
Ransomware Hoax Spins Disinformation in a New Direction

On August 22, 2021, the “new” ransomware group Groove emerged on RAMP, a nascent but fairly exclusive Russian-language DarkNet cybercrime forum, according to Krebs On Security. Per a RAMP moderator called “Orange,” Groove had been around for two years, focusing its activities on financially motivated industrial espionage. What drew attention, however, was Groove’s call to arms: a call on other extortion groups to attack U.S. interests after law enforcement shut down the group’s operations, following the hijacking of its DarkNet domains by an unknown entity. Notably, RAMP emerged after some individuals separated from the Babuk ransomware gang; “Orange” still operated Babuk’s TOR site and used it to launch RAMP. Per McAfee, Groove was intended to attract affiliate ransomware operators too unpredictable or too “toxic” for other groups and underground forums. Establishing its bona fides, Groove posted 500,000 login credentials for customers of Fortinet VPN products on its DarkNet blog.

However, what garnered substantial attention from the cyber security community was the publication of a missive by Groove on a Russian blog in which it requested the participation and cooperation of ransomware gangs to target the U.S. public sector. Of note, the blog acknowledged increased U.S. efforts to thwart the ransomware ecosystem as a primary catalyst for revenge and retribution. The blog cited the need for ransomware operators to avoid targeting Chinese organizations, as they would need a backup safe haven should Russia choose to stop providing cover for these criminal endeavors. The group was looking to recruit others for a fight.

At first blush, the idea of a nonstate actor taking on the United States seemed implausible. How could it not? Criminals were actively looking to create a confederation of like-minded groups not to make money but to get revenge against a cyber power. The United States had already identified ransomware as a national security threat. The Biden Administration has instituted several initiatives, including sanctioning cryptocurrency exchanges and imposing civil penalties on victims for paying ransoms to these criminals. The recent disruption of REvil operations further underscored the shift toward taking the fight to ransomware operators. If the attention of the U.S. law enforcement and intelligence apparatus was not enough, reporting indicates that other countries are getting into the mix: the United Kingdom’s signals intelligence agency GCHQ would be deploying hackers from the UK’s National Cyber Force to go after ransomware gangs. Add a joint 30-nation ransomware summit, and it is clear that a vast pool of government resources could be brought to bear against these groups, safe haven or not.

Notwithstanding, Groove’s call appears to be a hoax, at least according to one prominent cyber security blog. Per the blog, Groove’s DarkNet presence disappeared, and an “established” cyber-criminal using the handle “Boriselcin” allegedly created Groove in order to dupe the media and security industry. What’s more, the actor had been planning it for several months, crafting a clever ruse that played on the fears of ransomware that has proven a global scourge, impacting most if not all industries in the private and public sectors. It turns out the ultimate target of this narrative was not the United States, but the larger media and security community overeager to break stories and boost their own credibility. If Boriselcin’s claims are true, it appears egg is on their faces.

Since the hoax angle emerged, there seems to be an ongoing discrepancy about it. When Groove issued its call to arms, at least one security researcher opined that the group was not a significant threat based on the limited number of victims on its data leak site, an interesting criterion on which to judge overall capability. Another security company now believes that Groove is legitimate because Boriselcin is a credible presence in the underground; his ransomware operation just wasn’t successful. That too is an interesting conclusion about an actor with an impressive reputation and “ties to several ransomware gangs.” It seems that people cannot refrain from commenting before understanding the full picture. This is not to say they are not correct in their determinations, but they appear to have been made quickly, on circumstantial evidence.

This leads us back to Boriselcin’s initial claims. Boriselcin may just be an experienced criminal who knew how to tell a story that would be eaten up and propagated throughout the global cyber security community. But that has value, especially in a climate where misinformation and disinformation are disseminated by nation-states, nonstate entities, political groups, ideologues, and anyone with a platform and an Internet connection. Framed in this context, what does this test case of “Cry Wolf!” tell us about how the cyber security news cycle works? Knowing how to manipulate it, and how to take advantage of the trust relationship between producers of this information and its consumers, just might be in a cyber-savvy nation state’s interest. And that seems to be a playbook worth exercising before it’s used in prime time.


Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.