Ransomware Deception: Impersonating Security Researchers Adds a New Layer of Threat

Arctic Wolf, a cybersecurity company, has uncovered instances where organizations victimized by the Royal and Akira ransomware groups were targeted by an imposter posing as a security researcher. These threat actors, claiming ethical hacking expertise, offered to hack back the original attackers and delete stolen victim data. The Royal and Akira ransomware operations employ the double extortion tactic, encrypting victim systems and threatening data leaks unless a ransom is paid.

In the reported cases from October and November 2023, the fake researcher approached victims who had already paid a ransom. The imposter, using monikers like ‘Ethical Side Group’ (ESG) and ‘xanonymoux,’ promised proof of access to stolen data and offered to delete it for a fee of up to five Bitcoins (approximately $190,000 at the time).

In one case, the imposter initially attributed the attack to the ‘TommyLeaks’ gang but later switched the narrative to claim access to Royal’s server. The victim had previously engaged in negotiations with the ransomware actor in 2022.

In the second incident, the imposter, using the name ‘xanonymoux,’ offered either to delete files on Akira’s servers or to provide access to the actor’s server. However, prior communication from Akira indicated that it had not exfiltrated any data and that the attack had only encrypted the breached systems.

Arctic Wolf summarized the imposter’s approach in both cases as follows:
– Posed as a cybersecurity researcher
– Claimed access to server infrastructure holding data from prior breaches
– Used Tox for communication
– Promised evidence of access to previously exfiltrated data
– Implied that future attacks were possible if the offer was declined, without addressing security concerns
– Stated the quantity of previously compromised data
– Demanded a relatively modest payment (<= 5 BTC)
– Reused overlapping phrases in the initial communications
– Used file.io to deliver the purported proof of access to victim data

Arctic Wolf’s investigation revealed that the same individual likely orchestrated both attempts, as the initial communication and proof of access methods shared common phrases. This situation underscores the complexity of ransomware attacks, which pose ongoing challenges for victims beyond the immediate crisis of encrypted and stolen data.
