U.S. organizations targeted by fraudulent ransomware group using hollow data leak warnings

A group of fraudulent extortionists are exploiting data breaches and ransomware attacks to scam US companies. They threaten to sell or publish allegedly stolen data unless payment is made. In some cases, the group has added a distributed denial-of-service (DDoS) attack threat. The group, calling themselves Midnight, impersonates ransomware and data extortion gangs in emails, claiming to have stolen data and demanding payment. The Kroll corporate investigation and risk consulting firm found that some of these emails also threaten with DDoS attacks. Arete incident response company has confirmed that the group is targeting organizations that have previously been victims of a ransomware attack. It is unclear how victims are selected, but it is possible that the group uses publicly available sources, such as data leak sites, social media, news reports, or company disclosures. Coveware, a ransomware incident response company, has warned of this tactic since 2019, calling it Phantom Incident Extortion. The group’s threats are empty and should be recognized as such.