Fake extortionists are piggybacking on data breaches and ransomware attacks to threaten American businesses with publishing or selling allegedly stolen data unless they get paid. Sometimes, the perpetrators also threaten victims with a Distributed Denial of Service (DDoS) attack if they do not follow the instructions. The attackers use the alias Midnight and have been targeting American businesses since at least March 16. They have also claimed to steal hundreds of gigabytes of critical data while posing as other ransomware gangs in emails. In one incident, the threat actors claimed to be the Silent Ransom Group (SRG). The SRG, also known as Luna Moth, is a branch of the Conti syndicate that specializes in data theft and extortion of the victim. However, a different threat actor known as the Surtr ransomware gang was referenced in the subject line of the same email message. According to corporate investigation firm Kroll, starting on March 23 organizations began submitting more reports of emails received from the Silent Ransom Group. The authors utilize the names of well-known cybercriminals to scare and give legitimacy to the threat.
The increased number of emails sent in the weeks leading up to March 24 and the fraudulent emails sent by the Midnight group impersonating Surtr and SRG are both supported by a new report from incident response company Arete. The incident responders noticed that Midnight specifically targeted businesses that were victims of ransomware attacks in the past. According to Arete’s experts, the earliest attackers included QuantumLocker, aka DagonLocker, Black Basta, and Luna Moth. Although the method of victim selection is unknown, they might use publicly accessible materials. However, Arete noticed that threat actors were able to identify some ransomware victims even when the information was not accessible publicly. Presumably, this indicates cooperation between the gang and the initial intruders. Ransomware criminals also sell the victim’s data even if they get paid. The Midnight group might learn about ransomware victims if they have access to markets and forums where this data is bought and sold.