A new analysis has shone a light on the fallout between cybercriminals following the Colonial Pipeline and Kaseya attacks. A group of researchers from McAfee, Coveware, and Intel471 have discovered the emergence of a new ransomware gang dubbed Groove, which was previously an affiliate of Babuk ransomware.
Groove makes the headline
In one of its first acts, Groove publicly leaked a set of nearly 500,000 VPN credentials on a new hacker forum named RAMP.
The stolen credentials were associated with some 87,000 Fortinet FortiGate SSL-VPN devices that were vulnerable to a file leak vulnerability tracked as CVE-2018-13379.
Researchers described this act as a way to empower other threat actors and aspiring cybercriminals to step into the scene.
About the new forum
RAMP, which supposedly stands for Ransom Anon Mark[et] Place was created in July by a threat actor TetyaSluha, who later changed their name to Orange. MRT, 999, and KAJIT among other threat actor groups are also involved in the maintenance and development of the forum.
According to ATR researchers, “This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic.”
Groove likely linked to BlackMatter
After the fallout, Groove rebranded Babuk’s wyyad server in late August.
While the data on the server still hosts the old victims of Babuk, the ATR team found data of a particular Thai IT service provider that was attacked by the BlackMatter ransomware gang.
This indicates that Groove may have worked as an affiliate for the BlackMatter gang.
The expanding RaaS model is being used as an opportunity by some affiliates to become competent cybercriminals. Groove is one such upcoming threat actor that appears to challenge the conventional RaaS hierarchy. With previous experiences in industrial espionage and some former Babuk developers in its cabal, the gang has made it clear that it is willing to collaborate with other parties as long as there is financial gain.