iTWire has been told that an individual claiming to be behind the Groove website on the dark web made the claim in a post on a dark web forum.
A reporter for The Record, a site set up by the CIA-backed Recorded Future, published a number of tweets about the fictitious gang, drawing on published reports by Bleeping Computer, an American site that devotes a great deal of coverage to ransomware groups.
Catalin Cimpanu wrote on 23 October: "... the Groove (former Babuk) gang called on other ransomware groups to attack the US government and US critical targets as revenge for the REvil takedown."
Brian Krebs, a former employee of the Washington Post, published a report on his website, but did not cite any sources.
iTWire wrote about Groove after ransomware researcher Brett Callow from the security firm Emsisoft tweeted out a translation of a post threatening to attack Ukrainian entities for the extradition of Glib Oleksandr Ivanov-Tolpintsev (28, of Chernivtsi, Ukraine) over alleged conspiracy, trafficking in unauthorised access devices, and trafficking in computer passwords.
Groove was also mentioned in a story about the gang known as BlackMatter (formerly Darkside) moving some of its gains from ransomware attacks.
Cimpanu went further, saying: "I wouldn't take this call too seriously, Groove are low-tier actors with few skills."
The call he was referring to was one made by the fictitious Groove gang to attack US interests.
"But still, it shows that ransomware gangs have taken notice of the US' ability to simply take their servers and, in some cases, unprotected wallets (funds) if they get too annoying," Cimpanu added.
Bleeping Computer even published a translation of the rant by Groove.
But by far the biggest noise about Groove was made by security firm McAfee, which ran a post on 8 September headlined: "How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates."
The post, by its researchers Max Kersten, John Fokker and Thibault Seret, read: "McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup.
"These cyber criminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritised control of the ransomware itself."
Intel471, another security firm which often posts about what it calls the increasing threat from ransomware, also carried the same post that appeared on the McAfee site. Coveware, a security company that helps in ransomware negotiations, was also part of the group that swallowed the alleged hoax.
Asked for his response to the claim about Groove being bogus, Callow said: "It's really impossible to say whether the individual or individuals behind Groove were attempting to spin a line to security companies and reporters or whether they were actually attempting to recruit affiliates.
"Put another way, there's no more or less reason to believe the current forum posts than there is the older website posts. Either could be true, or either could be bullshit.
"At the end of the day, ransomware actors will only say things they believe to be in their best interests, and very often those things will not be true."