Priya PatelThe Register has reported that victims of ransomware attacks are now being targeted in follow-on extortion attempts by criminals posing as helpful security researchers. Researchers at Arctic Wolf Labs identified two cases in which victims of the Royal and Akira ransomware gangs were approached by a “security researcher” offering post-exploitation services. The victims were offered the chance to have their stolen data deleted or gain access to the server storing their data, in exchange for a fee in Bitcoin. The researchers believe that the same individual or group is behind both cases, posing as separate entities. This is the first known instance of a threat actor posing as a security researcher to offer help in deleting hacked data. The researchers have identified a number of similarities between the extortion attempts, suggesting a common individual is behind both.
Re-extortion attempts are not new to the industry, but they have traditionally been conducted by the same ransomware groups using their own backdoors. It is unclear why victims of the Royal and Akira ransomware gangs were targeted in these follow-on extortion attempts, and whether the attacks were sanctioned by the ransomware groups or carried out by a separate individual or group. The researchers have suggested that the threat actor may have had access to the resources used by the ransomware gangs, as they had accurate knowledge of the amount of data exfiltrated, file listings, and ransom sums paid.
The two cases seen by Arctic Wolf Labs were both targeted at US-based SMBs in the finance and construction sectors. The researchers suggest that the low ransom demands indicate that the threat actor may have been acting individually rather than as part of a group, seeking to make a quick profit. The researchers are continuing to investigate the incidents, including the identities of the threat actor and their relationship with the ransomware gangs.
