Observations on Midnight Group’s Fraud Campaign Resurgence

Click the download button above to read the full report.

Arete’s research recently discovered a fraud campaign by a re-emerging actor dubbed “Midnight Group" specifically targeting organizations who previously fell victim to ransomware attacks. Midnight Group operations date back as far as 2019, but recently their operational tempo has increased dramatically. Interestingly, the re-victimized organizations experienced the initial attacks at the hands of over five distinct threat actor groups. Victims of this fraud campaign receive emails claiming the Midnight Group was behind the original ransomware attack, and their data will be posted on the dark web if they do not pay. At the time of this reporting, at least 15 current or previous Arete clients received this fraudulent email.

• The Midnight Group threat actor is identifying victims of ransomware attacks, even when the victims are not publicly available.
• The Midnight Group claims to have exfiltrated between 700GB–900GB of data, even in cases where no data exfiltration occurred, or a different amount of data was exfiltrated.
• Contacted individuals appear to have been identified on the victim’s public website.
• In several instances, the threat actor claimed to be associated with different ransomware
operations (e.g. Surtr and Silent Ransom), but these threat actor groups were not involved in the original ransomware attack suffered by the victims.