The week ransomware hackers played head games

Two ransomware actors injected confusion into this week's cybersecurity news with scams, headfakes and likely outright fabrications.


Image created with Stable Diffusion.

Update: Since we wrote this post, the second group that played head games with us last week (see below), Mogilevich, outright admitted it was a scammer, saying, “None of the databases listed in our blog were as true as you might have discovered recently. We took advantage of big names to gain visibility as quickly as possible, but not to fame [sic] and receive approval, but to build meticulously our new trafficking of victims to scam.” As of 6 am ET on March 3, 2024, its leak site was not accessible.

At Metacurity, I try to weed out confusing, unsubstantiated, and poor-quality news reports. Still, this week has proved a challenge, given what have likely been several false maneuvers and outright fabrications by two ransomware players.

First, as we covered in our newsletter this morning, the LockBit gang, ostensibly reconstituted in some form after a severe smackdown by the FBI and international law enforcement authorities, moved up its payment deadline for Fulton County to 8:39 a.m. on February 29 instead of March 2. The group said that unless the ransom was paid, it would release the data it stole in its late-January attack, which affected a host of critical services across the county.

The files stolen by LockBit might also have posed potentially disastrous political ramifications given that one of Donald Trump's criminal federal trials is run by the Fulton County DA. In a rambling statement, LockBit said that "the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election."

The deadline came and went, and Fulton County was removed from the gang's leak site. During a press briefing after the deadline passed, Fulton County Commission Chairman Robb Pitts said that the county had not paid any ransom to LockBit, nor had any ransom been paid on their behalf. No data had been released at that point either.

These dramatic developments followed other, earlier confusing signals related to the Fulton County breach. The hackers originally set the deadline for 12:47 on February 16 and, when that deadline had passed, removed Fulton County from their breach site, leading to speculation that the county had paid the ransom.

Four days later, the US and its partners announced a total gutting of the LockBit operation. (Brian Krebs has an excellent timeline of these events and flags a conversation he had with the gang's leader, LockBitSupp, who told Krebs up until the time of the February 29 press briefing that Fulton County had paid the ransom).

The reasons for the varying deadlines and statements are unclear, but "The first point is that ransomware operators are not to be trusted," Brett Callow, threat analyst at Emsisoft, told me. Callow speculates that "LockBit lost access to the data due to the [law enforcement] disruption, and they are now trying to scam some money out of Fulton County, hoping that Fulton hasn't yet worked out that they no longer have the data."

"They probably aren't thinking too clearly at the moment," he added. "And with a 15 million buck bounty on their heads, for that amount of money, their family and friends would be willing to knock them out and drag them across the border. It's desperate times. Their multimillion-dollar empire is spiraling down the toilet, and there are significant threats to that freedom. If I were a cybercriminal, I would not want to partner with them. I would not want to partner with any operation that had been compromised by law enforcement."

The second ransomware "group" playing head games this week was far less of a threat and much more likely a plain old-fashioned scammer.

Four head-fakes in February involving sophisticated targets

One startling ransomware story this week involved an alleged ransomware attack on gaming giant Epic Games, the developer of Fortnite and other leading gaming titles, which garnered dozens of stories and social media postings. The hacker involved is a little-known ransomware actor called Mogilevich, of suspected Russian origin.

The threat actor's name evokes Russian organized cybercrime boss Semion Yudkovich Mogilevich, who is on the FBI's most wanted list for his role in a multi-million dollar scheme to defraud thousands of investors in the stock of a public company incorporated in Canada but headquartered in Newtown, Bucks County, Pennsylvania, between 1993 and 1998. The United States Government is offering a reward of up to $5,000,000 for information leading to Mogilevich's arrest.

But, despite the purported hacker Mogilevich's claim that he had contacted Epic Games for payment, the company denies it. The company also said there is "zero evidence" that its systems had been hacked or that 189GB worth of data was stolen, as Mogilevich claims.

Mogilevich also claims they hacked Ireland's Department of Finance (DFA) and stole 7GB of data. DFA also denied the hacker's claim, saying, "At this point, there is no evidence of any breach of DFA ICT security infrastructure."

Unlike the hugely successful LockBit, Mogilevich appears to be a one-person operation that engages in trying to scam victims for a quick buck. "Anyone can throw up an onion site very quickly, post data from other data dumps, and claim to have breached companies that they haven't breached," Callow told me. "They appear to be scammers. There appears to be absolutely no substance at all behind their claims."

From Mogilevich’s leak site.

Since February 20, Mogilevich has also claimed a hack of Infiniti USA and offered for sale the 22GB it says it stole from the company. On February 25, the hacker also claimed to have hacked BazaarVoice, a publicly traded, leading platform connecting brands and retailers with their customers, and to have stolen 30GB of data from it. A search of the Securities and Exchange Commission's database shows no reports of a data breach for BazaarVoice.

In the latest installment on its breach site, Mogilevich claims a hack of the Bangladesh Police involving the theft of 13GB of data. (I contacted the Bangladesh Police for comment but heard nothing back.)

Callow thinks the person or persons behind Mogilevich may be the same actors who were behind Ransomed.vc. This mostly attention-seeking group boasted of hacking Sony, a supplier to Colonial Pipeline and others, and the alleged victims said they had not actually been hacked.

Given the amateurish nature of its breach site and its decided lack of a track record, it's puzzling why Mogilevich would think well-established and presumably sophisticated organizations such as Epic Games or Infiniti USA (which has a hotline for car owners to report cybersecurity issues) would even fall for the scams. "They're probably not even a group," Callow says. "It's probably just one idiot."

p.s. I will return to my sleuthing of the SEC’s SIM swap attack next week.
