Ransomware victims already reeling from potential biz disruption and the cost of resolving the matter are now being subjected to follow-on extortion attempts by criminals posing as helpful security researchers.
Researchers at Arctic Wolf Labs publicized two cases in which casulaties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.
Victims were approached by a “security researcher” who offered post-exploitation services. In one case, the mark was told the ransomware gang’s server could be hacked and their stolen data could be deleted.
Another victim was told the “researcher,” who used different monikers in each attempt, gained access to the servers used to store victims’ stolen data, offering the chance to either delete it or grant the victim access to the server themselves.
In return, the hacked customers were asked for a fee of approximately 5 Bitcoin ($225,823 at today’s exchange rate).
“As far as Arctic Wolf Labs is aware, this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group,” Stefan Hostetler and Steven Campbell, both senior threat intelligence researchers at Arctic Wolf, blogged.
“While the personalities involved in these secondary extortion attempts were presented as separate entities, we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actor.”
Despite using different aliases in each extortion attempt, there were a number of similarities found between the communications with the victims to indicate a common individual was behind both:
- Claimed to be a security researcher
- Claimed to have access to stolen data via ransomware gangs’ servers
- Communicated via anonymous messenger Tox
- Offered to provide proof of access to exfiltrated data
- Use of file.io to provide evidence of access to victim data
- Implied the victim would be at risk of future attacks if their services weren’t accepted
- Specified amount of data previously exfiltrated
- Similar payment demand
- As many as ten overlapping phrases used in the opening email
Re-extortion attempts aren’t new to the industry: they’ve always been conducted by the same ransomware groups, using their own previously used backdoors, rather than a third party. Conti and Karakurt are both believed to have carried out such attacks, for example.
Conti was also involved in a number of cases involving ransomware victims being targeted by multiple gangs simultaneously. In 2022, a Canadian healthcare org was hit by Conti and Karma at the same time after exploiting ProxyShell.
During the same year, Conti was again caught double-teaming a target – the Costa Rican government – alongside rival group Hive.
LockBit, Hive, and AlphV also attacked an unnamed automotive supplier in May 2022. UK security shop Sophos was called in to clean up the mess, only to find all three used the same entry point (management server) via a shared RDP session.
Speaking to The Register, Adrian Korn, senior manager, threat intelligence research at Arctic Wolf Labs, said the two cases seen by researchers appear to be the only ones attempted at present, and neither resulted in a payment made to the cybercriminal behind them.
Without identifying the victims explicitly, Korn revealed they were both US-based SMBs in the finance and construction sectors.
“It is unclear why these victims were targeted, but the ransom demands were low enough to suggest the threat actor may have been acting individually rather than as part of a group.”
What’s also unclear is why victims of Royal and Akira ransomware were targeted. With a small number of confirmed cases, the researchers haven’t been able to conclusively determine the in-depth methodology.
Korn did, however, allude to a suspicion that the individual or individuals behind the extortion attempts may have had access to the resources used by both ransomware gangs.
An analysis of the conversations held between the extortionist and rtheir prey showed the criminal had accurate knowledge of the amount of data exfiltrated from them, file listings, and in one case the ransom sum that was paid.
“Sometimes threat actors break off from larger groups and act independently, desperate to make a quick buck,” said Korn. “While we are still piecing together what happened here, these follow-on extortion attempts seem to fit that narrative, given the low ransom demands.”
If the same criminal was behind both follow-on extortion attempts, they used a different moniker in each case. In one, they referred to themselves as Ethical Side Group (ESG) and xanonymoux in another.
Neither alias has an established presence on the cybercrime scene or is known to threat intelligence experts for prior incidents – the identities are simply thought to be throwaways.
Researchers are still working to understand many parts of both incidents, including whether the ransomware gangs sanctioned the follow-up extortion attempts or if it was a separate individual or group acting alone. ®