Victims of the Akira and Royal ransomware are facing additional extortion attempts. The methods used in this “follow-on extortion campaign” are unusual.
That is the finding of researchers at Arctic Wolf. In the new extortion attempts, the victims were ostensibly offered help. “This is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group,” Arctic Wolf said.
Akira and Royal
The security researchers identified two separate instances of the follow-on extortion tactic. In the first, in early November, an Akira victim was contacted by a party calling itself xanonymoux. This malicious party claimed to have access to a server on which Akira hosted exfiltrated data. Notably, several weeks before the email from xanonymoux, Akira itself had claimed not to have exfiltrated the victim’s data; Akira allegedly only encrypted systems.
Xanonymoux offered the victim two options: delete the victim’s data or give the victim access to the server. In addition, xanonymoux claimed that Akira is linked to Karakurt, the group that practices data exfiltration and extortion.
With the Royal victim, things went a little differently. In early October, the victim received an email from Ethical Side Group (ESG), which claimed to have access to data exfiltrated by Royal. In its original negotiations with the victim, Royal had claimed to have deleted the data. In its email communication, ESG even claimed that the original hack came from the TommyLeaks group rather than Royal. Eventually, ESG offered to hack Royal’s server infrastructure and remove the victim’s data.
It is not known exactly who is behind the new attacks.