Ransomware Groups Forge Media Alliances, Amplifying Notoriety and Threats
Sophos X-Ops, in the aftermath of the MGM casino hack in Vegas, has shed light on a growing trend among ransomware groups: actively seeking media attention to amplify their notoriety and pressure victims into paying.
The investigation uncovered multiple instances on criminal forums and leak sites where threat actors threatened to expose a company’s data breach to the press.
Ransomware groups are employing various strategies to establish direct communication with the media, including special channels, contact forms, FAQs, and offers of “collaboration” with journalists on these platforms.
Ransomware and writers
Sophos X-Ops even identified advertisements for English-language writers on criminal forums, possibly hired to craft content for leak site “blogs” that showcase the groups’ attacks and highlight their coverage in mainstream media articles.
“Ransomware attackers are no longer simply hacking networks and systems—they’re attempting to ‘hack’ the public narrative. We saw this with the MGM hack, and even with the MOVEit attacks by Cl0P, when the group attempted to ‘set the record straight’ about purported inaccuracies in the media’s coverage of the attacks. For these threat groups, there’s several benefits to engaging with the press.
“It’s not only an ego boost for them but improves their notoriety—and makes them a more desirable ‘employer’ for criminals. It’s also shown to be an effective method for pressuring victims”, says Christopher Budd, Director, Threat Research, Sophos.