Warning: A fake ‘security researcher’ is trying to trick ransomware victims

Beware of so-called security researchers emailing firms that have been victimized by ransomware and claiming to be able to recover their stolen data.

That’s the warning from researchers at Arctic Wolf, who have found at least two examples of what are being described as follow-on extortion attacks.

The fake researcher offers to hack into the server infrastructure of the original ransomware group to either recover or delete exfiltrated data. This is a scam whose goal is to get the victim organization to pay bitcoin for supposed assistance.

The report details two cases researchers investigated:

— in early October 2023, an entity describing themselves as “Ethical Side Group (ESG)” contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by the crooks. Royal had told the victim firm it had deleted the stolen data.

“ESG” offered to hack into the ransomware gang’s server infrastructure and permanently delete the organization’s stolen data for a fee.

— in early November 2023, an entity describing themselves as “xanonymoux” contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by the crooks. This despite the fact that Akira claimed it didn’t exfiltrate any data and had only encrypted the victim’s IT systems.

“Xanonymoux” claimed to have compromised Akira’s server infrastructure and offered to help either in deleting the victim’s allegedly stolen data or providing the victim firm with access to Akira’s server.

“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts,” say the researchers. “However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.

“This research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data, even after payment.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs