Warning: A fake ‘security researcher’ is trying to trick ransomware victims

Beware of so-called security researchers emailing firms that have been victimized by ransomware and claiming to be able to recover their stolen data.

That’s the warning from researchers at Arctic Wolf, who have found at least two examples of what are being described as follow-on extortion attacks.

The fake researcher offers to hack into the server infrastructure of the original ransomware group to either recover or delete exfiltrated data. This is a scam whose goal is to get the victim organization to pay bitcoin for supposed assistance.

The report details two cases researchers investigated:

— in early October 2023, an entity describing themselves as “Ethical Side Group (ESG)” contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by the crooks. Royal had told the victim firm it had deleted the stolen data.

“ESG” offered to hack into the ransomware gang’s server infrastructure and permanently delete the organization’s stolen data for a fee.

— in early November 2023, an entity describing themselves as “xanonymoux” contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by the crooks. This despite the fact that Akira claimed it didn’t exfiltrate any data and had only encrypted the victim’s IT systems.

“Xanonymoux” claimed to have compromised Akira’s server infrastructure and offered to help either in deleting the victim’s allegedly stolen data or providing the victim firm with access to Akira’s server.

“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts,” say the researchers. “However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.

“This research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data, even after payment.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.