A new danger for victims of cybercrime: fake information security specialists offer to "solve the problem" with ransomware

Brother

Victims of the Royal and Akira ransomware groups were subjected to follow-on extortion attempts by a self-styled "benevolent security researcher."

The Arctic Wolf Labs team has discovered a new fraud scheme targeting ransomware victims. According to Arctic Wolf, organizations hit by the Royal and Akira groups were approached by third parties posing as "benevolent security researchers." The attackers offered, for a fee, to delete the data that had been stolen.

Each victim was contacted by a person posing as a security researcher. One victim was offered a service in which the "researcher" would hack into the ransomware group's server and delete the stolen data. To another victim, the attacker offered access to the servers where the stolen data was stored, with the option of deleting it or of giving the victim direct access to the server. For these services, the scammers demanded a payment of about 5 BTC ($225,823 at today's exchange rate).

Arctic Wolf noted that this is the first recorded case in which an attacker posing as a security researcher offered to delete data stolen by another ransomware group. Previously, similar follow-on extortion attempts were carried out by the same ransomware groups that had stolen the victim's data.

Despite the use of a different alias for each extortion attempt, a number of similarities were found in the communications with the victims, which indicates that the same person is behind the fraud:
  • Poses as a security researcher;
  • Claims to have access to the stolen data via the ransomware groups' servers;
  • Communicates through the anonymous Tox messenger;
  • Offers to provide proof of access to the stolen data;
  • Uses the file-sharing service file.io to demonstrate access to the victim's data;
  • Hints at the risk of future attacks if the victim refuses the services;
  • States the volume of stolen data;
  • Demands a similar ransom amount in each case;
  • Reuses up to 10 identical phrases in the introductory emails.

So far, only 2 cases of such extortion attempts have been observed, and neither of them succeeded. The victims were 2 US companies, one from the financial sector and one from construction.

It is not yet clear why victims of Royal and Akira specifically were targeted in these attacks. Experts suggest that a lone cybercriminal, or a group with access to the resources of both ransomware operations, could be behind the extortion attempts. Researchers continue to study all aspects of the detected incidents, including whether the ransomware groups themselves may have sanctioned these follow-on actions.