Beware of so-called security researchers emailing firms that have been victimized by ransomware and claiming to be able to recover their stolen data.
That’s the warning from researchers at Arctic Wolf, who have found at least two examples of what are being described as follow-on extortion attacks.
The fake researcher offers to hack into the server infrastructure of the original ransomware group to either recover or delete exfiltrated data. This is a scam whose goal is to get the victim organization to pay bitcoin for supposed assistance.
The report details two cases researchers investigated:
— in early October 2023, an entity describing themselves as “Ethical Side Group (ESG)” contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by the crooks. Royal had told the victim firm it had deleted the stolen data.
“ESG” offered to hack into the ransomware gang’s server infrastructure and permanently delete the organization’s stolen data for a fee.
— in early November 2023, an entity describing themselves as “xanonymoux” contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by the crooks. This despite the fact that Akira claimed it didn’t exfiltrate any data and had only encrypted the victim’s IT systems.
“Xanonymoux” claimed to have compromised Akira’s server infrastructure and offered to help either in deleting the victim’s allegedly stolen data or providing the victim firm with access to Akira’s server.
“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts,” say the researchers. “However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.
“This research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data, even after payment.”