Fake ransomware demands payment without actually encrypting files

Fake it till you make it ransomware groups are trying to get rich off the backs of genuine ransomware authors. Why are they “fake it till you make it”? Because they don’t actually create ransomware or compromise networks in any way. They’re simply lying through their teeth and hoping that recipients of their messages don’t realise until it’s too late.

As reported by Bleeping Computer, a group named Midnight has been using this tactic since at least March 16, and the organisations affected all seem to be located in the US. 

The battle plan of a fake ransomware group

The general approach is as follows:

  • Claim to be a different, genuine ransomware group. If the scammers claim to be some sort of obscure (but known) affiliate or spin-off, so much the better. The target will confirm the group exists with a quick Google search, but won’t be able to do much more beyond that.
  • Use a panic inducing email subject. “Notifying you about your business’s security case, we accessed your information” is one example given.
  • The bigger the theft claim, the better. They talk of accessing HR records, employee records, personal and medical data. In one “attack” 600GB of data was supposedly taken from business servers.
  • Targeting genuine victims by accident or design. Some businesses targeted by the fakers had indeed suffered a ransomware attack of some kind previously. Either the scare tactic mails are being blasted out to a large audience to see what comes back, or there is some deliberate targeting of organisations going on.

Nothing new, but potentially disastrous all the same

Fake mails are nothing new. 18 years of one 419 mail is as good an example as any. Send enough emails out and somewhere will fall for it eventually. The bogus ransomware extortion attempt even has a name, in the form of “Phantom Incident Scam”.

Even so, this is an area of attack where having a good response strategy for people hoping you’ll fall for a technology based lie is very effective. If your incident response consists of opening up one of these missives, panicking, and racing to pay fraudsters, it could end up being a very costly and needless mistake. Whether you’re aware of your organisation having had a genuine breach or not, someone on a chart as a point of contact for such an eventuality will come in very handy indeed.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

https://blog.malwarebytes.com/feed/