In November 2019, companies across the United States started receiving the following poorly written but still threatening email:
In the past day we have come across data pertaining to company you work for: [company name]. Data contains all personal identifiable information for every employee that works for this company including yourself. Data was leaked around [date].
The email contained a sample of what appeared to be stolen employee data such as names and social security numbers. It demanded that the recipient of the email pay a ransom in return for “keeping data secure.”
In short, this looked like a ransomware attack using the then relatively innovative tactic of threatening to release data, as opposed to simply encrypting it. Since then, this has become the primary threat used by virtually all ransomware gangs.
Coveware, a ransomware response company, first reported the email after it began circulating, and the punchline is that the ransomware attack was entirely fictitious. No attack or breach had occurred.
The communication was a social engineering scam designed to make the victim believe they’d been breached, using attached data pulled from public sources, including third-party breaches that happened elsewhere.
The interesting question is whether every recipient would have realized this. There’s no evidence that anyone paid up, but it’s not beyond the realm of possibility that some might have.
Coveware even came up with a name for this type of scam: “phantom incident extortion.”
Pretend breaching sounds like a crude tactic, barely one step above the sextortion attacks that have been around for years and from which the concept probably first evolved.
However, a recent news report underscores that phantom incident extortion is not only still with us, but might now be evolving into something more sophisticated.
Since mid-March, U.S. companies have reported receiving ransom demands from a group called Midnight that claim to have stolen hundreds of gigabytes of sensitive data.
In some attacks, they’ve impersonated better-known ransomware groups, presumably to make the threat sound more convincing.
After analysis by specialists, these attacks have been deemed fake, but this does raise the interesting question of how to distinguish real from bogus in a world where so much breached data is already floating around.
The short answer is: without looking deeper, only with some difficulty. If an attacker hasn’t breached a network but does have some genuine data, does that qualify as a genuine attack?
It’s a reminder that once a breach has occurred, the stolen data remains viable and valuable for years afterwards. Consequently, a second attacker can reuse part of the same data set to attempt a follow-up extortion attack on the same victim.
Welcome to the convoluted world of ransomware where attacks breed more attacks, in a sort of spinning extortion carousel that keeps throwing out new forms.
The vast majority of phantom incidents are still crude, opportunistic attacks nobody would fall for. But some are getting harder to tell from the real thing. This is why professional post-incident assessment is becoming a must—organizations should understand the scale of every incident, to help ascertain what might be coming in the future.