The 'Groove' Ransomware Group Was a Fraud

In September, several media warned about the advent of "Groove," a new ransomware group that urged rival extortion gangs to band together to attack US government interests online.

Groove looks to have been a large-scale fake intended to fool security firms and media.

What is Groove?

Groove was first announced on RAMP, a new and relatively exclusive Russian-language darknet cybercrime forum, on August 22.

In the first week of September, Groove published approximately 500,000 login credentials for customers of Fortinet VPN products, including usernames and passwords that could be used to access vulnerable servers on its darknet blog remotely.

According to Fortinet, the credentials were gathered from systems that hadn't yet installed a May 2019 patch.

GROOVE is, first and foremost, a financially driven criminal group that has been engaged in industrial espionage for nearly two years. Let's be clear: we don't do anything without reason so that this contest will benefit us the most at the end of the day.

RAMP's administrator "Orange" wrote in a post inviting forum members to enter a competition to design a website for the new group.

"In our difficult and troubled times, when the US government is trying to fight us, and I urge all partner programs to stop competing to unite and start to destroy the Russian sector of the United States, to show this dementia old man who is the boss who is the boss and will appear on the Internet while our boys were dying on mini ports Sachiko from rude alibi squeezed his own ... but he was rewarded with higher and now he will sit for treason, so let's help our state fight such ghouls as cybersecurity firms that are sold to gamers, like US government agencies, I urge you not to attack Chinese companies. After all, where do we need to worry if our homeland suddenly turns away from us only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE US RUN UP ALL NIGS see and FU** this FUCK** BAIDEN IN EVERY GREATER, I will personally make an effort to this"

McAfee's Report about this Ransomware!

According to a McAfee report, Orange launched RAMP to appeal to ransomware-related threat actors who had been kicked out of major cybercrime forums for being too toxic or to cybercriminals who had been short-changed or stiffed entirely by various ransomware affiliate programs.

According to the report, RAMP arose from a feud between members of the Babuk ransomware gang, and its members were likely linked to another ransomware group known as Backmatter.

[McAfee] thinks, with high confidence, that the Groove gang is a former affiliate or subset of the Babuk gang, eager to engage with other parties for financial advantage,

according to the study.

As a result, a link to the Backmatter gang seems likely.

Says McAfee.

Groove just trolled Security and Media researchers!

While it's possible that a single actor created Groove to troll security researchers and the media, cyber intelligence firm Intel471 believes it's more likely that the actor's attempt to form their ransomware group didn't go as planned.

It's also important to remember that any Ransomware-as-a-Service gang's identity and nature aren't always clear, and the membership makeup or affiliates of these gangs can be fluid.

Despite this, we believe "boriselcin" operated the Groove blog and the RAMP forum, based on our research from multiple sources, which includes but is not limited to observations of shared infrastructure and victimology.

This person is a well-known member of the Russian-language cybercrime community with ties to several ransomware gangs, and he offered $1000 in August for someone to design a Groove ransomware victim-shaming blog.

We are skeptical of the actor's claims that Groove was an elaborate hoax from the start, though we wouldn't be surprised if he makes more claims like this in the future.

The Fraud and its short Existence

Groove only listed a few victims on its darknet victim-shaming blog during its brief existence, leading some to believe the group wasn't much of a threat.

When a cybercriminal forum or business is discovered to be a hoax or a scam, we usually learn that it was all part of a sting operation carried out by federal investigators from the United States and/or other countries.

Perhaps the reason we don't see more scams like Bricklin's is that there isn't much money involved. That isn't to say that his cynical ruse doesn't have a larger purpose.

Several ransomware gangs have reinvented themselves and rebranded in recent years to avoid prosecution or economic sanctions.

From that perspective, anything that creates confusion and diverts media and security industry attention away from real threats is a net plus for cybercriminals.

Groove is a low-level actor with few skills.