July 1, 2020

We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Often the rationale behind couching these events as newsworthy is that the attacks involve publicly traded companies or recognizable brands, and that investors and the public have a right to know. But absent any additional information from the victim company or their partners who may be affected by the attack, these kinds of stories and blog posts look a great deal like ambulance chasing and sensationalism.

Currently, more than a dozen ransomware crime gangs have erected their own blogs to publish sensitive data from victims. A few of these blogs routinely issue self-serving press releases, some of which gallingly refer to victims as “clients” and cast themselves in a beneficent light. Usually, the blog posts that appear on ransom sites are little more than a teaser — screenshots of claimed access to computers, or a handful of documents that expose proprietary or financial information.

The goal behind the publication of these teasers is clear, and the ransomware gangs make no bones about it: To publicly pressure the victim company into paying up. Those that refuse to be extorted are told to expect that huge amounts of sensitive company data will be published online or sold on the dark web (or both).

Emboldened by their successes, several ransomware gangs recently have started demanding two ransoms: One payment to secure a digital key that can unlock files, folders and directories encrypted by their malware, and a second to avoid having any stolen information published or shared with others.

KrebsOnSecurity has sought to highlight ransomware incidents at companies whose core business involves providing technical services to others — particularly managed service providers that have done an exceptionally poor job communicating about the attack with their customers.

Overall, I’ve tried to use each story to call attention to key failures that frequently give rise to ransomware infections, and to offer information about how other companies can avoid a similar fate.

But simply parroting what professional extortionists have posted on their blog about victims of cybercrime smacks of providing aid and comfort to an enemy that needs and deserves neither.

Maybe you disagree, dear readers? Feel free to sound off in the comments below.

51 thoughts on “Ransomware Gangs Don’t Need PR Help

  1. Brian Haugli

    Would never have heard of the linked cyber firm if it wasn’t for this article. Bleeping Computer, sure. But, who’s Cyble? That said, is it really that big of an “ugly trend of trumpeting”?

    1. L Thomas

      Nicely written article Kerb security, seriously cyble and others are proxies of ransomware group, helping them in their agenda.

      F fox in name of Cyber defender community. What value do they add by taking Criminals posting and reposting to promote themselves and criminals.

      Breach notification tugs are PR machines, there is no research here.

    2. Randy

      Check out the heavyweights they have https://cyble.io/ (you’ll have to scroll a bit). Take particular note of the coincidence that the advisor and acting CFO, and the full stack developer with 3 years experience developing web applications share the same surname. But at least we know they are an ace group because of how diverse, i.e., not-European that group is, because if we know anything, people of European origin would not be as good as these people.

  2. The Sunsine State

    Never pay the ransomware, always make backups.

      1. Catwhisperer

        Ah, what I would give for a thumbs up button…

  3. Nobby Nobbs

    Well spotted, Brian! Need to watch for this, thanks!

  4. Steve C#

    What? The news media being irresponsible?

    1. Rico

      No, not the news media in general, rather, a few who depend on sensationalism to attract readers and stay afloat.

      1. JCitizen

        What news outlet DOESN’T rely on sensationalize doing their business? They ALL rely on it, and they don’t mind lying or at least exaggerating the facts to get those ad revenues! At best it is yellow journalism at it finest!

        KOS doesn’t do that – he just reports the facts, and relies on accurate gum shoe, hard work to get to the bottom of the story; and also provide us with the technical details so we who are in IT security can analyse each situation for clues on defensive tactics and policies. That is a BIG difference.

        1. Dirk

          “What news outlet DOESN’T rely on sensationalize doing their business?”

          Krebs on Security, for one.

          1. JCitizen

            One up-vote and kudos to you sir! +1

  5. Phil

    My 1st dumb idea was ‘what if a few of these cyber-braggers are trying to steer the stock market towards a favorable trade or aquisition?’

    But I also agree totally, re-publishing these stories is giving free press to the criminals and helping grow their impact when their ‘clients’ see the bad news coming at them from all directions

    1. David Newman

      Most likely they’re shorting the stock.

    2. Rob D

      This is selling sensationalism on name of cybersecurity research, b hell.

      Even first grader can do better job than these attention seekers.

      You have 10s of them like cybleinc, promoting them and criminals

      But we have reminder even media only like them.

      Everybody loves sensational news.

    3. Arpit Ban

      Well said, no cybersecurity only sensationalism

      Stop it cyble and bleeping computers, you don’t have substance

  6. jdgalt

    You might want to coordinate with Troy Hunt of haveibeenpwned.com, who has been dealing with this question for a long time. HaveIBeenPwned is a site that lets you check to see if you’re included in data dumps he’s seen from breaches.

  7. PHP

    The cyber security firms needs to blow up the risk to get new customers. But I agree, if they have nothing new, then there is no need to do anything about it.

    In Denmark, we had a Cisco Security director on TV telling about a recent exploit of NemID, our national digital ID, with MFA. He focused on blaming one weak point, the vendor scheduled to be replaced, completely forgot to tell citizens how it could have been avoided.

    Here, the user used a public computer, used her SSN to login (you can pick an alias) so people with a keylogger could use that to identify her. Mistake 1.
    Then she used her cardboard gridcard for MFA. Mistake #2.

    The “hack” involved fishing gridcard out of users mailbox.

    If user had setup an alias up front, the user would not have been identifiable, and mailbox phishers would not know where to go. #1.

    She used her cardboard card. There is a MFA app instead with push notification. If she had used that, there would be no gridcard to pick from her mailbox. #2.

    If the focus had been here, the “Expert” would have helped the citizens, now it just became an attack on an already disliked company – Probably not using Cisco equipment.

    So even the expert companies like Cisco are having political agendas when going in the media, rather than helping Joe Average.

    1. JCitizen

      CISCO has just as many vulnerabilities as the competitors, so they don’t need to be talking. (in anyway that makes them look superior)

    1. JCitizen

      And if you have a Windows network, learn how to harden the system using the MMC/Active Directory configurations, and other mitigation.

  8. Outside The Marginals

    When will people realise that those who just republish other people’s press releases are not journalists?

    Just republishing a press release is not journalism; it is lazy and potentially damaging. Little more than rumour-mongering.

    A press release may inform a story but it can rarely be the story. A journalist has to own the stories they write which means they have to add value.

    1. JW

      Exactly. It’s like the “news” articles about famous people where all the “article” consists of is a collection of tweets and Instagram posts by other famous people.

  9. Matt

    Thank you for posting this! Dear cybersecurity ambulance chasers who love to be quoted with bold statements about what a company should have done (holistically), develop a solution that works and learn how to sell it better….you’re worse than lawyers.

    1. Randy

      Although this is just being a snarky juvenile, and you point us still valid, I don’t think you have an appreciation for just how broken the bigger system is before any lines of code or security controls are set. It would not surprise me one bit if the obscure solicitation to do the work on that site even had far superior offers from competent offerers, but after the diversity quotas (https://cyble.io/ is very diverse), and their frequent underbidding due to off-shored work of predictable quality, and quite plausible nepotistic corruption; all the competent offers are thrown out and you get this kind of situation.

  10. David

    I work for a huge corporate company in a tiny role in their IT department. Unlike previous jobs I have had, I have almost no way to make improvements or make suggestions. “Just do your job” seems to be the mantra here. That being said I have over 40 years of experience and have also thought security of our data was the most important. I am always the most concerned about security. Backups should be one of the top two or three concerns but it always gets pushed to the bottom of the pile. Until something happens, then suddenly it becomes important.

    I like to hear about postmortem reports as I use them to better educate myself and to hopefully, some day, be able to make a difference. Do I need to know about the bad guys (except when they get arrested)? No.

  11. Mahhn

    I feel a big part of the expanding crimes is that they tend to skip the human factor. That people without morals/ethics respect and empathy constantly bring people to ruin after a life time of work.
    These crimes are treated like a device got broken, not hundreds of thousands of peoples accumulated life’s work stolen from them. People closest to the criminals (writers, prosecutors, LE, judges) treat them as little more than technical wiz bags that did a nono. While these criminals are the ones facilitating destroy lives though financial destitution, lack of medical services. I’m not talking about the high risk daytrader, or bitcoin miner, that take their own chances, it’s the normal people that spend 40 hours a day for 40 years in a factory, hospital, fields working hard for that retirement. Then getting punished as if they accidently committed a crime. When they actually spent months to years working out how to screw over their fellow humans. I call for harsh punishment all the time, because I know that the lack there of (by proof of the crime rate) encourages more criminal action. Some people are not good, that is just the way it is. Facilitating evil people, marginalizing their crimes, light handed punishment with no justice for the victims. The problem is not Technology, though it is in constant improvement. It’s bad people that never improve as humans. If you don’t toss the bad apples out of the barrel, they will all rot – and that is where we are.

    1. JCitizen

      Totally agree; and sometimes I’d like to see the death penalty for those that attack health care concerns, as they are actually killing people with their dastardly deeds!

  12. John

    Information is critical here. You do a great public service to all of us in the IT industry by reporting on your stories. I learn a lot about why things happen, how they happen, what was the background and the response provided, by reading your stories.

    As an example, when Hackensack (northern NJ) was breached, information was impossible to come by. The organization reported nothing and other organizations in the healthcare industry (of which I am part of), could not learn from this episode. While I don’t recall you working on this story, you have highlighted other companies, service organizations, that fell victim in similar situations.

    When you highlight how the bad guys work and how companies can learn from it, it helps all of us who are trying to protect our organization.

    Keep the information coming ! Shine a light on the good and the bad – as it helps us prepare.

    I have worked as a senior leader in technology for many years and I am still learning.

  13. Lee

    I agree that we shouldn’t grandize these ransomware actors (evil, maze, anonymous, ect). They all got their notoriety from pumping their PR machine. However the news that are created from their acts should be a public service, especially when the company in question is a public company or a MSSP or similar. I think that more resources and focus needs to be placed on capturing these criminals. Imagine if a gang of people manage to sneak by the security of a fortune 500 company, hospital, university, city/state government, defense contractor and goes in and steals all the electronic equipments, whether its a IOT clock, Sensor, PC, Laptop, Server, Security Cameras, Door Locks, hospital patient care equipments, HVAC, lighting, proprietary plans/business docs, ect. Then leave a ransom note to say that it’s in a warehouse somewhere but the location would only be revealed with a paid ransom. What would the police do? Imagine if the gang are military officers from a nation state, what should the US do? Then do the same for these actors when they do damage/steals through the network.

  14. Tycho

    Is Cyble even a real company? There about us pages has zero useful info, their login page scores an ‘F’ in securityheaders.com and they don’t even have DMARC enabled. All of that information in only 5 minutes of OSINT.

    Not a good look for a security company. LOL

    1. bob

      they are a startup of less than a dozen people. they are a member of the forbes security council. it’s the media feeding the media and brian is giving them more attention.

      1. Goethe Tm

        Cyble and all others are shame in name of cybersecurity. All they know copy from somebody’s work, FUcking hell they have ML and AI engines to promote cybercrime 🙂 another Delhi fraud

      2. Huntum Reiko

        Ran a quick check on them using my connect in India…cyble has 4 guys operating from India. Claiming themselves as cybersecurity company. It is not even a proper company. A shared office address in Atlanta who operates from there, nobody I think.

    2. SayNoToCriminals

      Cyble Inc is an Indian start-up ran by Beenu Arora

      Mr. Arora is so bright that they used the alias Beenu throughout the hacking communities and in interactions! At one point collaborating with criminals. Which brings to question are they trading exposure of breaches in exchange for the hacked data?

      Beenu was/is a member of the Indian Cyber Warriors

      Beenu would make a good story for you Brian

      1. Matt Levin

        This cyble guy is another scammer from Delhi

  15. Anon

    News outlets should hold off publishing anything until they have confirmation from the victim company that any negotiations have come to an end, and they have confirmed the breach. Criminals already threaten to contact news outlets if payment is not made, why embolden and trumpet them further?

  16. Pete

    I agree that their story could have been better, but find it strange you singled out Bleeping Computer. They are hands down one of the best sources of ransomware info and have been invaluable to me over the years.

    There are also far more tech news sites that you could have linked to that provide no good purpose instead of spreading BS. I see that Callow person from Emisoft in almost every ransomware article about these leaks.

    Maybe security companies are to blame too?

    This is a peculiar article for sure.

    1. BrianKrebs Post author

      I’m a big fan of them too, Pete, which is why this story surprised me and I told their editor that as well. This is just the latest example, but there a number of other publications that have done this as well of late. Yes, security companies that push reporters to be quoted about the latest unverified victim share some of the blame, but in the end it comes down to the reporter and/or editor not to perpetuate it.

    2. Joe

      It is sad when a good publication slides into sensationalism.

      I remember being a fan of IFLScience, but they got worse and worse over time. Now, its in the Conspiracy-Pseudoscience category.
      Even though they still have very accurate articles, even with the majority being well sourced, they allowed crap into their publication. It is a sign of a rotting editorial process.

      One or two bad articles aren’t going to destroy the reputation. But rather, allowing a consistent stream of bad articles will degrade it over time. Even if 99% are good articles, it destroys trust when a reader has to question if this article is one of the crap ones.

      It is important for readers and other journalists confront the editors immediately. Because if they don’t know they are slipping, they will continue.

  17. Jim

    A thought provoking article. Do you pay the ransom, and learn to back up, or, not pay and let them publish your data? As a capitalist with customers, why should I give a **** about my customers!! Like pt Barnum,there is one born every moment., And unfortunately, the next time you hear of that company or person again in the press, the real story is lost. It’s all sensation. The other press, does not give us much of the back story, you will hear the name, the crime, and only if it’s a high profile crime involved, will you hear of a punishment or reward. But, to bring a warning of bad systems, to hear ms,appl, and cute robots change your settings, to hear of the latest gang attack on, where do you go? A news station? The news web? Yahoo? Drudge? The list is long, they cover everything from the latest sighting of bat boy to promoting their agenda. But, tech? I don’t want agenda, I want facts. What really happened is worth real action on my part. Good job Krebs.

  18. Wi Chen

    Great article BrainKerb! Love your title

    These sensational seekers shouldn’t be calling themselves as cybersecurity company.

    Cybleinc, securityaffairs and bleeping computers stop your bs.

  19. Blob Andrews

    Fantastic article BrainKerbs, very timely! These PR machines of cybercriminals should revisit their strategy and stop selling ‘breach monitoring hoax’

  20. Wayne

    I have been brought in to work a lot more ransomware cases then I care to think about. I wish that none of these cases would have lead to a ransom being paid, but that is not how it has worked out.

    Yes, some of the victims should have had better security (blocking RDP and dealing with phishing would address over half of the cases I have seen), and better backups would have helped in many cases. But I advise against beating up too badly on the victims. I specifically cringe at the statements made over and over again that backing up would have make ransomware a non-issue. This is short sighted for multiple reasons.

    First, even with a threat actor wandering around your network and messing things ups, back ups are way too easy to screw up. I have sat in way to many meetings where I am told confidently that they have backups, only to meet again the next day and learn that the backups were not what they thought they were. Sometimes, they found out that the backups simply do not work, or that since they rebuilt some key servers (or added new important servers) they never adjusted the backup process to account for the changes. Or they moved to a high speed/low drag replication system to get rid of the old nasty tape back up system they used to use (only to find that everything in the replication is encrypted just like the original). And more and more frequently, even reasonable backup systems are being identified and destroyed by the threat actor prior to or during the process of encrypting their systems.

    Second, the role of keeping people out of your environment should not be so easy to screw up. The major players have had decades to create secure systems that do not require teams of people to avoid them from falling over, and they have not done it.

  21. Paul Mikol

    I agree with you Cyberhero Krebs – this seems to be an extension of the fact that here is a reason why responsible security-minded people do no not publish exploits before contacting the powers-that-be including the manufacturer of the hardware/software at risk of being exploited…

    Great article, thanks Brian!

Comments are closed.