Cybercrooks play dress-up as ‘helpful’ researchers in latest ransomware ruse

January 10, 2024 at 12:07PM

Ransomware victims are facing follow-on extortion attempts from a third party posing as a security researcher. Arctic Wolf Labs highlighted cases in which victims of the Royal and Akira ransomware gangs were extorted by an individual or group demanding a fee of around 5 Bitcoin. The victims, US-based SMBs in the finance and construction sectors, did not pay the extortionist. The motives behind the attempts, and whether the ransomware gangs were involved, remain unclear.

The report describes an alarming trend: ransomware victims being hit with follow-on extortion attempts by criminals posing as security researchers. These criminals have targeted victims of the Royal and Akira ransomware gangs, offering what they framed as post-exploitation services, such as deleting the stolen data or granting the victim access to it, for a fee of approximately 5 Bitcoin. Arctic Wolf Labs' researchers identified similarities between the extortion attempts and believe they were likely carried out by the same threat actor.

Re-extortion attempts are not entirely new in the industry, but previous instances were conducted by the ransomware groups themselves, reusing their own backdoors, rather than by a third party. The report also cites cases in which multiple ransomware groups targeted the same victim simultaneously, as well as incidents involving a succession of different ransomware groups.

The victims of the follow-on extortion attempts, US-based SMBs in the finance and construction sectors, did not pay the cybercriminal behind them. The researchers suspect the threat actor had access to resources used by both ransomware gangs, because the extortionist had accurate knowledge of the exfiltrated data and of the original ransom amounts.

It is unclear why these victims were targeted or whether the ransomware gangs sanctioned the follow-up extortion attempts. The extortionist used different monikers in each case, with no established presence on the cybercrime scene, suggesting that these identities were disposable.

The researchers are still working to understand several aspects of both incidents, including whether the ransomware gangs were party to the follow-on extortion attempts or whether an individual or group was acting alone.
