Sophos X-Ops delves into the intricate, at times uneasy, relationship between ransomware gangs and the media. It examines how threat actors are progressively striving to seize control of the narrative.
In the past, threat actors generally avoided interactions with journalists. While they may have monitored press coverage related to their activities, actively seeking attention was not their typical approach. Maintaining a low profile was often a higher priority for them. The notion of attackers routinely issuing press releases, making statements, or engaging in detailed interviews and debates with reporters seemed absurd—although, interestingly, they were occasionally willing to engage in public disputes with each other.
And then the ransomware gangs arrived.
Ransomware has altered various aspects of the threat landscape, and a significant recent trend is its growing commoditisation and professionalisation. There’s ransomware-as-a-service; logos and branding (and even paying acolytes to get tattoos) and slick graphics on leak sites; defined HR and Legal roles; and bug bounty programmes. Accompanying all this – alongside the astronomical criminal gains and the misery heaped on innumerable victims – is a slew of media attention, and an increasingly media-savvy assortment of threat actors.
Contrary to the past practices of many threat actors who avoided media attention, certain ransomware gangs today actively embrace the opportunities it presents. These groups not only write FAQs for journalists visiting their leak sites but also encourage reporters to reach out, participate in detailed interviews, and even hire writers. Engaging with the media offers ransomware gangs both tactical and strategic benefits. It allows them to exert pressure on their victims while also providing a platform to shape the narrative, enhance their notoriety and egos, and further cultivate a mythicised image of themselves.
Certainly, the dynamics between ransomware actors and journalists are not always harmonious. Lately, Sophos has witnessed multiple instances of ransomware actors challenging journalists’ accounts of attacks and attempting to set the record straight, occasionally including personal insults directed at specific reporters. While this has broader implications for the overall threat landscape, it also affects individual targets directly. Organisations, in addition to grappling with the business consequences, ransom demands, and reputational damage, now find themselves compelled to witness public clashes between ransomware gangs and the media—each incident generating more coverage and intensifying the pressure even further.
Sophos X-Ops examined various ransomware leak sites and underground criminal forums to investigate the strategies ransomware gangs employ to manipulate the media and shape the narrative. This endeavour involves hacking not just systems and networks, but also the publicity that surrounds an attack.
Here is a concise overview of Sophos X-Ops’ findings:
- Ransomware gangs are aware that their activities are considered newsworthy, and will leverage media attention both to bolster their own ‘credibility’ and to exert further pressure on victims
- Threat actors are inviting and facilitating communications with journalists via FAQs, dedicated private PR channels, and notices on their leak sites
- Some ransomware gangs have given interviews to journalists, in which they provide a largely positive perspective of their activities – potentially as a recruitment tool
- However, others have been more hostile to what they see as inaccurate coverage, and have insulted both publications and individual journalists
- Some threat actors are increasingly professionalising their approach to press and reputational management: publishing so-called ‘press releases’; producing slick graphics and branding; and seeking to recruit English writers and speakers on criminal forums
Sophos X-Ops’ aim in publishing this information is to explore how, and to what extent, ransomware gangs are increasing their efforts in this area, and to suggest things that the security community and the media can do now to negate those efforts and deny ransomware gangs the oxygen of publicity they’re seeking:
- Refrain from engaging with threat actors unless it’s in the public interest or provides actionable information and intelligence for defenders
- Provide information only to aid defenders, and avoid any glorification of threat actors
- Support journalists and researchers targeted by attackers
- Avoid naming or crediting threat actors unless it’s purely factual and in the public interest
Leveraging the media
Ransomware gangs are acutely aware of the media’s interest in their activities, often incorporating links to previous coverage of themselves on their leak sites. This not only strengthens their perceived legitimacy as a real threat for site visitors, including reporters and potential victims, but also serves as a possible ego boost in certain instances.
Figure 1: Vice Society thanks a specific journalist for an article in which it was part of a ‘Top 5’ of ransomware and malware groups in 2022
Figure 2: The Play ransomware group links to a Dark Reading article on its leak site
But some ransomware gangs aren’t content with merely posting existing coverage; they’ll also actively solicit journalists.
Take the RansomHouse group, for instance; they have a message on their leak site explicitly targeting journalists. In this message, they extend an offer to share information on a ‘PR Telegram channel’ before its official publication. RansomHouse is not the only one employing this tactic; reportedly, the LockBit ransomware group engages with journalists using Tox, an encrypted messaging service (with many ransomware gangs listing their Tox ID on their leak sites).
Figure 3: An invitation from RansomHouse
Figure 4: The RansomHouse PR Telegram channel
The 8Base leak site has an identical message (as other researchers have noted, 8Base and RansomHouse share other similarities, including their terms of service and ransom notes).
Figure 5: 8Base’s message to journalists
Rhysida’s contact form on its leak site addresses several groups of people. Interestingly, journalists appear first on this list, before ‘Recoveries’ (presumably referring to victims or people working on their behalf).
Figure 6: Rhysida’s contact form
On the Snatch leak site, the threat actor features a “Public notice.” Notably, item number eight on this list states, “Snatch is open to collaboration with any media to make data leakage situations shared and visible to a wide range of people.” Similar to Rhysida, journalists are prioritised before victim negotiations on this list.
Figure 7: Snatch’s ‘Public notice’
On the leak site of Vice Society, the threat actor acknowledges, “There are many journalists asking questions about us and our attacks.” The message extends to include a comprehensive FAQ section tailored for reporters. This includes a request for journalists to furnish their name and media outlet, along with specifications about questions the group opts not to answer. Interestingly, for reporters facing tight deadlines, the threat actor assures that they strive to respond to queries within 24 hours—an instance of adhering to professional PR best practices, underscoring its significance to the threat actor.
Figure 8: Vice Society’s FAQ for journalists
As mentioned earlier, a significant portion of these actions is likely undertaken for the sake of boasting and enhancing criminals’ credibility and notoriety. This, in turn, can indirectly intensify the pressure on victims. However, certain groups are more overt in their intentions. For instance, Dunghill Leak explicitly informs victims that if they fail to make payments, they will take various actions, including disclosing data to the media.
Figure 9: Dunghill Leak’s warning to victims, including a threat to send data to the media
Although not covered extensively in this article, it’s noteworthy to mention the final line: Dunghill issues a threat to “invite various law firms to take up a group case.” While ransomware class action lawsuits are not unprecedented, they might become more prevalent in the future.
In a similar vein, we observed a user posting on a prominent criminal forum about a company which had been the victim of a data breach. The user stated that negotiations had broken down, and offered to provide “the entire negotiation exchanges” to “verified press or researchers” – and also noted that “for those who wish to partake in litigation…you can use the below snippet of the negotiations.” This is one of the ways in which ransomware actors are shifting their strategies, using multi-pronged weaponization (publicity, lawsuits, regulatory obligations) to exert further pressure on victims. For instance, ALPHV/BlackCat recently reported a victim to the Securities and Exchange Commission (SEC) for not disclosing a breach – something which some commentators believe may become increasingly common.
Figure 10: A post on a criminal forum, regarding a data breach
Other ransomware groups are keenly aware that they can apply added pressure on victims by introducing the possibility of media attention. Our Managed Detection and Response (MDR) team recently observed ransom notes from both Inc (“confidential data…can be spread out to people and the media”) and Royal (“anyone on the internet from darknet criminals…journalists…and even your employees will be able to see your internal documentation”), containing this particular threat.
Certainly, not all ransom notes make reference to the media, and many ransomware gangs maintain minimalist, straightforward leak sites that solely enumerate their victims without making direct appeals to journalists. However, some take a more direct approach by engaging with the media through interviews.
Several ransomware actors have given in-depth interviews to journalists and researchers. In 2021, the LockBit operators granted an interview to Russian OSINT, a YouTube and Telegram channel. The same year, an anonymous REvil affiliate spoke to Lenta.ru, a Russian-language online magazine. In 2022, Mikhail Matveev (a.k.a. Wazawaka, a.k.a. Babuk, a.k.a. Orange), a ransomware actor and founder of the RAMP ransomware forum, spoke in detail to The Record – and even provided a picture of himself. And a few weeks later, a founding member of LockBit spoke to vx-underground (in which they admitted that they own three restaurants in China and two in New York).
In most of these interviews, the threat actors seem to relish the opportunity to give insights into the ransomware ‘scene’, discuss the illicit fortunes they’ve amassed, and provide ‘thought leadership’ about the threat landscape and the security industry. Only one – the REvil affiliate – gives a mostly negative depiction of the criminal life (“…you are afraid all the time. You wake up in fear, you go to bed in fear, you hide behind a mask and a hood in a store, you even hide from your wife or girlfriend”).
So, in addition to the motivations we’ve already discussed – notoriety, egotism, credibility, indirectly increasing pressure on victims – a further possible reason for engagement with the media is recruitment. By depicting ransomware activity as a glamorous, wealthy business (“the leader in monetisation,” as Matveev puts it), threat actors could be trying to attract more members and affiliates.
In the next feature we will take a look at the remaining sections of Sophos’s report:
- Press Releases
- When things go wrong
- An uneasy relationship
Sophos X-Ops would like to thank Colin Cowie of Sophos’ Managed Detection and Response (MDR) team for his contribution to this article.