Cybercrime , Fraud Management & Cybercrime , Ransomware

Weaponized Lying: Unraveling RansomedVC's Business Strategy

Group Fakes Stolen Data, Has Ties to Ragnar Locker, Says Researcher Jon DiMaggio
Jon DiMaggio, chief security strategist, Analyst1

While ransomware groups rightly have a reputation for being morally and ethically bankrupt, many do play things straight with their victims. But RansomedVC is a notable exception. In some ways, it is "more dangerous" because of its expert ability to lie, according to researcher Jon DiMaggio.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Unlike larger groups, such as LockBit or Clop, with RansomedVC, "you just don't know what you're getting, or what you're dealing with, or whether you can trust them, because they lie often and they're so good at it," said DiMaggio, the chief security strategist at threat intelligence platform vendor Analyst1. "They are experts at using manipulation and media tactics to often claim that they've conducted attacks and have victim data they don't actually have."

As DiMaggio detailed in a new report, these lies have included regularly claiming to have crypto-locked victims' data, which it doesn't seem to have. In a case involving State Farm Insurance, RansomedVC claimed to have stolen customers' personal identifiable information, which multiple media outlets duly reported, but that appeared to be pure fabrication. In another case involving Japanese communications firm NTT Docomo, the ransomware group appears to have created an entirely fictitious set of stolen data, which it used to try and extort the victim.

This type of behavior might seem radical or foolhardy if it traced to a ransomware newcomer, DiMaggio said. But based on his discussions with both the group and its affiliates, he said the leader of RansomedVC, who went by the name "RansomedSupport" and now appears to use the handle "RaznatovicAdmin," appears to be a 40-something Bulgarian who previously worked with the Russian-speaking Ragnar Locker group, which was dismantled last October. Since then, the administrator appears to have rebooted RansomedVC - using the same infrastructure - as "Raznatovic," in apparent reference to a deceased Serbian gangster and suspected war crimes suspect.

In this video interview with Information Security Media Group, DiMaggio also discussed:

  • How the RansomedVC operation functions and the thinking behind its unorthodox approaches;
  • What drives ransomware players to speak directly to security researchers;
  • Takeaways for organizations hit by RansomedVC or its offspring.

DiMaggio has over 15 years of experience hunting, researching and documenting advanced cyberthreats. As a specialist in enterprise ransomware attacks and nation-state intrusions, he has exposed the criminal cartels behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks and shared his work at conferences such as RSA and Black Hat. In 2022, he authored "The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware and Organized Cybercrime," which received the SANS Difference Makers Award for cybersecurity book of the year.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.