Hackers impersonate security researchers to exploit trust and credibility.
Cybersecurity researchers at Arctic Wolf Labs recently discovered that hackers are actively impersonating security researchers to aid ransomware victims.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month.
Arctic Wolf Labs researchers found ransomware victims getting extorted again, with fake 'helpers' promising to delete stolen data.
They posed as security researchers in two cases, offering to hack the original ransomware group's servers.
This is the first known case of a threat actor pretending to be a legitimate researcher and offering to delete hacked data from another ransomware group.
Despite different personalities, the security analysts believe it's likely the same actor behind both extortion attempts.
Despite appearing distinct, both cases share key elements.
Analyzing their communication styles revealed clear similarities.
Case 1 - Royal Ransomware Compromise and Ethical Side Group Data Deletion Extortion: In this case, the Ethical Side Group told a Royal ransomware victim in October 2023 via email that they had victim data taken by Royal.
In 2022, Royal said they deleted it, but ESG falsely blamed TommyLeaks.
ESG offered to hack and delete the data from Royal's server for a fee.
Decrypting the complicated world of ransomware, RaaS affiliates juggle multiple encryption payloads.
Uncertainty persists about group sanctioning in follow-on extortion.
Beware of relying on criminal enterprises to delete data post-payment.
After analyzing the similarities found in the documented cases, Researchers reasonably conclude that a single threat actor has been targeting organizations previously affected by Royal and Akira ransomware attacks.
This conclusion is made with a moderate level of confidence.
It remains uncertain if the original ransomware groups authorized the subsequent instances of extortion or if the threat actor operated independently to obtain more funds from the targeted organizations.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 12 Jan 2024 04:10:13 +0000