After the notorious Grief ransomware group added the National Rifle Association to its public list of victims, messages of the breach was reportedly amplified by a network of fake Twitter accounts. While it's still unclear if the network is connected to Grief, experts worry it could mark the beginning of information campaigns being added to the ransomware arsenal.
Ransomware actors often use a collection of stressors to squeeze every dime of profit out of their work. Beyond encrypting files, actors encourage victims to pay ransoms by threatening to leak files and launching simultaneous DDoS attacks. Last week, the Conti group started selling victim data rather than merely posting it, to monetize even the breaches where ransoms were not paid. And it isn't out of the ordinary for ransomware groups to try to embarrass companies into paying by contacting the media or a victim's clients.
"The amount of money they're making off of these negotiations and settlements is astounding," said Tom Richards, co-founder and chief strategy officer of Groupsense, a security firm with a prominent ransom negotiation practice. "So why wouldn't they, as entrepreneurs, invest a few thousands more for an amplification campaign, which is going to probably get picked up by the media, but also spread faster than the media stories might do to motivate their victim into paying?" News of the fake Twitter accounts was by the Daily Beast.
Information operations, which is a tactic often referenced in the military that includes the dissemination of propaganda in pursuit of a competitive advantage, would offer a new mechanism for that embarrassment — something Richards said can be effective. He has seen third-party attention force victims to scramble to make deals just to get it to stop.
There may be reasons that this kind of approach would not be broadly used. Attention and labor are limited resources that ransomware actors need to ration out.
"I'm not sure how often they can use this sort of strategy; for every client definitely," said Maria Gershuni, global intelligence analyst at Flashpoint. "I think this might be for something high profile. Creating and maintaining networks does seem rather labor intensive."
A lot goes into making fake Twitter accounts seem lifelike. The better the grift, the more time it takes.
The Daily Beast reported that many of the accounts were not created with much realism in mind. Many still had the default image as profile picture or had no followers outside the network. No one has attributed the Twitter accounts to any nation or group, though some had tweeted about prior Grief announcements in the past. The accounts have since been taken down.
The NRA case adds an additional wrinkle: There may be sanction implications dealing with the group Grief. Grief is an offshoot of the DoppelPaymer ransomware group that evolved from EvilCorp, said Gershuni. EvilCorp is sanctioned for connections with the Russian government, including for ransom payments.
"The fact that the NRA's ransomware event is being amplified, I think, will motivate the NRA, and that is very likely the intent for the grief group. But I don't know whether or not grief realizes it might actually complicate things for the NRA significantly," said Richards.
Grief's connection to EvilCorp has created a lot of speculation about what the NRA will do. Not paying the ransom could mean the leak of the organization's most tightly held secrets. Paying the ransom would violate sanctions, and it would be readily apparent if Grief's did not leak the files.
If the NRA did pay, they would be counting on Grief not to indefinitely extort them for violating sanctions. Richards said that might be a good bet. Ransomware is a reputation-based business, and actors might have more to lose in the long run by crossing the NRA. For entrenched groups, moving on might be in their best interest.
"Ransomware groups are kind of like chain restaurants. They're all about turnover. You sit down, they've got it mastered. You know that you're getting your drink in 42 seconds and you're being asked if you'd like it after one bite. Ransomware groups, too — All about turnover and just cashing in," said Richards.