In the past, threat actors were not interested in engaging with journalists. They preferred to stay under the radar and avoid attention. However, with the rise of ransomware gangs, this dynamic has changed. Ransomware has become increasingly commoditized and professionalized, leading to a new breed of threat actors who actively court media attention. These ransomware gangs have embraced media engagement as a way to apply pressure on their victims and shape the narrative surrounding their activities. They write FAQs for journalists, give interviews, and even recruit writers. While this relationship is not always harmonious, with some threat actors disputing journalists’ coverage and insulting reporters, it has significant implications for both the wider threat landscape and individual targets.
Sophos X-Ops conducted an investigation into ransomware leak sites and underground criminal forums to understand how ransomware gangs leverage the media to control the narrative. They found that these threat actors are aware of the newsworthiness of their activities and actively seek media attention. Some ransomware gangs link to existing coverage on their leak sites to bolster their credibility. Others directly solicit journalists by offering to share information on private PR channels. Some even give interviews to present a positive perspective on their activities and potentially recruit new members. On the other hand, some threat actors are hostile towards inaccurate coverage and insult publications and journalists.
Ransomware gangs are also professionalizing their approach to press and reputational management. They publish press releases, create slick graphics and branding, and seek to recruit English writers and speakers. This concerted effort to control the narrative and increase their notoriety has significant implications for the security community and the media. To counteract these efforts, Sophos X-Ops suggests refraining from engaging with threat actors unless it is in the public interest or provides actionable information for defenders. Information should be shared only to aid defenders and should avoid glorifying threat actors. The security community should support journalists and researchers targeted by attackers and avoid naming or crediting threat actors unless necessary.
Ransomware gangs leverage the media to bolster their credibility and exert pressure on victims. They actively solicit journalists and collaborate with them to share information before it is officially published. Some threat actors maintain FAQs for journalists and even threaten to send data to the media if victims do not pay. This multi-pronged weaponization, including publicity, lawsuits, and regulatory obligations, is used to further pressure victims, and raising the specter of media interest adds to that pressure. Ransom notes often contain threats that data will be spread to the media, while some ransomware gangs maintain minimalist leak sites that list their victims without direct appeals for payment.
In conclusion, ransomware gangs have embraced media engagement as a strategic tool to apply pressure to their victims and shape the narrative surrounding their activities. This has significant implications for the wider threat landscape and individual targets. By understanding how these ransomware gangs leverage the media, the security community and the media can take steps to deny them the oxygen of publicity they seek. Refraining from engaging with threat actors, providing information only to aid defenders, and supporting targeted journalists and researchers are some of the actions that can be taken to counteract these efforts.