Cyber criminals traditionally and understandably shied away from publicity, but over the past few years, ransomware gangs have inverted this longstanding trope and are now actively courting journalists as they seek to influence and control the flow of information about their activities, put pressure on victims to cooperate, and even attract new gang members and affiliates.
This is according to a whitepaper published by researchers at Sophos, who have been tracking several of the world’s most notorious cyber extortion operations as they try to seize on the opportunities that a good review in the right newspapers can offer them.
Christopher Budd, director of Sophos’ X-Ops team, told Computer Weekly he became interested in how cyber criminal gangs are abusing the information space during the September 2023 Las Vegas casino hacks, which he described at the time as “the Ocean’s 11 of the cyber age”.
“One of the things in watching that that occurred to me is that it’s apparent that at least some of these groups are looking to operate not just in the technical space, but in the information space as well,” said Budd.
Among other things, some crews have been observed providing journalists with lists of frequently asked questions (FAQs), publishing press releases, encouraging reporters to get in touch, offering in-depth interviews with trusted writers, and even recruiting English speakers to write for them. Others have hit out over what they perceive as inaccurate coverage, criticising reporters for not getting their facts right.
Budd said that such engagement offers both a tactical and a strategic advantage: it lets the gangs proactively shape the narrative and apply pressure to their victims, while inflating their notoriety and egos and feeding their own vainglorious personal mythologies. Ultimately, though, he observed, the objective is simple: making sure they get paid.
“At this point in time, these groups are well-organised, they’re basically businesses. The goal is to make money, so what can they do to make money more efficiently and more effectively?” said Budd. “Legitimate businesses figured out long ago that there are tactics in the information space that help to raise their visibility, help raise brand awareness, and motivate people to engage with their product. And everything I said there you can apply to cyber criminals.”
One tactic that legitimate businesses also deploy when dealing with the media is to attempt to control narratives and storylines by correcting perceived factual inaccuracies, and ransomware gangs are enthusiastically adopting this ploy.
During the Las Vegas attacks, the threat actor behind the intrusions hit back at what they claimed was inaccurate coverage by some outlets by publishing a 1,300-word article explaining how they had compromised the victim's systems. In its technical scope, this feature-length piece resembled the write-ups produced by legitimate threat research teams.
“They provided, essentially, a research posting that in many ways mirrors the type of postings my team does and that other security companies do,” said Budd. “You have to respect the quality of the technical detail that they provided in that it was, by industry standards, a solid write-up.
“It does highlight that the kind of information sharing we as an industry have been doing for years is the right thing to do, because it tells people what’s happening and what they need to know. But in this case they [also] released that information as an exercise to show that they knew what they were talking about. It was a communications tactic done to show their credibility and to assert control over the narrative in the information space.”
For defenders, this raises new concerns, said Budd. Historically, incident response has been a largely technical job, a cat-and-mouse game of move and counter-move. Now that game is also playing out in the information sphere, and security practitioners, who are not public relations professionals, may find themselves ill-equipped to respond.
As such, he explained, victim organisations can no longer count on being the sole source of truth about a cyber attack when their attacker is prepared to be open about what they did. Nor can they get away with statements that no data was compromised when the attackers can readily expose that as a falsehood.
“What this means in practical terms is if you’re a breached organisation, your ability to control the narrative is now much more complicated because if you say you weren’t breached, the attackers have shown a willingness to say no, in fact you were, and here’s the proof,” said Budd.
“Organisations, as part of their planning for incident response, need not only good technical responses, but they need good communications responses.”
The responsible cyber reporter
For journalists covering the cyber security space, the increased willingness of ransomware gangs to proactively engage with the media is, at face value, welcome. What could be a more valuable scoop than an on-the-record interview with the cyber criminal at the heart of a big story?
But engaging with the cyber criminal ecosystem in this way raises tricky ethical and philosophical questions, similar in nature to those faced by other reporters who must deal with sensitive subjects. Consider, for example, the growing political polarisation in the UK and other countries, which has seen reporters criticised for their coverage of far-right activists.
The Sophos X-Ops team has provided a number of recommendations that those covering cyber security issues, whether as well-informed observers, expert bloggers, freelance or paid staff journalists, can adopt to report openly on ransomware gangs while doing their utmost to deny them the oxygen of publicity.
- Refrain from engaging with threat actors unless it’s in the public interest or provides actionable information and intelligence for defenders;
- Provide information only to aid defenders, and avoid any glorification of threat actors;
- Support journalists and researchers targeted by attackers;
- Avoid naming or crediting threat actors unless it’s purely factual and in the public interest.