Warning: A fake ‘security researcher’ is trying to trick ransomware victims

Share post:

Beware of so-called security researchers emailing firms that have been victimized by ransomware and claiming to be able to recover their stolen data.

That’s the warning from researchers at Arctic Wolf, who have found at least two examples of what are being described as follow-on extortion attacks.

The fake researcher offers to hack into the server infrastructure of the original ransomware group to either recover or delete exfiltrated data. This is a scam whose goal is to get the victim organization to pay bitcoin for supposed assistance.

The report details two cases researchers investigated:

— in early October 2023, an entity describing themselves as “Ethical Side Group (ESG)” contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by the crooks. Royal had told the victim firm it had deleted the stolen data.

“ESG” offered to hack into the ransomware gang’s server infrastructure and permanently delete the organization’s stolen data for a fee.

— in early November 2023, an entity describing themselves as “xanonymoux” contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by the crooks. This despite the fact that Akira claimed it didn’t exfiltrate any data and had only encrypted the victim’s IT systems.

“Xanonymoux” claimed to have compromised Akira’s server infrastructure and offered to help either in deleting the victim’s allegedly stolen data or providing the victim firm with access to Akira’s server.

“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts,” say the researchers. “However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.

“This research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data, even after payment.”

The post Warning: A fake ‘security researcher’ is trying to trick ransomware victims first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways