On October 22, the Groove ransomware collective called on its “business brothers” to “stop competing, unite and begin to destroy the US public sector.” Shortly thereafter, the threat actor behind Groove Ransomware, whose alias is “boriselcin” or “Orange,” released a statement in which they highlighted the “hoax” behind the Groove ransomware: It was never about holding organizations ransom; it was a social engineering experiment.
The author of all posts on Groove’s blog claims that it’s a one-person operation. Furthermore, the threat actor affirms that “Groove gang doesn’t exist” and that the goal of the project was to “check whether it was possible to manipulate the Western media through a ransomware blog.”
Additionally, the threat actor behind Groove Ransomware adds a brief review of the affiliate programs they partnered with after Babuk split up in May 2021, noting “it is better to work with… LockBit, Hive and BlackMatter” and calling the Hello Kitty, Conti, and Nefilim Ransomware collectives “extremely shady guys.”
In its October 22 post, Groove called for a fight against Russian and FSU InfoSec companies who are “being sold to the Americans” and warned against attacking China and Chinese-affiliated entities with whom Russian-speaking threat actors should maintain friendly relations.
Earlier on the same day, Groove posted a list of logins and passwords that were supposedly the VPN credentials of the Hagerstown, Maryland Police Department, although it is unclear if these credentials are viable. Additionally, the Groove mastermind claimed to have access to several other undisclosed police departments.
This is not the first time that Russian-speaking threat actors have created false impressions in the media about their goals or capabilities. In 2020, in the run-up to the US presidential election, a user of XSS shared a publicly available voter database on the forum, which was interpreted by a Russian newspaper and consequently by some Western media outlets as potential election meddling.
Mocking Western media outlets and reporters is a constant fixture of the conversation on top-tier illicit forums. Recent developments around the REvil ransomware collective and ongoing talks between the US and Russia on cybersecurity have led to fears that Russian authorities may cooperate with US law enforcement against certain cyber threat actors in order to achieve concessions in other fields.
However, Flashpoint analysts assess with moderate confidence that most ransomware collectives remain motivated primarily by financial gain. Flashpoint analysts are tracking the situation and will provide updates as necessary.