Threat actors are posing as helpful cyber security researchers, promising known victims of ransomware attacks that, for a hefty fee, they will hack the offending hackers back and delete any stolen data.
An investigation by cyber security firm Arctic Wolf has reportedly uncovered several instances in which victims of ransomware attacks claimed by the Akira and Royal ransomware groups that paid a ransom were contacted for additional attempts at extortion.
On top of this, the company observed two cases where the threat actors reaching out to the victims claimed to be ethical hackers or cyber security researchers, offering to hack the two ransomware giants back and secure and delete the stolen data.
The “ethical hacker” generously offered their services for a mere five bitcoins (roughly $340,000 at the time of writing).
The two instances were observed in October and November of last year, with the first reaching out to a victim claiming to be from “Ethical Side Group” (ESG).
The threat actor, in this instance, originally said it had access to the data of the TommyLeaks gang, before correcting itself after realising it was talking to a victim of Royal ransomware.
“Notably, in prior negotiations in 2022, Royal claimed to have deleted the data,” said Arctic Wolf.
In the second case, just a month later, a victim of the Akira ransomware gang was contacted by a user going by the name “xanonymoux”, who said they had compromised the ransomware group’s server infrastructure and offered either to assist the victim in deleting the data or to grant them access to it.
It also claimed that Akira was associated with the Karakurt criminal group, known for data exfiltration and theft.
“Notably, when Akira was contacted a few weeks before xanonymoux’s email, the group claimed not to have exfiltrated any data and that they had only encrypted systems,” added Arctic Wolf.
As Arctic Wolf points out, these cases bear several similarities, despite the senders claiming to be different entities and having knowledge of different organisations.
Similarities include:
Follow-on attacks aren’t new, and victims of ransomware attacks who meet the demands of attackers paint a target on themselves that notifies threat actors that there is money to be made. Arctic Wolf said these follow-on attacks have been observed with cases connected with the Karakurt and Conti crime groups.