The ‘Groove’ Ransomware Gang Appears to Have Been a Hoax — But Was Any of It Real?

Posted on November 2, 2021 by Dissent

Brian Krebs writes:

A number of publications in September warned about the emergence of “Groove,” a new ransomware group that called on competing extortion gangs to unite in attacking U.S. government interests online. It now appears that Groove was all a big hoax designed to toy with security firms and journalists.

You can read more on KrebsOnSecurity.com. There are somewhat differing views about whether Groove started as a hoax or was re-framed as a hoax to save face when the actor’s attempt at a ransomware operation didn’t enjoy success. The latter hypothesis seems a bit more plausible than it starting as a total hoax because neither Robinwood, TriValley, nor Hagerstown Police Department have actually refuted claims that they were compromised, have they?

In any event, DataBreaches.net has always been cautious in reporting Groove’s claims. In September, DataBreaches.net reported that Groove had claimed to have hacked Robinwood Orthopaedic, but had not really provided any actual proof of claim. Yes, there were images that related to orthopedics, but nothing that definitively linked to Robinwood, and Robinwood had never replied at all to multiple inquiries, so this site cautioned to treat Groove’s claim as unconfirmed.

On October 23, DataBreaches.net reported on Groove again, writing that it appeared that Groove had attacked TriValley Primary Care in Pennsylvania, a medical practice with eight locations. The operative word was “appears.” A notice on TriValley’s web site seemed to provide some confirmation that something had gone wrong for TriValley as they talked about “restoration” and the patient portal not being operational. DataBreaches.net cautioned that again, there was not actual confirmation of Groove’s claims, but the notice seemed to indicate that something had happened.

But in one of the most bizarre stories concerning Groove, DataBreaches.net was given some alleged evidence that Groove were fraudsters. The “evidence” was provided by someone who purported to be with a top-tier ransomware group. According to this person, when Groove wasn’t paid by victims, Groove would pose as a well-known researcher and contact the victim to offer their services. I was told that a number of researchers were impersonated that way, with Groove using their names and directing email to a domain Groove allegedly controlled.

Here’s a copy of the text of the email Groove allegedly sent reluctant victims:

Email allegedly from Groove

“We regret to inform you that you are most likely a victim of ransomware & data extortion group Groove.

We have strong reasons to believe this because:

– you were added to the index of their leak site
– the post references the domain [*******.com]
– we contacted individuals present in the sample data set and they have confirmed they are customers of ****

Groove, as well as other ransomware groups tend to leak data when negotiations fall apart, so this is a strong indicator that something could have went wrong. If possible, could you please forward us all your communications from any threat actors demanding you pay a ransom, if this has happened? We are ready to assist through a Zoom call if you would like to engage with us.

We can offer you our ‘threat actor negotiations’ services detailed below.

Threat actor negotiations:
Secure & safe negotiations

Limiting the damage as much as possible

Proactive service

Transparent communications

Determine risks & outcomes

We do not ask for payment until we resolve the issues in question. So feel free to reach out.”

The individual who provided this site with that copy of text also provided sample email addresses that Groove allegedly used. The domain was cyberservices.com. And unsurprisingly, neither of the two researchers the source had named knew anything about their names being used in any extortion scam.

If providing DataBreaches.net with such evidence was part of Groove’s plan to try to embarrass the media, it failed, as this site never reported it until now. It does make me wonder, however, about the source who gave me that evidence and who appeared to be dissing Groove. Was that individual Groove or part of any scheme to embarrass journalists, and this site in particular, or was it someone just out to try to embarrass Groove? Maybe one day I will find out.

Category: Commentaries and Analyses
