Thursday, 04 November 2021 08:23

Groove gang fraud claim appears to have come from security firm


A blog post published by the security firm Flashpoint on 22 October appears to have been the starting point for the claim that a supposedly new ransomware gang Groove was a hoax and one designed to make both security firms and the media look foolish.

Flashpoint said in the anonymous post: "On October 22, the Groove ransomware collective called on its 'business brothers' to 'stop competing, unite and begin to destroy the US public sector'.

"Shortly thereafter, the threat actor behind Groove Ransomware, whose alias is 'boriselcin' or 'Orange', released a statement in which they highlighted the 'hoax' behind the Groove ransomware: It was never about holding organisations ransom; it was a social engineering experiment."

This statement appears to have been fed to some media outlets, as iTWire can best judge. At least one among them, a site run by former Washington Post employee Brian Krebs, used a sizeable amount of information from the post, but did not acknowledge the source.

Flashpoint is a competitor to both McAfee and Intel471, both of which took the Groove gang seriously, as iTWire pointed out in a report on Wednesday, which acknowledged the fact that we also gave the Groove group some publicity.

Somewhat surprisingly, the Flashpoint post included a link to an earlier post headlined "REvil Continues Its Reemergence, Joins Groove-led RAMP Forum", about the re-appearance of the REvil ransomware group in July. That post actually gave some credibility to the claim that Groove was an actual ransomware gang.

REvil was allegedly attacked by a number of law enforcement groups and disappeared from the dark web in the third week of October. It had earlier disappeared in May but re-appeared in July.

Another site, Data Breaches, took something of a middle path about Groove, saying it was more likely that the group was reframed as a hoax, when its attempts at ransomware operations were not successful.

This "hypothesis seems a bit more plausible than it starting as a total hoax because neither Robinwood, TriValley, nor Hagerstown Police Department have actually refuted claims that they were compromised, have they?" the site, which is claimed to be run by a licensed health care professional, said, referring to three attacks that were claimed by Groove.

The most interesting part of the Data Breaches post was that the site had been given "evidence" to prove that Groove was a hoax. "But in one of the most bizarre stories concerning Groove, was given some alleged evidence that Groove were fraudsters," the post said.

"The 'evidence' was provided by someone who purported to be with a top-tier ransomware group. According to this person, when Groove wasn’t paid by victims, Groove would pose as a well-known researcher and contact the victim to offer their services.

"I [the person behind Data Breaches] was told that a number of researchers were impersonated that way, with Groove using their names and directing email to a domain Groove allegedly controlled."

Surprisingly, neither Bleeping Computer, the site that led the way on Groove coverage, nor The Record, a site backed by CIA-funded threat intelligence firm Recorded Future which gave Groove oxygen through tweets, have made any mention of the fraud claims.



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
