Pretend extortionists are piggybacking on knowledge breaches and ransomware incidents, threatening U.S. firms with publishing or promoting allegedly stolen knowledge until they receives a commission.

Typically the actors add the menace of a distributed denial-of-service (DDoS) assault if the message recipient doesn’t adjust to the directions within the message.

Unhealthy actors

The attackers behind this exercise use the identify Midnight and began focusing on firms within the U.S. since at the very least March 16.

They’ve additionally impersonated some ransomware and knowledge extortion gangs in emails and claimed to be the authors of the intrusion, stealing a whole bunch of gigabytes of essential knowledge.

In a single e mail to the worker of a holding firm within the trade of petroleum components, the menace actor claimed to be the Silent Ransom Group (SRG) – a splinter of the Conti syndicate centered on stealing knowledge and extorting the sufferer, also called Luna Moth. 

The identical message, nonetheless, used within the topic line the identify of one other menace actor, the Surtr ransomware group, first seen to encrypt firm networks in December 2021.

BleepingComputer discovered one other e mail from Midnight Group, professing that they had been the authors of the info breach and that they stole 600GB of “important knowledge” from the servers.

The messages had been despatched to the tackle of a senior monetary planner that had left the goal firm greater than half a yr earlier than.

Pending DDoS menace

A report in late March from the managed detection and response division on the Kroll company investigation and threat consulting agency notes that some senders of comparable emails additionally threatened with DDoS assaults.

Kroll investigators say that beginning March 23 organizations began submitting an elevated variety of reviews for emails acquired beneath the Silent Ransom Group identify.

It’s “a brand new wave of faux extorsion makes an attempt,” Kroll responders say within the report, including that the authors use the names of better-known cybercriminals in an try to intimidate and provides legitimacy to the menace.

Kroll has seen such incidents since 2021, though such exercise began in early November 2019, when non-paying victims additionally skilled DDoS assaults.

However, the assaults had been low-level DDoS and got here with the specter of bigger ones until the extortionists obtained paid.

Such incidents echo the exercise of an extortion group that in 2017 despatched DDoS threats to hundreds of firms beneath the names of notorious hacker teams on the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Nameless).

Concentrating on ransomware assault victims

One other report from incident response firm Arete confirms Kroll’s observations about Midnight Group’s fraudulent emails impersonating Surtr and SRG and the bigger variety of messages delivered within the weeks earlier than March 24.

Based mostly on their visibility, although, the incident responders noticed that Midnight focused organizations that had beforehand been victims of a ransomware assault.

In response to Arete’s analysts, among the many preliminary attackers are QuantumLocker (at present rebranded as DagonLocker), Black Basta, and Luna Moth.

Arete says that at the very least 15 of their present and former shoppers acquired faux threats from the Midnight Group, which supported their knowledge theft claims with imprecise particulars.

It’s unclear how victims are chosen however one risk is from publicly accessible sources, such because the preliminary attacker’s knowledge leak website, social media, information reviews, or firm disclosures.

Nonetheless, Arete notes that the faux attacker recognized some ransomware victims even when the information was not publicly accessible, probably indicating collaboration with the preliminary intruders.

Ransomware actors usually promote the info they steal from victims even once they receives a commission. If Midnight Group has entry to the markets and boards the place this knowledge is traded or bought they may find out about ransomware victims which have but to reveal the cyberattack.

Empty threats since 2019

Midnight Group’s extortion rip-off will not be new. The tactic has been noticed in 2019 by ransomware incident response firm Coveware who calls it Phantom Incident Extortion.

Coveware explains that the menace actor tries to present credibility to the menace by utilizing knowledge that’s distinctive to the recipient goal, provides the strain of a pricey consequence, and calls for cost that’s far lower than the harm of public publicity.

All these three elements are the mainstays of a phantom incident extortion (PIE) and a transparent indication of an empty menace.

Coveware initially offered 4 examples of PIE scams and up to date the report solely just lately with a pattern e mail from the Midnight Group.

All three firms assess that Midnight Group’s threats are a part of a fraud marketing campaign. Arete’s try to interact with the actor resulted in no response or proof of stolen knowledge from the actor.

The advice is to rigorously analyze such emails to acknowledge the elements of a phantom incident extortion message and dismiss them as an empty menace.