Scammers pose as researchers to retarget ransomware victims


Threat actors posing as cybersecurity researchers are approaching victims of the Royal and Akira ransomware gangs, offering to delete the files the groups have stolen, for a price.

It is unclear whether the fraudulent offers of help, which Arctic Wolf describes as an extortion campaign in their own right, are being made by the same criminals responsible for the original ransomware attacks.

What is likely, according to Arctic Wolf Labs researchers who have tracked “several” such interactions, is that a single group is carrying out the ensuing extortion operations.

Although it is common for ransomware gangs to retarget the same victims, Stefan Hostetler and Steven Campbell, senior threat intelligence researchers at Arctic Wolf, said they were not aware of any previous case in which a threat actor posed as a legitimate security researcher and offered to delete data stolen by a ransomware group.

“In two cases investigated by Arctic Wolf Labs, the threat actors described trying to help victim organizations by offering to hack the server infrastructure of the ransomware groups initially involved to delete the exfiltrated data,” Hostetler and Campbell said in an article describing the campaign.

In the first case, someone purporting to represent an organization called Ethical Side Group (ESG) emailed a Royal ransomware victim in early October last year, claiming to have gained access to the data that the gang had exfiltrated from the victim.

A month later, an Akira victim received a similar communication from an entity calling itself xanonymoux.

“xanonymoux claimed to have compromised Akira’s server infrastructure. The malicious actor offered to help either by deleting the victim’s data or giving them access to their server,” the researchers said.

Although ESG and xanonymoux presented themselves as separate, unrelated entities, the similarities between the two cases led Arctic Wolf to conclude that they were likely the work of a common actor. Those similarities include posing as researchers, requesting payment of roughly 5 bitcoin (about $180,000), offering to provide proof of access to the exfiltrated data, and using similar wording in the emails sent to victims.

A logical conclusion was that actors associated with Royal and Akira were hiding behind fake entities in an attempt to retarget previous gang victims. But researchers said the complex dynamics of the ransomware ecosystem, where affiliates could be linked to multiple gangs, made proving this theory difficult.

“It’s difficult to make sense of the tangle of connections woven by ransomware groups, given that ransomware-as-a-service (RaaS) affiliates tend to exploit multiple encryption payloads over time, sometimes even deploying several at once,” they said.

“The best we can do as researchers is piece together parts of the bigger picture by looking for common denominators between attacks.”

In an analysis of what it called “the gig economy of cybercrime”, Microsoft’s threat intelligence team said the close relationships that previously linked the initial entry vectors, tools and ransomware payload choices associated with particular ransomware strains were now less obvious.

“The RaaS affiliation model, which has allowed more criminals, regardless of their technical expertise, to deploy ransomware created or managed by someone else, weakens this link,” Microsoft researchers said.

“As ransomware deployment becomes an on-demand economy, it has become more difficult to tie the know-how used in a specific attack to the developers of the ransomware payload.”

Hostetler and Campbell said the common elements identified across the cases they reviewed suggested that a single threat actor launched a follow-up campaign aimed at extorting organizations that had previously been victims of Royal and Akira ransomware attacks.

“However, it remains unclear whether subsequent extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to obtain additional funds from the victim organizations.”
