Ransomware victims lured by false offers to counter-hack attackers

Threat actors are posing as helpful cyber security researchers, promising known victims of ransomware attacks that, for a hefty fee, they will hack the offending hackers back and delete any stolen data.

An investigation by cyber security firm Arctic Wolf has reportedly uncovered several instances in which victims of ransomware attacks claimed by the Akira and Royal ransomware groups that paid a ransom were contacted for additional attempts at extortion.

On top of this, the company observed two cases where the threat actors reaching out to the victims claimed to be ethical hackers or cyber security researchers, offering to hack the two ransomware giants back and secure and delete the stolen data.

The “ethical hacker” generously offered their services for a mere five bitcoins (roughly $340,000 at the time of writing.)

============

The two instances were observed in October and November of last year, with the first reaching out to a victim claiming to be from “Ethical Side Group” (ESG).

The threat actor, in this instance, originally said it had access to the data of the TommyLeaks gang, before correcting itself after realising they were talking to a victim of Royal ransomware.

“Notably, in prior negotiations in 2022, Royal claimed to have deleted the data,” said Arctic Wolf.

In the second case, just a month later, a victim of the Akira ransomware gang was contacted by a user going by the name “xanonymoux”, who said it had compromised the ransomware group’s server infrastructure and offered to either assist the victim in deleting the data or granting them access.

It also claimed that Akira was associated with the Karakurt criminal group, known for data exfiltration and theft.

VIEW ALL

“Notably, when Akira was contacted a few weeks before xanonymoux’s email, the group claimed not to have exfiltrated any data and that they had only encrypted systems,” added Arctic Wolf.

As Arctic Wolf points out, these cases bear several similarities despite claiming to be different entities and having knowledge of different organisations.

Similarities include:

Presented as a security researcher.
Claimed to access server infrastructure hosting data from past compromise.
Communicated via Tox.
Offered to provide proof of access to exfiltrated data.
Insinuated risk of future attacks if security issues are not addressed.
Specified amount of data previously exfiltrated.
Minimal payment demand (<= 5BTC).
Ten overlapping phrases used in initial email.
Use of file.io to provide evidence of access to victim data.

Follow-on attacks aren’t new, and victims of ransomware attacks who meet the demands of attackers paint a target on themselves that notifies threat actors that there is money to be made. Arctic Wolf said these follow-on attacks have been observed with cases connected with the Karakurt and Conti crime groups.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

Ransomware victims lured by false offers to counter-hack attackers

Daniel Croft

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED