Groove Operators Reportedly Ask Peers to Attack USAfter Law Enforcement Agencies Attack REvil, Gangs Show Solidary
The operators behind Groove ransomware are calling on other extortion gangs to join forces to attack the U.S. public sector, according to chatter seen on underground forums, reports malware research organization vx-underground, citing a blog posted by the gang on a Russian site.
The announcement comes after notorious ransomware gang REvil - aka Sodinokibi - recently suffered a massive outage due to the coordinated efforts of U.S. and foreign law enforcement agencies. (See: DarkSide Transfers $7 Million Worth of Bitcoin)
The gang has reportedly advised its peers to not target Chinese companies, as they say they may need a safe haven if Russia begins to take action against cybercriminals.
The group asked its peers to "show the old man" - U.S. president Joe Biden - "who is the boss and will be on the internet," according to the cybercrime watcher.
In May, Biden signed an executive order describing the government's plan to increase cybersecurity protection across the public and private sectors as well as secure the nation's digital infrastructure. The order is part of the Biden administration's response to a series of cybersecurity incidents that have occurred over the last several months.
Separately, multiple ransomware groups have taken to dark web forums to post anti-U.S. screeds and defend hacking organizations, according to NBC news, which says it has access to these posts.
Anthony Chadd, senior vice president of global sales at cybersecurity firm Neustar, tells ISMG that established cybercriminals calling on their peers for support highlights how "collaborative, organized and even open-sourced they are in their approach."
"Not only are cybercriminals selecting their targets together, they are openly discussing potential safe refuge. This all points to a more combined and thought-out approach by ransomware gangs," Chadd notes.
Impact of Law Enforcement Actions
Groove's post illustrates the impact that law enforcement actions are having on cybercriminal groups, says Erich Kron, security awareness advocate at cybersecurity firm KnowBe4.
"The post offers some insight into the mentality of these gangs, as the writer appears indignant about the arrest of a fellow criminal and the steps the U.S. government is taking to battle this threat," Kron tells ISMG.
According to NBC News, however, ransomware group Conti has posted that it is undeterred by the U.S. government's action and that ransomware actors are, in fact, the "true victims."
“First, an attack against some servers, which the U.S. security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs,” the dark web blog post sys, according to NBC News. “With all the endless talks in your media about 'ransomware-is-bad,' we would like to point out the biggest ransomware group of all time: your Federal Government."
The Conti group also questioned if there was a law that legitimized such "indiscriminate offensive action," NBC News says.
Call to Tighten Defenses
John Fokker, head of cyber investigations for McAfee Enterprise's Advanced Threat Research team, says enterprises should use this warning as an opportunity to get ahead of adversaries and tighten their defenses.
“This could include the use of threat intelligence, which helps organizations predict and prioritize potential threats before preemptively adapting their defensive countermeasures, ensuring optimized security and future business resilience,” Fokker notes.
Deploying a security strategy that blends both zero trust and SASE approaches will help enterprises protect entry and data at every control point, he adds, saying, "This approach is particularly important as opportunistic actors evolve their tactics and will help to ensure organizations have the necessary barriers to protect against attacks of any size."
KnowBe4's Kron adds that since ransomware is most often spread through email phishing, ensuring that employees are trained to spot and report these emails is critical, as is having tested and protected backups to help recover quickly.
The Groove operation, which appears to have been created by former members of Babuk, in September claimed that it wouldn't limit itself to crypto-locking malware. At the time, it sought pentesters and other attackers with network-penetration experience, offering to give them a cut of all criminal proceeds.
Groove is reportedly tied to a cybercrime forum known as RAMP, headed by an individual who used the moniker "TetyaSluha" before changing it to "Orange." RAMP is also the acronym for Russian Anonymous Marketplace, an underground drugs market that Russian police shuttered in 2017. Orange claims the new version stands for "Ransom Anon Mark[et] Place."
Bleeping Computer had reported that Orange recently stepped down as the forum's administrator to pursue a new operation. A later post by the same actor further indicates that the threat actor is likely starting a new ransomware operation to target U.S. hospitals and government agencies, it says.
The publication also claims that Groove's recent post correlates with Orange's post saying that all U.S. interests would be targeted.