New data extortion email campaign copying ransomware gang techniques

Luis Corrons 4 Apr 2023

All signs indicate that this is simply a scam to scare company decision makers into paying money to avoid further consequences.

The Avast Threat Labs have identified a new data extortion scam targeting companies. The scam is designed to look like it's coming from a ransomware or data extortion cyber gang and is sent via email to employees of different companies, addressing them by their full name.

In this message, they let them know their company has suffered a security breach and a large amount of information has been stolen — including data from Human Resources — such as employee records, personal, and medical data. The senders claim they are from a ransomware group, like “Silent Ransom”, or “Lockffit.” If read quickly, the recipient may believe the email was sent by the “LockBit” ransomware group, which is known for their aggressive data extortion methods.

The cybercriminals ask the employees to contact their managers and let them know about the situation. The message makes clear that they have all the information about their company and their clients and threaten to sell the data to other criminals if they don’t get an answer. Then they mention the regulatory laws of data breaches (nowadays there are huge fines for companies that do not protect conveniently their data).

The criminals then provide an email address to contact them, advising to message them only from the corporate email, and providing an individual number that must be added to that email to keep proper tracking.

While victims might think that this is an extortion campaign launched by cybercriminals after they have perpetrated a data breach, all signs indicate that this is simply a scam to scare company decision makers into paying money to avoid further consequences, like having their data sold on the black market, huge fines, clients learning their data has been stolen, and so on.

This is one of the messages that we captured:

MicrosoftTeams-image (7)

It could be a real message from a particular cybercriminal group, although there are some details that make us conclude this is just a scam. They present themselves as “Lockffit group,” an unknown group that could be real or not. In the message there are a few typos, but that by itself doesn’t mean anything.

The tactic is similar to what some ransomware groups do to force victims into paying in exchange for not only getting their data back, but to avoid having their confidential information sold or made public. However, in a real ransomware case, the criminals encrypt the victim data first, which makes it clear they have breached the company’s network. In this case, they do not offer any proof other than having the email address and the name of the recipient of the message.

Not only that, but we have also captured other messages targeting different organizations with exactly the same content (including the same typos!), but changing the name and address of the recipient, the email they must write to, the amount of data stolen, the individual number, and sometimes even the cybercriminal group. It all points to be semi-automated attacks where criminals use a database of addresses in order to send these emails to the list of targets, just with a few changes, similar tactic to the used in sextortion attacks.

This is another message we intercepted. As you can see, it is almost identical to the first message, despite being signed by a different group:

MicrosoftTeams-image (8)

What to do if you receive a similar message

1. Don't panic. Attackers will always use fear and sense of urgency to force us to make rush decisions.

2. Report it to the department of your company that's in charge of IT security. Do not respond to the message.

3. If this isn't managed centrally by your IT department, make sure you have your anti-malware solution updated. Avast can detect these scams and take care of them for you.

There is nothing else to be done, as there is no malware involved and your computer is not at risk. As a proactive measure, CISOs and IT departments should make sure to inform their employees that this type of scam exists and urge their employees to report it to them when they receive such a message — and in no case respond to it.

--> -->