Crooks Pose as Researchers to Retarget Ransomware Victims

Victims of Royal and Akira ransomware are being targeted by actors masquerading as cybersecurity researchers who offer to delete the files stolen by the two ransomware gangs. According to Arctic Wolf Labs, which has tracked several interactions, these actors contact victims and state that they will hack into the server infrastructure of the original ransomware groups to delete the exfiltrated data. Arctic Wolf Labs observed two such cases. One took place in October last year, when a person claiming to be from the Ethical Side Group emailed a Royal ransomware victim, claiming to have access to the data the gang had stolen from the victim. The other took place a month later, when a similar message was sent to an Akira victim by an individual who goes by the name ‘xanonymoux.’ In both cases, victims were asked for around 5 bitcoin to retrieve and delete the stolen data. Based on these details and the shared tactic of masquerading as security researchers, Arctic Wolf Labs suspects the two cases are linked to a common actor.

Security Officer Comments:
In the past, we have observed threat actors deploy two or more ransomware strains to get victims to pay a ransom twice. Although it’s unclear if Akira and Royal are employing follow-up extortion schemes or if a different actor is acting on their own, the latest tactic employed is novel in the sense that the cybercriminals are posing as security researchers to launder funds from ransomware victims.