Ransomware victims already reeling from potential business disruption and the cost of resolving the incident are now being subjected to follow-on extortion attempts by criminals posing as helpful security researchers.
Researchers at Arctic Wolf Labs publicized two cases in which casualties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.
In one case, the mark was told the ransomware gang's server could be hacked and their stolen data could be deleted.
Re-extortion attempts aren't new to the industry, but they have always been conducted by the original ransomware group, using the backdoors it left behind, rather than by a third party.
Conti and Karakurt are both believed to have carried out such attacks, for example.
Conti was also involved in a number of cases involving ransomware victims being targeted by multiple gangs simultaneously.
In 2022, a Canadian healthcare org was hit by Conti and Karma at the same time, both of which gained access by exploiting ProxyShell.
During the same year, Conti was again caught double-teaming a target - the Costa Rican government - alongside rival group Hive.
LockBit, Hive, and AlphV also attacked an unnamed automotive supplier in May 2022.
UK security shop Sophos was called in to clean up the mess, only to find all three used the same entry point via a shared RDP session.
Speaking to The Register, Adrian Korn, senior manager, threat intelligence research at Arctic Wolf Labs, said the two cases seen by researchers appear to be the only ones attempted at present, and neither resulted in a payment made to the cybercriminal behind them.
Without identifying the victims explicitly, Korn revealed they were both US-based SMBs in the finance and construction sectors.
What's also unclear is why victims of Royal and Akira ransomware were targeted.
With a small number of confirmed cases, the researchers haven't been able to conclusively determine the in-depth methodology.
Korn did allude to a suspicion that the individual or individuals behind the extortion attempts may have had access to the resources used by both ransomware gangs.
An analysis of the conversations held between the extortionist and their prey showed the criminal had accurate knowledge of the amount of data exfiltrated from them, file listings, and in one case the ransom sum that was paid.
If the same criminal was behind both follow-on extortion attempts, they used a different moniker in each case.
In one they referred to themselves as Ethical Side Group, and in the other as xanonymoux.
Neither alias has an established presence on the cybercrime scene or is known to threat intelligence experts for prior incidents - the identities are simply thought to be throwaways.
Researchers are still working to understand many parts of both incidents, including whether the ransomware gangs sanctioned the follow-up extortion attempts or if it was a separate individual or group acting alone.
This Cyber News was published on go.theregister.com. Publication date: Wed, 10 Jan 2024 17:58:06 +0000