extortion threats to pressure victim organizations to pay.
The evolution relied heavily on ransomware groups' public data leak sites, which list victim organizations next to a payment countdown.
The number of ransomware attacks reached historic highs in 2023, according to some threat reports.
After investigating several ransomware leak sites and underground criminal forums, Sophos X-Ops researchers determined that ransomware gangs know their leak sites are frequented by journalists.
Christopher Budd, director of threat research at Sophos, told TechTarget Editorial that BlackCat's MGM rebuttal inspired the research into ransomware gangs and the media.
The statement highlighted an important transition in the ransomware landscape; Budd noticed that attackers are not only operating in the technical sphere, but some are moving into the information space as well.
Regarding the accuracy of ransomware gang posts, Budd said only the attackers and victims will truly know what happened.
Whether communications with the media are positive or negative, ransomware gangs' goal is to expand media coverage of their attacks and so pressure victims into paying the ransom.
The press release stated that the group does not encrypt victims' files or attempt to disrupt operations as other ransomware groups do.
Snatch is not the only ransomware gang to produce so-called press releases.
Ransomware negotiations have become increasingly effective for victim organizations, which are often able to negotiate lower ransom payments.
Dark web chatter shows that attackers are becoming frustrated with negotiators, with some ransomware gangs altering their approach to such discussions.
Following a focus on PR communications, Budd said ransomware groups' next innovation might involve regulatory actions.
In response to ransomware groups' increased focus on managing the media, Sophos recommended not engaging with or crediting threat actors unless doing so provides actionable insight for defenders.
This article was published on www.techtarget.com. Publication date: Wed, 13 Dec 2023 11:43:05 +0000