Ransomware gangs are adopting more open and corporate strategies [5] [6], engaging with journalists and leveraging press coverage to increase pressure on victims to pay.


Notorious organizations like Royal [6], The Play [4] [5] [6], and RansomHouse are increasingly contacting journalists [6], forming a suspicious but mutually beneficial relationship [6]. This indicates a shift in their tactics as they try to infiltrate the information and technology domains [6]. These groups recognize the newsworthiness of their activities and actively seek media attention. They collaborate with journalists [3], offering to share information on PR channels before official publication [3]. Some gangs even threaten to send data to the media if victims do not pay [3], emphasizing the potential exposure of internal documents to the public [6]. This strategy aims to exert public and peer pressure on victims [6].

Certain hacking groups go so far as to explicitly promote their attacks through various media channels, using the coverage as a warning to potential victims. Ransom notes often highlight the potential exposure of internal documents to the public [6], including from dark web criminals [6], journalists [1] [3] [4] [5] [6], and employees [4] [6]. This emerging trend suggests a deliberate effort among certain ransomware groups to develop a comprehensive media strategy and professionalize their image. They publish press releases [1] [3], create polished graphics and branding [1] [3], and hire English writers and speakers [1] [3]. They actively engage with journalists [4], providing FAQs for journalists visiting their leak sites [3], encouraging reporters to contact them [3], and even giving interviews [3]. By publicizing their attacks in the news [6], they aim to exert public and peer pressure on victims [6].


While this increased publicity exposes these groups to heightened scrutiny from law enforcement agencies, it also lends credibility to their threats of leaking sensitive information [7]. Therefore, individuals and organizations must remain vigilant [2], implement robust cybersecurity measures [2], and educate themselves about these PR tactics to effectively mitigate the impact of ransomware attacks [2]. The evolving strategies of ransomware groups highlight the need for ongoing efforts to combat this threat and guard against its future implications.


[1] https://sigmacybersecurity.com/ransomware-gangs-and-the-media-sophos-news/
[2] https://platodata.network/platowire/how-ransomware-gangs-employ-pr-tactics-to-intimidate-and-manipulate-victims/
[3] https://flyytech.com/2023/12/13/ransomware-gangs-and-the-media-sophos-news/
[4] https://www.darkreading.com/threat-intelligence/ransomware-gangs-pr-charm-offensive-pressure-victims
[5] https://ciso2ciso.com/ransomware-gangs-use-pr-charm-offensive-to-pressure-victims-source-www-darkreading-com/
[6] https://zephyrnet.com/zh-TW/%E5%8B%92%E7%B4%A2%E8%BB%9F%E9%AB%94%E9%9B%86%E5%9C%98%E5%88%A9%E7%94%A8%E5%85%AC%E9%97%9C%E9%AD%85%E5%8A%9B%E6%94%BB%E5%8B%A2%E5%90%91%E5%8F%97%E5%AE%B3%E8%80%85%E6%96%BD%E5%A3%93/
[7] https://www.itpro.com/security/ransomware/ransomware-groups-are-using-media-coverage-to-coerce-victims-into-paying