The fraudster pretended to be good: how Royal and Akira victims were double-crossed

Brother

The victims were promised full recovery of the stolen data, but it was not so easy.

Victims of the Royal and Akira ransomware were attacked by a fraudster posing as a cybersecurity researcher. The attacker promised to hack the servers of the original attackers and delete the stolen data.

Royal and Akira are known to use double extortion tactics: they encrypt victims' systems after stealing confidential information, and then threaten to publish the sensitive information if a ransom is not paid.

Arctic Wolf investigated two incidents in which organizations that had been hit by the Royal and Akira ransomware, and had already paid a ransom, received an offer from a person posing as an ethical hacker. For his services, the criminal demanded a fee of up to 5 bitcoins (about $190,000 at that time).

The incidents occurred in October and November 2023. In the first case, the criminal acted on behalf of a fictional company called Ethical Side Group (ESG), mistakenly attributing the attack to the TommyLeaks hacker gang. Then he changed his story and claimed that he actually had access to the servers of the Royal group. It is worth noting that the victim had already negotiated with the Royal ransomware operators in 2022.

In the second operation, the criminal used the pseudonym xanonymoux and offered either to delete files from Akira servers or to provide access to their archives. However, a few weeks earlier, the hackers had reported that they did not steal any data and had only encrypted the victim's systems.

Analysis of the initial messages sent via messengers showed 10 phrases common to both, as well as the same manipulation tactics and the same "evidence" of data access. This was the main evidence that one person was behind both fraud attempts.

Such cases demonstrate the additional risks faced by ransomware victims. Follow-on scams like these could further add to their financial burden and extend the recovery period.

Cybercriminals are quickly adapting and looking for new ways to profit from their illegal activities. Therefore, organizations need to exercise caution and carefully vet any unexpected offers of assistance after security incidents. Otherwise, they risk falling for the tricks of scammers and losing even more money.
 