Threat actors sometimes name the wrong victims — so why are you just repeating their claims?

    • Since March, 2021, data exfiltrated from Butler County Sheriff’s Office has been dumped on the dark web and clear net, but those affected may never have known that because the threat actors named the wrong victim.
    • Relying too much on the word of criminals, researchers and compilations also misidentified the victim.
    • Researchers and journalists should not be simply repeating criminals’ attributions to victims without examining proof of claims first. 

Conti, a well-known ransomware group believed to be in Russia, encrypts servers and workstations to extort payment from the victim. They use the “double extortion” model: they not only encrypt their victims’ files, but they threaten to publicly dump a copy of the files or sell them if the victim does not pay their ransom demand, so even if the victims have a backup from which they can restore, there is still a risk that Conti will sell or dump a copy of the data.

Conti maintains a leak site on the dark web and clearnet where they publish the names of their victims to pressure them to pay. They also publish some of the victim’s data to increase the pressure.

See for more information about Conti.

In December, 2020, Conti attacked an organization that they added to their leak site in March 2021 as “Brevard County Sheriff.” Their listing linked to the Brevard County Public Safety Charity, a group formed to help the Florida county’s first responders.

Claiming that the listing was for the Brevard County Sheriff was just one of Conti’s errors. The bigger error was that the files had nothing to do with the Florida county’s sheriff’s office or its support organization. When we started diving into the data dump, we discovered that the data were actually from the Butler County Sheriff’s Office in Ohio.

(We know, we know… both begin with “B” and both involve “Sheriff’s,” right? And nobody’s perfect, right? But naming the wrong victim can hurt an uninvolved party’s reputation.)

It was the Butler County Sheriff’s Office that was attacked by Conti in December, 2020. That sheriff’s office acknowledged an incident at the time but did not name the threat actors and did not discuss any ransom demands.

In early March, Conti dumped more than 25,000 files, but their site misidentified those files as coming from the Brevard County Sheriff’s Office support organization. For its part, Butler County cleverly did not publicly correct them. And in April, when Butler County issued a statement, they made no mention that the data had been dumped on Conti’s leak site. In fact, they did not mention Conti at all. Their notice (embedded at the bottom of this post) did inform people that their data was on an unnamed threat actor’s web site, but anyone looking for a listing for “Butler” would not have found it.

As far as we can determine based on a review of news coverage, this is the first time the presence of Butler County Sheriff’s data has been publicly revealed as being on Conti’s leak site. But that’s not the worst possible situation as most of the more than 25,000 files Conti dumped are like a news junk drawer — scanned copies of news articles going back to the early 1990’s.

Inspection of the files revealed a few videos, some annual inventories, memos, some mail, manuals, a variety of forms, detention records, and some incident reports. Some of the detention or arrest records included personal information such as names and Social Security numbers, but there were not many of those.

[Image: Arrest Record] Old arrest record reports the arrest of a county deputy sheriff for aiding and abetting a prisoner’s escape from jail. Redacted by

A number of files dealt with employee reassignments, promotions, retirements, or resignations. Those files included names, positions, and pictures of employees, but no sensitive data. We did not find any databases with personnel or payroll information, but it is important to qualify that because we do not know: (1) whether Conti dumped all of the data they had exfiltrated, and (2) whether they had exfiltrated more sensitive and personal information that they have privately sold or circulated for misuse. That said, there have been no public reports of misuse of any of the data.

Butler’s statement of April 15 indicated that they were notifying consumers of the data breach, and that names, addresses, dates of birth, and driver’s license numbers were involved.

Conti is certainly not the first group to name the wrong victim. It happens more often than the public might realize, which is why this site has often urged security researchers NOT to just tweet-repeat announcements or claims on leak sites about who has become a victim until that is confirmed. 

But errors in naming victims do leave us wondering who threat actors have actually tried to extort.

Did Conti try to extort Brevard or did it try to extort Butler after the initial ransom note? Did they email or call Brevard or did they email or call Butler? We emailed both Brevard County Sheriff’s Office and Butler County Sheriff’s Office recently to ask them that question, but received no replies.

In this case, Conti failed to secure any ransom or extortion payment, which is just as well, as current recommendations from experts claim that:

  • it can take longer to restore files using a decryption key than to restore from backup
  • even when criminals pinky swear that they will return all your data, they don’t, and may reserve the most commercially valuable data to sell or misuse privately
  • even when criminals pinky swear that they will delete all your data, they don’t — and some will try to extort you again later over the same data
  • paying ransom makes you a soft target for another attack because they know that you are an entity willing to pay ransom, so you may get attacked a second time by the same threat actors or other threat actors; and
  • a number of these groups or their affiliates may be on government-sanctioned lists and you (the victim) may wind up with fines greater than the ransom demand if you do pay the criminals.

Butler County did not pay the threat actors. It reportedly cost them nearly $180,000 to remediate the breach, a significant portion of which was covered by their insurance.


Research by Chum1ng0. Translation and writing assistance by Dissent.

About the author: chum1ng0
