Another new ransomware gang is making waves with an unconventional structure, its unique pedigree and an early victim.
A coalition of researchers on Thursday explained what makes Groove, a gang that quietly emerged in July with a website, different: Namely, it eschews the traditional ransomware-as-a-service hierarchy in favor of an opportunistic pledge that they’ll work with anyone as long as there’s money to be made.
The researchers — from McAfee Enterprises, Intel 471 and Coveware — traced the group’s origins to a likely split with the Babuk gang, part of a trend of turmoil within extortion groups that use the ransomware-as-a-service (RaaS) model where affiliates get to use an outfit’s malware in exchange for sharing profits. For instance, a disgruntled former Conti affiliate recently leaked the group’s attack playbook.
Already, there’s evidence the researchers uncovered that Groove has worked with another ransomware gang, BlackMatter, that likewise recently emerged. That group is thought to be an updated version of DarkSide, a Russia-based group behind the attack against Colonial Pipeline in May.
This week, Groove leaked 500,000 Fortinet virtual private network passwords. Also on Thursday, its website suggested that it would soon “demonstrate its capabilities” on U.S. President Joe Biden.
Fortinet said it was aware of the leaked credentials, and said they were obtained from systems that hadn’t yet implemented a patch issued in May of 2019. That vulnerability led to a U.S. government alert as recently as April. Fortinet published a blog post on the leak Wednesday.
A hacker going by the handle “Orange” set up a website, RAMP, in June. Orange bashed the Babuk gang, claiming credit for any of Babuk’s success with a behind-the-scenes organization called Groove. The researchers found further digital evidence connecting Groove to Babuk.
Groove’s emergence comes not only as cracks are forming in the ransomware-as-a-service model, but also after a number of high-profile ransomware groups disappeared and some cybercriminal forums banned advertisements for the hacking method. Unhappy former ransomware affiliates and others appear to be drawn to Groove.
“For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling,” the researchers wrote.
“Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.”