The ‘Groove’ Ransomware Gang Appears to Have Been a Hoax — But Was Any of It Real?

Brian Krebs writes:

A number of publications in September warned about the emergence of “Groove,” a new ransomware group that called on competing extortion gangs to unite in attacking U.S. government interests online. It now appears that Groove was all a big hoax designed to toy with security firms and journalists.

You can read more on There are somewhat differing views about whether Groove started as a hoax or was re-framed as a hoax to save face when the actor’s attempt at a ransomware operation didn’t enjoy success. The latter hypothesis seems a bit more plausible than it starting as a total hoax because neither Robinwood, TriValley, nor Hagerstown Police Department have actually refuted claims that they were compromised, have they?

In any event, this site has always been cautious in reporting Groove’s claims. In September, this site reported that Groove had claimed to have hacked Robinwood Orthopaedic, but had not really provided any actual proof of claim. Yes, there were images that related to orthopedics, but nothing that definitively linked to Robinwood, and Robinwood had never replied at all to multiple inquiries, so this site cautioned to treat Groove’s claim as unconfirmed.

On October 23, this site reported on Groove again, writing that it appeared that Groove had attacked TriValley Primary Care in Pennsylvania, a medical practice with eight locations. The operative word was “appears.” A notice on TriValley’s web site seemed to provide some confirmation that something had gone wrong for TriValley as they talked about “restoration” and the patient portal not being operational. This site cautioned that again, there was not actual confirmation of Groove’s claims, but the notice seemed to indicate that something had happened.

But in one of the most bizarre stories concerning Groove, this site was given some alleged evidence that Groove were fraudsters. The “evidence” was provided by someone who purported to be with a top-tier ransomware group. According to this person, when Groove wasn’t paid by victims, Groove would pose as a well-known researcher and contact the victim to offer their services. I was told that a number of researchers were impersonated that way, with Groove using their names and directing email to a domain Groove allegedly controlled.

Here’s a copy of the text of the email Groove allegedly sent reluctant victims:

Email allegedly from Groove

“We regret to inform you that you are most likely a victim of ransomware & data extortion group Groove.

We have strong reasons to believe this because:

– you were added to the index of their leak site
– the post references the domain [*******.com]
– we contacted individuals present in the sample data set and they have confirmed they are customers of ****

Groove, as well as other ransomware groups tend to leak data when negotiations fall apart, so this is a strong indicator that something could have went wrong. If possible, could you please forward us all your communications from any threat actors demanding you pay a ransom, if this has happened? We are ready to assist through a Zoom call if you would like to engage with us.

We can offer you our ‘threat actor negotiations’ services detailed below.

Threat actor negotiations:
Secure & safe negotiations

Limiting the damage as much as possible

Proactive service

Transparent communications

Determine risks & outcomes

We do not ask for payment until we resolve the issues in question. So feel free to reach out.”

The individual who provided this site with that copy of text also provided sample email addresses that Groove allegedly used. The domain was And unsurprisingly, neither of two researchers the source had named knew anything about their name being used in any extortion scam.

If providing this site with such evidence was part of Groove’s plan to try to embarrass the media, it failed, as this site never reported it until now. It does make me wonder, however, about the source who gave me that evidence and who appeared to be dissing Groove. Was that individual Groove or part of any scheme to embarrass journalists, and this site in particular, or was it someone just out to try to embarrass Groove? Maybe one day I will find out.

About the author: Dissent
