Ransomware attacks — the scourge of businesses, schools, hospitals and other organizations — follow a familiar pattern. Shady criminals contact an organization, telling them their company or customer data has been breached, encrypted and/or exfiltrated. Pay us money, or we’ll publish your data. 

In 2022, some 41% of victims paid, according to cyber-intelligence firm Coveware, rewarding the extortionists for their efforts. (Payment is declining every year, down from 76% in 2019.)

That knowledge no doubt inspired lazier, less-skillful scammers into action. In the wake of ransomware attacks comes a new threat, which is… fake ransomware attacks. It’s just like a real attack, except the attackers are bluffing — they really don’t have the goods or the access to carry out their threats. 

The ransomware incident response company, Coveware, first identified the tactic in 2019. They call it “Phantom Incident Extortion.” 

Experts say we’re currently undergoing a new wave of fake extortion attempts, and it’s likely to continue. Fake attacks have the advantage for scammers of being vastly faster and easier and therefore can be committed at a massive scale by scammers without skills. Because of the ease of this attack, cybersecurity experts expect it to exist indefinitely. 

The “Midnight” Train to Extortion

A group that calls itself “Midnight” falsely presents itself as an actual ransomware gang, such as Silent Ransom or Surtr, in order to extort money from American companies. They send emails to the victim organization, claiming to have stolen hundreds of gigabytes of data. The attackers demand payment in exchange for not publishing the data (which they don’t actually have). In some cases, they threaten a catastrophic DDoS attack as well. 

“Midnight” isn’t alone. It’s just currently the best-documented example of how “Phantom Incident Extortion” plays out. 

How Fake Extortion Works

Because hacking is the hard part, fake extortionists replace breaching, encrypting and exfiltrating with shameless bluffing, which can be augmented by slights of hand. Here are some of the tactics: 

1. Show real data.

Malicious actors get their hands on some personal data through means other than breaching and exfiltration. For example, careless social media posters can overshare information about their relationship with a company, or threat actors can present publicly available data as stolen. That limited information can stand in for all customer data, which the attacker falsely claims to have stolen for the purpose of publishing if the victim doesn’t pay. 

2. Launch a DDoS attack.

DDoS attacks are easy to execute, and while it’s not easy to completely shut down an organization for long periods of time, a sudden rise in network traffic can accompany false claims that a network has been breached or is controlled by attackers. Or the threat of an easy DDoS attack may be added to increase the pressure to pay. 

3. Use malware to simulate encryption.

Some fake extortionists are using old-fashioned phishing attacks to trick users into installing a malicious payload. One real-world example is that attackers offer free pornography, which can be viewed by clicking on a link to a fake porn website. Clicking on the link downloads four executables and a batch file that copies the executable to the Startup folder. 

The malware finds all the data files it can and changes their names and extensions, then drops ransom notes saying that the victims have to pay or their files will never be unlocked. 

The malware then attempts to delete all system drives except the C:\ drive. 

The files aren’t actually encrypted. Only the filenames have been changed, and they’ll work fine if the names are changed back. 

The benefit of this con is that, instead of the hard work of breaching, encrypting and communicating with the victim, it’s an easy set-it-and-forget-it proposition where the bluff and demand are both fully automated. 

This attack generally aims at individual Windows user systems but is, in a way, worse than an actual ransomware attack. While only the filenames are changed, there’s no way to know the original file names. And when the attackers collect their ransom, they don’t follow up and restore the original filenames. They just take the money and run. 

4. Demand a low ransom.

One tactic common with fake ransomware attacks is an absurdly low ransom — in some cases, mere hundreds of dollars (payable in Bitcoin). 

The idea is that even if victims are pretty sure it’s a fake attack, the ransom amount is so low that they’ll pay in the spirit of “better safe than sorry.” 

The perpetrators’ “business model” is to make ransoms cheap but make up the difference in volume. 

How to Deal With Fake Ransomware Attacks

  1. Add knowledge about fake ransomware attacks to employee cybersecurity training. Emphasize anti-malware, anti-phishing and anti-social engineering understanding and techniques. 
  2. Conduct regular backups so ransomware attacks, both real and fake, can be remedied should they occur. 
  3. Maintain patches and security updates while using quality antivirus and anti-malware programs. 
  4. Embrace solutions like Security Information and Event Management to speed up remediation and threat discovery. 
  5. In the event of a ransomware attack, disconnect all connected devices and networks, then determine whether it’s real or fake. Look for tell-tale clues, such as low ransom demands, automated demands or files that are not really encrypted.

Understanding the growing scourge of fake extortion attempts means categorizing it not as a variant of ransomware but placing it into the buckets of malware, phishing and social engineering attacks. “Ransomware” is just the content of the con.

More from News

High-Impact Attacks On Critical Infrastructure Climb 140%

4 min read - Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years. Growing Threat to OT…

4 min read

AI Assistance Cuts Alert Triage Times in Half

4 min read - Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response. As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines…

4 min read

Congressman Proposes Act to Improve K-12 Cybersecurity

2 min read - When Iowa Congressman Zach Nunn served on the White House’s National Security Council, he witnessed the dramatic impact of cybersecurity incidents. Nunn became especially concerned about how cybersecurity crimes impact schools and their ability to educate students. He also realized how the growing threats have been making it easier to disrupt not only individual schools but entire school systems. “These are no longer attackers in basements or individuals who intend to do harm for a one-time profit,” Nunn told KGLO…

2 min read

Proven Methods to Prevent Human-Based Security Mistakes

4 min read - The most recent Verizon Data Breach Investigations Report reveals the human element continues to be a key driver of 82% of breaches, including social attacks, errors and misuse. Undoubtedly, human error generates massive security headaches. Meanwhile, the rate and cost of cyber breaches continue to climb. Why is it then that over half of employed people don’t have or don’t use security awareness training? Maybe security teams don’t believe in security training. Or maybe they don’t know exactly what kind…

4 min read