Ransomware Gangs Use PR Charm Offensive to Pressure Victims

Threat actors are fully embracing the spin machine: rebranding, speaking with the media, writing detailed FAQs, and more, all in an effort to make headlines.

3 Min Read
Photo of a stack of folded newspapers on a desk
Source: John Wohlfeil via Alamy Stock Photo

Gone are the days of dark, hooded figures and 8-bit skull-and-bones graphics — ransomware groups are increasingly adopting a more open, quasi-corporate strategy with the media, with the added benefit of ratcheting up the pressure for victims to pay them.

As Sophos X-Ops outlined in a report this week, more and less notorious groups like Royal, the Play, and RansomHouse are increasingly engaging with journalists. The relationship is dubious yet mutually beneficial: Reporters get scoops straight from primary (albeit unreliable) sources, while hackers get to expose their victims or, in certain high-profile cases, correct the record.

"This shows that they're true hackers," says Christopher Budd, director of threat intelligence for Sophos X-Ops. "Now they're trying to hack the information sphere, as well as the technical sphere."

Cybercriminals in Corporate Clothing

Ransomware groups nowadays offer channels for direct communication, and not just for victims. There are PR-oriented Telegram channels and standard-fare "Contact Us" forms, as well as helpful information and FAQs to supplement them.

The big idea is that, by broadcasting their exploits in the news, ransomware actors invite public pressure on their victims, as well as pressure from their suppliers, customers, and so on.

This much is implied or, often, specifically highlighted in ransom notes. For instance, Sophos recently observed a Royal ransom note expressing how "anyone on the internet from darknet criminals ... journalists ... and even your employees will be able to see your internal documentation" if the ransom deadline wasn't met.

An extreme example of this sort of tactic occurred a month ago, when the ALPHV group (aka BlackCat) filed an official complaint with the US Securities and Exchange Commission, citing how its victim failed to report its ransomware attack within the newly proposed window for data breach disclosures. Those new rules hadn't yet been in effect at the time, but the stunt certainly attracted headlines.

News coverage has other knock-on benefits, as well. Besides the ego boost, if a group like The Play links to Dark Reading coverage on its leak site, it lends it credibility, giving victims the impression that they're the real deal.

Screenshot of Dark Reading article link reposted by ransomware group The Play

Attackers in Analysts' Attire

Not all ransomware-ers are meeting the media with equal levity. Notorious groups like Cl0p and LockBit have recently engaged with the outside world on more hostile terms.

And while it sometimes comes out as petty or posturing, at other times even these conflicts are handled with a degree of professionalism.

For instance, in response to initial reports containing purportedly incorrect information about the MGM attack, ALPHV published a 1,300-word statement. "In trying to assert their authority and take their claim, they actually published what amounts to threat research — the type of stuff that security companies do. And they provided some fairly objective, detailed technical explanation about the actions they'd taken," Budd explains.

"It reads like something that we would publish," he adds. "They are consciously adopting some of the principles that we in the security space use on a day-to-day basis."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights