By Chester Wisniewski
Cybercriminals traditionally operate in the shadows of the Darknet and prefer to avoid the spotlight to ensure the success of their campaigns that rely on stealth. However, in the face of the exponential growth of ransomware in recent years, the cyber threat landscape has undergone a radical transformation, to the point that some groups that exploit this type of attack are going so far as to implement specific communication strategies aimed at the media and the general public.
This revolution in the way of communicating is based above all on the obvious interest of this type of group: to push their victims to pay a ransom. To achieve this objective, any means will do, including increasing the pressure on their targets or exploiting the propensity of the press to cover exclusives in order to make themselves known, recruit or restore a reputation tarnished by the supposed “biases” of the traditional press.
So how is the relationship between criminal organizations and the media characterized? Is it a confrontation, a more symbiotic relationship? What are the tactics and communication strategies that ransomware gangs employ to gain an advantage in the cyber field?
Taking Advantage of Media [Over]exposure to Increase Pressure on Victims
It’s no secret that ransomware is making headlines, especially because of the increase in the number of attacks and the extent to which the groups that rely on this type of cyberattack are becoming more professional. In turn, cybercriminals are starting to realize the opportunities presented by the hype they receive.
For example, some groups decide to republish links to press articles on their blogs or websites in order to strengthen their position as a credible threat in the eyes of the public and their victims. Other gangs even go so far as to offer collaborations, such as RansomHouse, which communicates with journalists via encrypted messaging services.
These communication techniques are reminiscent of good practices in press relations or public relations used by legitimate companies. Of course, the main objective – apart from a possible need to increase their notoriety or boost their ego – is to put pressure on their victims, either by directly threatening to leak stolen data to the press, or by showing them that they represent a credible threat. Thus, communication with the media becomes a tool in its own right for criminals.
Strengthen Your Presence to Control the Narrative
A small number of small groups even go so far as to publish “press releases”. Often, these aim to correct “erroneous” information published in the press about their activities, in order to clarify their position. Sometimes, these communications aim to restore an organization’s image or to highlight alleged ethical values related to data privacy or the choice to “protect” data stolen from certain victims, such as hospitals, in order to highlight the organization’s “responsibility”. These articles aim to redesign their image by giving a more professional look to their organization.
Others go even further in professionalization, like Karakurt, which has a page dedicated to the publication of such communiqués. In these articles, they try to mimic the style and form of traditional press releases to highlight successful attacks, data leaks, or internal activities within the organization, such as recruiting new members. Another example is the Conti group, which was the subject of a vast data leak in the press in February 2022. Its organization was surprisingly similar to that of a company, and it even had a person dedicated to negotiations and writing “blogposts”.
Some members of ransomware gangs are also willing to give interviews to journalists or researchers. In these interviews, they focus on describing the “glamorous” and lucrative aspects of their criminal activities.
Here again, all these activities are very similar to the communication strategies put in place by legitimate organizations in terms of branding. They allow cybercriminals to better control their image in the media and in the public eye by offering their own narrative – for recruitment purposes, for example. Although these developments are still in their infancy, it would not be surprising to see some groups enlist the services of teams of press relations professionals in the future.
Between Mistrust and Reputational Damage: A Tumultuous Relationship
However, ransomware gangs have discovered the hard way that the relationship with the media is not necessarily an asset, especially if they are subject to too much attention that prevents them from operating. For example, ransomware groups and other malicious actors have already complained of “unfairly negative” press coverage, such as WormGPT, which had to shut down its operations, or the Cl0p ransomware gang, which published communications “in order to set the record straight” in the face of what it considered to be “propaganda” from the BBC.
It is important to note that the cybercriminal world still maintains a certain mistrust of the press and the media, due to the many journalists who have supposedly “infiltrated” discussion forums. This has even led some actors to hijack the image of journalists [photos, profiles, etc.] or researchers in order to put pressure on these targets. Even organizations like LockBit, which seemed to be the most inclined to engage in conversation with the press, viewed journalists as adversaries who “make up” and spread false information about them.
Ransomware gangs are now aware that the attention they receive and their reputation with the public and their potential victims are not all downsides. Some of them have therefore begun to exploit these opportunities by implementing communication strategies and techniques similar to those that companies use with the media. However, their relationship with the media remains ambiguous, to say the least, and the mistrust that underlies it suggests that they will encounter difficulties in occupying the same space or really exploiting the same communication strategies as legal and legitimate companies.
(Chester Wisniewski is Director, Global Field CTO at Sophos).