After the notorious Grief ransomware group added the National Rifle Association to its public list of victims, messages about the breach were reportedly amplified by a network of fake Twitter accounts. While it's still unclear if the network is connected to Grief, experts worry it could mark the beginning of information campaigns being added to the ransomware arsenal.
Ransomware actors often use a collection of stressors to squeeze every dime of profit out of their work. Beyond encrypting files, actors encourage victims to pay ransoms by threatening to leak files and launching simultaneous DDoS attacks. Last week, the Conti group started selling victim data rather than merely posting it, to monetize even the breaches where ransoms were not paid. And it isn't out of the ordinary for ransomware groups to try to embarrass companies into paying by contacting the media or a victim's clients.
"The amount of money they're making off of these negotiations and settlements is astounding," said Tom Richards, co-founder and chief strategy officer of GroupSense, a security firm with a prominent ransom negotiation practice. "So why wouldn't they, as entrepreneurs, invest a few thousands more for an amplification campaign, which is going to probably get picked up by the media, but also spread faster than the media stories might do to motivate their victim into paying?" News of the fake Twitter accounts was by the Daily Beast.
Information operations, a term often used in the military for tactics that include the dissemination of propaganda in pursuit of a competitive advantage, would offer a new mechanism for that embarrassment, something Richards said can be effective. He has seen third-party attention force victims to scramble to make deals just to get it to stop.