U.S. companies threatened by fake data leaks

The Phantom Incident Extortion scam

Fake ransomware gang targets previous ransomware attack victims

Since at least March 16, a group of cybercriminals calling itself the Midnight Group has been targeting US companies, threatening to sell or publish stolen data unless they are paid. The group latches onto data breaches and ransomware incidents the targets have already suffered and sends bogus extortion emails built around them to scare victims into paying. If the recipient does not follow the instructions in the email, the attackers threaten a distributed denial-of-service (DDoS) attack.

The Midnight Group's extortion scheme is not a new one. Coveware, a ransomware incident response company, identified the tactic in 2019 and dubbed it Phantom Incident Extortion.[1] The threat actor tries to make the threat credible by citing data that is unique to the targeted recipient, adds the pressure of a costly outcome, and demands a payment that is far less than the damage public exposure would cause. These three elements are the foundation of a phantom incident extortion (PIE) message, and their combination, with nothing verifiable to back the claim, is a clear indication of an empty threat.

Coveware initially provided four examples of PIE scams and only recently updated the report with a sample email from the Midnight Group. Coveware recommends carefully examining such emails to identify the components of a phantom incident extortion message, and dismissing them as a false threat once those components are confirmed.
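The examination Coveware recommends can be turned into a repeatable triage step. The following script is an added example, not Coveware's or the article author's code: it scores one email body against the three PIE elements (recipient-specific detail, costly-outcome pressure, a demand far below the cost of exposure) and the two supporting signs responders reported (a borrowed ransomware brand name, no verifiable proof of theft). The group names are the ones mentioned in this article, the two emails and the incident register are constructed for the example, and the `LOW_DEMAND_USD` cut-off is this example's own assumption, since the article gives no figure.

```python
"""Triage helper for suspected Phantom Incident Extortion (PIE) emails.

Added example: scores an extortion email against the PIE pattern described
in the article. Sample emails, the incident register and the demand
threshold are constructed/assumed for this example.
"""
import re
from dataclasses import dataclass, field

# Ransomware brands the fake extortion campaigns are reported to borrow for
# credibility (names taken from the article; not an exhaustive list).
KNOWN_BRANDS = ("midnight group", "silent ransom group", "luna moth",
                "black basta", "quantumlocker", "dagonlocker")

# Language that applies "costly outcome" pressure: leak/sale threats, DDoS
# threats and deadlines.
PRESSURE_PATTERNS = (
    r"\bddos\b", r"denial[- ]of[- ]service", r"\bpublish", r"\bleak",
    r"\bsell\b.{0,30}\bdata\b", r"\bdeadline\b",
    r"\bwithin \d+ (?:hours?|days?)\b",
)

# Artefacts a genuine data thief can produce and a phantom one cannot:
# sample files, a file listing, hashes of stolen documents.
PROOF_PATTERNS = (
    r"\bsample files?\b", r"\bfile (?:list|listing|tree)\b",
    r"\b\S+\.(?:pdf|xlsx|docx|sql|zip)\b", r"\b[0-9a-f]{32,64}\b",
)

# US-dollar demand, e.g. "$25,000" or "25,000 USD".
AMOUNT_RE = re.compile(r"\$\s?([\d,]+)|([\d,]+)\s*usd\b")

# Assumed threshold: the article says PIE demands are far below the cost of
# public exposure but gives no number, so this cut-off is an assumption.
LOW_DEMAND_USD = 100_000


@dataclass
class Verdict:
    indicators: dict = field(default_factory=dict)

    @property
    def likely_pie(self) -> bool:
        """All three PIE elements present and nothing verifiable offered."""
        i = self.indicators
        return bool(i["recipient_specific"] and i["pressure"]
                    and i["low_demand"] and not i["offers_proof"])


def parse_demand_usd(text: str):
    """Return the first dollar amount in the text as an int, or None."""
    m = AMOUNT_RE.search(text)
    if not m:
        return None
    raw = m.group(1) or m.group(2)
    return int(raw.replace(",", ""))


def triage(body: str, org_name: str, prior_incidents: list[str]) -> Verdict:
    """Score one extortion email against the PIE pattern.

    prior_incidents: ransomware groups recorded in the organisation's own
    incident register, used to spot the "previous victim" targeting.
    """
    text = body.lower()
    demand = parse_demand_usd(text)
    v = Verdict()
    # 1. Detail unique to the recipient: the organisation's name and/or a
    #    reference to an incident it really did suffer.
    v.indicators["recipient_specific"] = (
        org_name.lower() in text
        or any(g.lower() in text for g in prior_incidents))
    # 2. Pressure of a costly outcome.
    v.indicators["pressure"] = any(re.search(p, text) for p in PRESSURE_PATTERNS)
    # 3. A demand far below the damage of exposure.
    v.indicators["demand_usd"] = demand
    v.indicators["low_demand"] = demand is not None and demand < LOW_DEMAND_USD
    # Supporting signs reported by incident responders.
    v.indicators["impersonates_brand"] = any(b in text for b in KNOWN_BRANDS)
    v.indicators["offers_proof"] = any(re.search(p, text) for p in PROOF_PATTERNS)
    return v


# Constructed sample in the shape of the Midnight Group messages described.
PHANTOM_EMAIL = """\
Hello Acme Logistics,

We are the Midnight Group. During the Black Basta incident last year we
obtained 600 GB of your contracts, financial records and employee data.
Pay $25,000 within 48 hours or we publish everything on our leak site and
launch a DDoS attack against your public services.
"""

# Constructed counter-example: a message that backs its claim with artefacts
# an analyst can check and makes no low-ball demand.
SUBSTANTIATED_EMAIL = """\
Hello Acme Logistics,

Attached is a file listing of the exfiltrated share and two sample files
(Q3_payroll.xlsx, sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08).
We will discuss terms; price is $2,000,000.
"""

if __name__ == "__main__":
    register = ["Black Basta"]  # constructed incident register entry
    for label, mail in (("phantom", PHANTOM_EMAIL), ("substantiated", SUBSTANTIATED_EMAIL)):
        v = triage(mail, "Acme Logistics", register)
        print(label, "likely PIE:", v.likely_pie, v.indicators)
```

The verdict is a triage aid, not a final call: a message that matches every PIE element is a candidate for dismissal, but the claimed data should still be compared with what the earlier incident actually exposed, because the sender may simply be reading the original gang's leak site.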

Targets are organizations that have previously been ransomware victims

Incident responders with visibility into these cases report that the Midnight Group targets organizations that were previously victims of ransomware attacks. According to analysts at Arete,[2] QuantumLocker (since rebranded as DagonLocker), Black Basta, and Luna Moth are among the original attackers. Arete says at least 15 of its current and former clients received bogus threats from the Midnight Group, which backed its data-theft claims with only vague details.

It is unknown how victims are chosen, but one possibility is that they are picked from publicly available sources, such as the original attacker's data leak site, social media, news reports, or company disclosures. Arete notes, however, that the fake attacker identified some ransomware victims whose incidents were not public, which suggests possible collaboration with the original intruders.

Report from corporate investigation and risk consulting firm Kroll

According to a report released in late March by the managed detection and response division of Kroll, a corporate investigation and risk consulting firm, the senders of similar emails also threatened recipients with DDoS attacks.[3] Kroll investigators say that beginning March 23, organizations filed an increased number of reports about emails received under the Silent Ransom Group name.

According to Kroll responders, it's “a new wave of fake extortion attempts,” and the authors use the names of well-known cybercriminals to intimidate and legitimize the threat:

This method is cheap and easily conducted by low-skilled attackers. Much like 419 wire fraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. We expect this trend to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals.

Once a threat has been identified as bogus, businesses must deal with it appropriately. Before dismissing a message, confirm that the data and incident it cites match nothing beyond what is already known from the earlier attack. In most cases, the best course of action is then to ignore the email and avoid engaging with the attackers: responding may embolden them and lead to more frequent and aggressive attempts. Companies should also maintain robust security controls, such as firewalls, antivirus software, and intrusion detection systems.

If the company does choose to respond, it must proceed with caution and never give the attackers any personal or financial information. Instead, it should contact law enforcement and report the threat. Law enforcement agencies can offer advice on how to handle the situation and may be able to identify the perpetrators.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
