The Groove ransomware gang, a group thought to be associated with the Babuk gang, is publicly calling on all other ransomware groups to unite and target the U.S. public sector. The appeal appears to be retaliation for the recent shutdown of the REvil gang.

What happened?

Groove published a message on a Russian-language blog that is believed to be its leak site.
  • The message appeals to all other ransomware gangs to stop competing with one another and unite against the U.S.
  • It references the recent arrests and other actions taken by federal agencies against ransomware gangs, presumably alluding to REvil.
  • The post also tells the gangs to avoid targeting Chinese companies.
  • According to the post, China is the next potential safe haven for ransomware operators should Russia stop tolerating ransomware operations and start taking action against them.

But who is actually behind this?

Groove’s Babuk connection and an Orange suspect

  • In July 2021, a threat actor previously associated with Babuk ransomware operations launched the RAMP hacking forum after the Babuk group announced its retirement from the ransomware business.
  • The actor, known as Orange, used his admin rights on Babuk's Tor site to host the forum. He recently announced a change in the forum's administration.
  • In another post, the same actor indicated that he would soon launch a new ransomware operation aimed at hospitals and government agencies in the U.S.
  • Researchers have pointed to this overlap in targets and intent and inferred a connection between Groove's post on the Russian-language blog and the aforementioned posts by Orange.

Some have claimed that Orange could be one of the representatives of the Groove ransomware operation.

Ending notes

Beyond these recent posts by Groove and Orange, other threat actors may also be planning attacks against U.S.-based organizations. Organizations, especially in the public sector and healthcare, should treat this as a prompt to tighten their defenses and put proactive strategies in place against such threats before they suffer major damage.

Publisher: Cyware