Fake ransomware demands payment without actually encrypting files

Christopher Boyd

“Fake it till you make it” ransomware groups are trying to get rich off the backs of genuine ransomware authors. Why “fake it till you make it”? Because they don’t actually create ransomware or compromise networks in any way. They’re simply lying through their teeth and hoping that the recipients of their messages don’t realise until it’s too late.

As reported by Bleeping Computer, a group named Midnight has been using this tactic since at least March 16, and the organisations affected all seem to be located in the US. 

The battle plan of a fake ransomware group

The general approach is as follows:

  • Claim to be a different, genuine ransomware group. If the scammers claim to be some sort of obscure (but known) affiliate or spin-off, so much the better. The target will confirm the group exists with a quick Google search, but won’t be able to do much more beyond that.
  • Use a panic-inducing email subject. “Notifying you about your business’s security case, we accessed your information” is one example given.
  • The bigger the theft claim, the better. They talk of accessing HR records, employee records, personal and medical data. In one “attack” 600GB of data was supposedly taken from business servers.
  • Targeting genuine victims by accident or design. Some businesses targeted by the fakers had indeed suffered a ransomware attack of some kind previously. Either the scare tactic mails are being blasted out to a large audience to see what comes back, or there is some deliberate targeting of organisations going on.

Nothing new, but potentially disastrous all the same

Fake mails are nothing new; 18 years of the same 419 mail is as good an example as any. Send enough emails out and someone, somewhere, will fall for it eventually. The bogus ransomware extortion attempt even has a name: the “Phantom Incident Scam”.

Even so, this is an area of attack where a good response strategy is very effective against people hoping you’ll fall for a technology-based lie. If your incident response consists of opening one of these missives, panicking, and racing to pay the fraudsters, it could end up being a very costly and needless mistake. Whether or not you’re aware of your organisation having had a genuine breach, having someone on the org chart as the designated point of contact for such an eventuality will come in very handy indeed.