{"id":7197,"date":"2025-02-04T13:40:10","date_gmt":"2025-02-04T19:40:10","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/cybercriminals-traitorous-insiders-ransom-notes"},"modified":"2025-02-04T13:40:10","modified_gmt":"2025-02-04T19:40:10","slug":"cybercriminals-court-traitorous-insiders-via-ransom-notes","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/04\/cybercriminals-court-traitorous-insiders-via-ransom-notes\/","title":{"rendered":"Cybercriminals Court Traitorous Insiders via Ransom Notes"},"content":{"rendered":"
<\/a><\/div>\n

Ransomware actors are utilizing a previously unseen tactic in their ransomware notes: posting advertisements to solicit insider information.<\/span><\/p>\n

Researchers at the GroupSense threat intelligence team shared their findings with Dark Reading, including screenshots of the strategies these gangs are using. Groups including Sarcoma and another syndicate believed to be impersonating <\/span>LockBit ransomware<\/a><\/span>, known as DoNex, have adopted the strategy, the firm noted.<\/span><\/p>\n

Part of one ransomware note includes the usual details stating that the company is in critical condition, its backups destroyed, and databases exported. Farther down in the message, however, the group states: “If you help us find this company’s dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us.”<\/span><\/p>\n

\"Sarcoma-advertisement.jpg\"<\/p>\n

A ransom note from Sarcoma group. source: GroupSense<\/p>\n<\/div>\n

In a different ransom note, the threat actors write: “Would you like to earn millions of dollars $$$ ?\u2028 Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.\u2028 You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc.\u2028”<\/span><\/p>\n

Related:<\/span>Fake Videos of Former First Lady Scam Namibians<\/a><\/p>\n

\"Lockbitdupe-advertisement[18].jpg\"<\/p>\n

A ransom note from a threat group impersonating LockBit. Source: GroupSense<\/p>\n<\/div>\n

The threat actors then go on to detail how those who are interested can open their letter and launch a virus on their work computer. The communication is done through Tox messenger so that the users privacy is “guaranteed.”<\/span><\/p>\n

Kurtis Minder, CEO and founder at GroupSense, notes that the company sees a variety of ransom notes in the course of incident response, however, it’s only been this past week that its researchers have noticed the “pseudo advertisements” at the bottom of these notes.<\/span><\/p>\n

“I’ve been asking my team and kind of speculating as to why this would be a good place to put an advertisement,” says Minder. “I don’t know the right answer, but obviously these notes do get passed around.” He notes that these threat actors may maintain a “why not” attitude toward incorporating such ads into their ransom notes. And when one ransomware actor starts a new tactic, the rest are quick to follow.<\/span><\/p>\n

But for any individuals interested in taking up such an offer from cybercriminals, it’s better to be safe than sorry.<\/span><\/p>\n

“These folks have no accountability, so there’s no guarantee you would get paid anything,” Minder adds. “You trying to capitalize on this is pretty risky from an outcome perspective.”<\/span><\/p>\n

GroupSense continues to look through past ransom notes to find any earlier indication of the trend, and Minder says he expects to find more ads in addition to those already discovered.<\/span><\/p>\n

Related:<\/span>Lynx Ransomware Group ‘Industrializes’ Cybercrime With Affiliates<\/a><\/p>\n

The news comes as <\/span>ransomware activity continues to grow<\/a><\/span>, with cyberattackers raking in hefty profits despite a rash of law enforcement actions over the course of the past year.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Ransomware actors are utilizing a previously unseen tactic in their<\/p>\n","protected":false},"author":12,"featured_media":7198,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-7197","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/cybercriminals-court-traitorous-insiders-via-ransom-notes.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7197"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7197\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/7198"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}