Is the Groove ransomware gang is a motley crew of disgruntled hackers, or a hoax?

The group emerges as cracks form in the ransomware-as-a-service model.
money, cash, budget, cybercrime, financial, fraud
(Getty Images)

A mysterious ransomware crew now claims its entire existence was a scam meant to trick journalists and cybersecurity personnel.

A coalition of researchers on Sept. 8 explained what makes Groove, a gang that quietly emerged in July with a website, different: Namely, that it eschewed the traditional ransomware-as-a-service hierarchy in favor of an opportunistic pledge that they’ll work with anyone as long as there’s money to be made.

The researchers — from McAfee Enterprises, Intel 471 and Coveware — traced the group’s origins to an apparent split with the Babuk gang, part of a trend of turmoil within extortion groups that use the ransomware-as-a-service (RaaS) model in which affiliates get to use an outfit’s malware in exchange for sharing profits. For instance, a disgruntled former Conti affiliate recently leaked the group’s attack playbook.

Months after Groove’s apparent emergence, the group claimed it all was a hoax. Fraudsters behind the Groove operation in October posted an update on a hacking forum proclaiming they had set out to deceive security researchers and journalists, perhaps as part of an effort to distract cyber personnel from other, more relevant extortion activity, KrebsOnSecurity reported on Nov. 2.


CyberScoop could not immediately verify whether the latest Groove statement was true, or yet another fabrication.

“While it’s possible that a single actor concocted Groove as a way to troll security reseaechers and the media, we believe it’s more likely that the actor’s attempt to create their own ransomware group didn’t work out as planned,” a spokesperson for Intel 471 said in a statement on Nov. 2. “It’s also important to remember that the true identity and nature of any ransomware-as-a-service gang is not always clear and the membership makeup or affiliates of these gangs can be fluid.”

Groove previously claimed to leak 500,000 Fortinet virtual private network passwords. Also on Sept. 8, its website suggested that it would soon “demonstrate its capabilities” on U.S. President Joe Biden.

Fortinet said it was aware of the leaked credentials, and said they were obtained from systems that hadn’t yet implemented a patch issued in May of 2019. That vulnerability led to a U.S. government alert as recently as April. Fortinet published a blog post on the leak in September.

A hacker going by the handle “Orange” set up a website, RAMP, in June. Orange bashed the Babuk gang, claiming credit for any of Babuk’s success with a behind-the-scenes organization called Groove. The researchers found further digital evidence connecting Groove to Babuk.


“Manipulation of large information security companies and the media through a ransom blog,” Orannge reportedly wrote in October.

Groove’s apparent emergence came not only as cracks are forming in the ransomware-as-a-service model, but also after a number of high-profile ransomware groups disappeared and some cybercriminal forums banned advertisements for the hacking method. Unhappy former ransomware affiliates and others appeared to be drawn to Groove, according to McAfee, Intel 471 and Coveware.

“For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling,” the researchers wrote.

“Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.”

Update, Nov. 2, 2021: This story and headline were amended to reflect recent updates about Groove, as first reported by KrebsOnSecurity. This story was also updated to include a statement from Intel 471.

Latest Podcasts