Recent reports have uncovered that malicious actors are using fake extortion tactics to obtain funds from companies in America. The operators are pretending to be ransomware operators and piggybacking on real ransomware incidents and data breaches, threatening firms with selling on or publishing data they claim to have stolen unless they are paid a requested amount.
In some instances recorded, the operators add pressure to their demands with distributed denial-of-service (DDoS) attacks. These tactics are typically deployed when a chosen victim refuses to comply with the attacker’s instructions.
Masquerading as ransomware operators
The attackers responsible for the recently revealed activity are operating under the name “Midnight”. Investigators have discovered that they have been targeting companies in America from March 16 2023.
The actors have also pretended to be part of known data extortion and ransomware gangs in malicious emails, claiming ownership of multiple intrusions and stealing high volumes of critical data.
In an email that was sent to an employee of a petroleum additive holding company, the threat operator impersonated an operative of the Silent Ransom Group, a known faction of the infamous Conti syndicate, which focuses on data theft and victim extortion.
However, an identical message was discovered that pretended to be issued by the Surtr ransomware gang, another cybercriminal outfit which was witnessed encrypting company networks back in December of 2021.
The messages issued by the Midnight Group were sent to the email address of one of the target’s former senior financial planners, who had left six months before the mail arrived.
DDoS threats issued
In late March, a report was issued by Kroll corporate investigation’s division for managed detection and response. This report warned senders of the bogus ransomware emails also threatening victims with DDoS attacks.
Investigators at Kroll commented that from March 23, organisations began filing a rising number of reports for malicious emails received from an actor stating they were part of the Silent Ransom Group. The Kroll report defined the campaign as a brand-new wave of fake extortion attempts, adding that the operators were using the names of well-known threat actors to make their threats appear genuine and to intimidate.
The report commented:
“This method is cheap and easily conducted by low-skilled attackers. Much like 419 wire fraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. We expect this trend to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals.”
The corporate investigators noted that they had witnessed incidents of this kind since 2021. However, this specific activity started even earlier, at the start of November 2019, when victims who refused to pay up were subject to DDoS attacks.
While these attacks used low-level DDoS, the threat of a larger attack was implied should the extortionists fail to receive the payment they requested. DDoS attacks can cause havoc for companies, resulting in a loss of productivity and profit when sites are driven offline by a barrage of fake user requests that servers can’t cope with.