According to investigations, Babuk has simply collaborated with a strong RaaS contender to succeed it.

Earlier this week, the Groove gang, a relatively new Ransomware-as-a-Service (RaaS) group, allegedly leaked 500,000 Fortinet VPN login credentials on the Dark Net.

After analyzing the incident, McAfee Enterprise’s Advanced Threat Research (ATR) team has announced that it assesses with high confidence that the Groove gang is associated with the now-defunct Babuk gang, either as a former affiliate or as a subgroup.

Key insights

According to the ATR, this is the chain of events that links the two groups:

  • The shutdown: After the turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, some of the ransomware-affiliated cybercriminals apparently found a home in a forum known as RAMP.
  • The RaaS advertising bans: Popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack, making it harder for RaaS groups to establish credibility and maintain their top-tier position in the underground.
  • The collaboration proposal: A bad actor called Orange posted a call-to-action for collaboration, noting that for the past two years GROOVE had been a financially motivated criminal organization dealing in industrial espionage, and that several of Babuk’s victims had brought the group a lot of attention.
  • The motive: Based on Babuk’s fallout, the similarities between the two RaaS groups, and the evolving underground situation, the Groove gang is likely a former affiliate or subgroup of Babuk, one that is willing to collaborate with other parties as long as there is financial gain for it.

The changing cybercriminal underground landscape created the perfect opportunity for the threat actor Orange to emerge, with the Groove gang in tow, offering a new way of working in which an associate’s worth is based entirely on their ability to earn ransom. This pattern essentially confirms ATR’s belief that Groove and Babuk are associated.