Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data.
Both Royal and Akira ransomware operations use the double extortion tactic - encrypting victim systems after stealing info, and threaten with a data leak unless a ransom is paid.
The fake researcher offered to provide proof of access to the stolen data still on the attacker's servers and said they could delete it for a fee of up to five Bitcoins.
Arctic Wolf's report presents two cases from October and November 2023, where the cybercriminal contacted organizations that had been compromised by Royal and Akira ransomware.
In the first case, the scammer posed as the 'Ethical Side Group' and initially mistakenly attributed the attack to the 'TommyLeaks' gang, later switching to a narrative claiming access to Royal's server.
It is worth noting that this victim had engaged in negotiations with the ransomware actor a year before, in 2022.
In the second incident, the scammer used the moniker 'xanonymoux' and offered to delete files on Akira's servers or provide access to the actor's server.
In communication several weeks before the hack-back offer, Akira said they did not exfiltrate any data and their attack only encrypted the breached systems.
Arctic Wolf reports that the initial communication over an instant messaging program contained ten common phrases and the same method was used for providing proof of access to the stolen data.
This suggests that the same individual was behind both attempts.
Ransomware attacks present a complex web of challenges for victims, extending far beyond the immediate crisis of encrypted and stolen data, having an enduring effect.
These scamming attempts highlight yet another aspect of the multi-layered problem and constitute additional risks that can compound the financial burden for ransomware victims.
Nissan Australia cyberattack claimed by Akira ransomware gang.
MGM casino's ESXi servers allegedly encrypted in ransomware attack.
HTC Global Services confirms cyberattack after data leaked online.
Tipalti investigates claims of data stolen in ransomware attack.
Qilin ransomware claims attack on automotive giant Yanfeng.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Jan 2024 21:10:28 +0000