Threat actors masquerading as cybersecurity researchers are approaching victims of the Royal and Akira ransomware gangs, offering to delete files the groups have stolen - for a price.
It's unclear whether the fraudulent offers of help - described as a follow-on extortion campaign - are being made by the same criminals responsible for the initial ransomware attacks.
While it's common for ransomware gangs to retarget the same victims, Arctic Wolf senior threat intelligence researchers Stefan Hostetler and Steven Campbell said they were not aware of any previous instances where a threat actor had posed as a legitimate security researcher and offered to delete data stolen by a ransomware group.
In the first case, a person claiming to be from an organization called Ethical Side Group emailed a Royal ransomware victim in early October last year, saying they had obtained access to data the gang had exfiltrated from the victim.
A month later, an Akira victim received a similar communication from an entity calling itself xanonymoux.
While ESG and xanonymoux presented themselves as separate, unrelated entities, similarities between the two cases led Arctic Wolf to conclude it was likely they were linked to a common actor.
Those similarities included posing as researchers, asking for payment of around 5 bitcoin, offering to provide proof of access to the exfiltrated data, and the use of similar phrasing in the emails sent to the victims.
One logical conclusion was that actors associated with Royal and Akira were hiding behind fake entities in an attempt to retarget the gangs' previous victims.
The researchers said the complex dynamics of the ransomware ecosystem, where affiliates could be tied to more than one gang, made it difficult to prove that theory.
Hostetler and Campbell said the similar elements identified between the cases they examined suggested a common threat actor had instigated a follow-on campaign in a bid to extort organizations that were previously victims of Royal and Akira ransomware attacks.
This Cyber News was published on packetstormsecurity.com. Publication date: Wed, 10 Jan 2024 14:58:20 +0000