Threat Actor Claims 'Groove' Ransomware Gang Was Hoax

A Russian-speaking ransomware ‘group’ which called on rival entities to join forces in targeting the US government may have been a social engineering experiment designed to toy with Western media, it has emerged.

The so-called “Groove” collective published a post on October 22, exhorting its “business brothers” to “stop competing, unite and begin to destroy the US public sector,” according to threat intelligence firm, Flashpoint.

“In its October 22 post, Groove called for a fight against Russian and FSU infosec companies who are ‘being sold to the Americans’ and warned against attacking China and Chinese-affiliated entities with whom Russian-speaking threat actors should maintain friendly relations,” it said.

“Earlier on the same day, Groove posted a list of logins and passwords that were supposedly the VPN credentials of the Hagerstown, Maryland Police Department, although it is unclear if these credentials are viable. Additionally, the Groove mastermind claimed to have access to several other undisclosed police departments.”

A single actor, dubbed “Boriselcin,” soon after claimed that Groove was just an experiment they alone dreamt up to “check whether it was possible to manipulate the Western media through a ransomware blog.”

However, other researchers argued that Boriselcin may have thought up the hoax narrative because their original plan didn’t work out.

“This individual is a well-known member of the Russian-language cybercrime community with ties to a number of ransomware gangs and in August offered $1000 for someone to design a ransomware victim-shaming blog for Groove,” Intel 471 said in a statement send to Infosecurity.

“We are skeptical of the claims raised by the actor that Groove was an elaborate hoax from the beginning, although we wouldn’t be surprised to see further claims by the actor claiming this in future.”

If nothing else, the incident highlights the fluid and at times disorienting nature of the cybercrime underground.

What’s Hot on Infosecurity Magazine?