Groove was publicly described in 2021 as a new ransomware affiliate program and extortion group announced on the Russian-language cybercrime forum RAMP by the administrator "Orange." It was presented as an aggressive, financially motivated criminal organization involved in industrial espionage, and it called on other extortion gangs to unite in attacking U.S. government interests online. Groove operated a darknet victim-shaming blog and, in early September 2021, posted roughly 500,000 Fortinet VPN credentials taken from systems that had not applied a May 2019 patch. Reporting assessed that this credential dump may have been intended to attract affiliates or attention. However, later reporting indicated Groove may have been largely or entirely a hoax or failed operation. The actor "Boriselcin" claimed on the XSS forum that he created Groove as a fake gang, used old Fortinet credentials, and deliberately manipulated journalists and security firms. Intel471 assessed that a single actor likely operated both the Groove blog and the RAMP forum, and that Groove may have been less a pure hoax than an unsuccessful attempt to create a ransomware group. Throughout its existence, Groove listed only a small number of victims, and its blog later disappeared. Supporting reporting linked Groove to the RAMP ecosystem and to personas associated with Babuk. McAfee assessed with high confidence that Groove was a former affiliate or subgroup of Babuk and likely affiliated with BlackMatter. Separate reporting tied the aliases "Orange" and "Boriselcin" to Russian national Mikhail Pavlovich Matveev, also known as Wazawaka, and identified Orange as the founder of RAMP. Known associated aliases and personas mentioned in the reporting include Orange and Boriselcin; broader linked identities in the same reporting include Wazawaka, TetyaSluha, and Uhodiransomwar.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Attributed origin per open-source reporting.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware affiliate program announced by Orange; later described by Boriselcin as largely a pet project intended to mislead media and the security industry.
Presented as a new ransomware/extortion group, called for attacks on U.S. government interests, posted 500,000 Fortinet VPN credentials, and may have been a hoax or failed attempt to launch a ransomware operation intended to troll media and security researchers.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.