The Royal and Akira ransomware groups have actively targeted specific organizations.
Some of the organizations they compromised later fell victim to a threat actor posing as a security researcher. This individual falsely pledged to retaliate against the initial attackers by erasing the stolen victim data.
Both the Royal and Akira ransomware operations employ the double extortion strategy. They encrypt victim systems after extracting information and threaten to leak the data unless a ransom is paid.
Arctic Wolf reports that it investigated “several cases” in which victims of these ransomware groups, who had already paid a ransom, encountered an imposter claiming to be an ethical hacker or security researcher. This fake researcher asserted a deep understanding of the field, offered to provide evidence of access to the stolen data on the attacker’s servers, and proposed to delete the data for a fee of up to five Bitcoins (approximately $190,000 at the time).
Arctic Wolf’s report cites two instances from October and November 2023. In these situations, the threat actor contacted organizations compromised by Royal and Akira ransomware.
In the first case, the scammer assumed the identity of the ‘Ethical Side Group’ (ESG). Initially, they misattributed the attack to the ‘TommyLeaks’ gang. Later on, they shifted the narrative to claim access to Royal’s server. Notably, this victim had engaged in negotiations with the ransomware actor a year prior, in 2022.
In the second incident, the imposter went by the alias ‘xanonymoux.’ They offered to delete files on Akira’s servers or provide access to the actor’s server. However, weeks before the hack-back offer, Akira had stated that they had not exfiltrated any data and that their attack had solely encrypted the breached systems. Arctic Wolf also reports that the initial communications, sent through an instant messaging program, featured ten common phrases, indicating that the same individual was behind both attempts.
Ransomware attacks present victims with a multifaceted challenge that extends beyond the immediate crisis of encrypted and stolen data and has enduring effects. These fraudulent attempts underscore another layer of that problem: they add risks that can compound the financial burden for ransomware victims.