Groove Ransomware Gang Attracts Affiliates by Attempting New Tactic


Recently, a new ransomware gang named Groove has drawn the attention of cybersecurity experts. The group is trying a new tactic to profit from compromised networks. At the same time, it has taken center stage after publicly leaking 500,000 usernames and credentials for free. These credentials belong to Fortinet FortiGate SSL-VPN devices. Notably, Fortinet has acknowledged the data leak. According to the company, it occurred between May 2019 and June 2021. Ostensibly, with this boastful move, the Groove ransomware gang is attracting affiliates in the wake of the Colonial Pipeline attack.




Reaction to Data Leak

Researchers from McAfee consider the leak a way to draw the attention of other cybercriminals to the new Groove operation. According to John Fokker, principal engineer and head of cyber investigations at McAfee, the ransomware gang has invited aspiring threat actors onto the scene and emboldened them through this action.

Origins of Groove Ransomware Gang

Researchers trace the origins of the Groove ransomware gang to a likely split from another cybercrime group called Babuk. Babuk operates under the RaaS (ransomware-as-a-service) model, in which affiliates use a cybercriminal outfit's malware in exchange for a share of the profits.

How Did Groove Obtain the Fortinet Credentials?

Experts believe the attackers obtained the leaked credentials by exploiting CVE-2018-13379, an arbitrary file read vulnerability in Fortinet devices. The flaw allowed an unauthenticated attacker to read arbitrary files, including the sessions file. For the record, the company issued a patch in May 2019. However, many VPN devices may never have received the patch, or were patched without their passwords being reset. It is also possible that the ransomware gang compromised the affected customers using previously exposed VPN credentials. At the same time, it remains unclear how many of the VPN credentials leaked by the group are still valid.

A New Forum

The threat actor leaked the Fortinet VPN credentials through a new underground forum called RAMP. Allegedly, it was created by the former head of the Babuk ransomware operation.

Popular cybercrime forums have banned ransomware gangs, or more precisely, have barred them from advertising, following the Colonial Pipeline attack on May 7, 2021. Given the level of disruption it caused, experts consider it one of the most significant ransomware attacks in US history; it was serious enough to prompt a briefing for US President Joe Biden. In this climate, several underground forums tried to distance themselves from ransomware activity while the situation remained volatile.

Seemingly, the Groove ransomware gang has bridged the gap by once again giving ransomware operators a forum. It is positioning itself as a self-reliant cybercrime group that challenges the conventional RaaS hierarchy. Overall, the group's approach appears broader: it seems willing to work with other criminal groups as well as with ransomware operators.


The Groove ransomware gang has seized an ideal opportunity to expand its exploitation and profiteering, created when cybercrime forums banned ransomware actors from selling their malware to affiliate groups. Remember, Groove claims to be a financially motivated organization with experience in industrial espionage, and ransomware remains a supplementary source of revenue for it. Along these lines, feel free to contact LIFARS if you are dealing with a data breach or anything related to cybersecurity.



