The bold move signals a looming clash between Russian ransomware groups and the U.S.

Following the recent international law enforcement effort that dismantled the infrastructure for the REvil ransomware group, fellow cybercrime group Groove called for revenge — encouraging the wider cyber extortionist community to band together to target U.S. interests.

At a time when the U.S. is leading the international law enforcement effort to make splashy busts and shows of force against cybercriminals, this seems like a bold bet by Groove. But they have a plan.

BleepingComputer published a translation of the Russian blog post from Groove, filled with chest-thumping threats against the “US public sector, show this old man who is the boss here who is the boss and who will be on the Internet.”

Infosec Insiders Newsletter

The language gets vaguely military in tone from there.

“While our boys were dying on honeypots, the nets from rude aibi squeezed their own… but he was rewarded with higher and now he will go to jail for treason, so let’s help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies,” Groove’s post read.

The threat letter goes on to instruct against attacks on Chinese interests in case the sanction-strapped Russian government should decide to hand them over.

“I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors – the Chinese!”

The missive from Groove seems to correlate with threats from last July from threat group Orange against U.S. government agencies and hospitals, BleepingComputer added.

Set Up for a Showdown

Groover and their fellow threat actors seem to be itching for a fight with the U.S. government and the current Biden Administration seems prepared to oblige.  There’s a rolling clash looming, according to Galina Antova, Claroty’s co-founder.

“This back and forth of threats and actions is just the beginning,” she told Threatpost. “As ransomware groups, such as REvil, hit important critical infrastructure companies, of course the U.S. government and other governments will retaliate. Unfortunately, by starting to target large infrastructure companies, the ransomware groups have crossed a boundary that requires more than just ‘defending forward’ and deterrence strategies.”

The move by Groover, coming fresh off the U.S. display of its reach into these ransomware groups’ operations with REvil’s takedown, shows they’re prepared to retaliate rather than capitulate.

“It shows an emboldened threat actor,” Antova said in reaction to Groove’s threat letter. “Whether they make those types of communications public or not, there is a certain level of cooperation between ransomware groups in Russia (members) and fluidity around where the criminal organization stops and the government begins.”

Antova added that U.S. government interests are undoubtedly keeping a close eye on these groups.

“Given the level of attention that CISA, FBI and NSA are publicly demonstrating towards the Russian ransomware groups, we can be certain they are closely monitoring groups such as Groove, whether those groups make public statements like this one or not,” she said.

As this continues to play out, U.S. organizations need to be on high alert for these types of attacks and stop them before they start. There’s a long list of attacks that have already inflicted damage on the American infrastructure, including those on Colonial Pipeline and JBS Foods.

“While the intelligence community is doing great work to take down these groups and retrieve ransom payments, organizations in the U.S. and elsewhere still must do as much as they can to stop ransomware before it gets to the point of having to halt essential operations,” Antova warned. “It was only a matter of time until ransomware actors went after critical networks, as those are crucial to operations and, therefore, valuable.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.