Ransom Attackers Impersonate Security Researchers

Ransom attackers have a new exploit - they pretend to be legitimate security researchers who promise to hack into the infrastructure of original ransomware gang to delete an organisation’s stolen data for a fee. 

 Arctic Wolf Labs has reported that victim organisations were contacted by the perpetrators after suffering security breaches in the firs reported  instance of malicious actors impersonating researchers, when they were likely the original hacker.

Arctic Wolf is aware of several instances of ransomware cases where the victim organisations were contacted after the original compromise for additional extortion attempts. “In two cases investigated by Arctic Wolf Labs, threat actors spun a narrative of trying to help victim organisations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data,” says the Arctic Wolf security bulletin. 

Ransomware is a type of malware which prevents you from accessing your devices and the data stored on it, usually by encrypting your files and then a cyber criminal will demand a ransom in exchange for decryption. The hackers may also threaten to leak the data they have stolen. The instructions for payment are displayed and are demanded in bitcoins. After the payment is made, decryption key is sent to the victim.

The first case was first identified in October 2023 and targeted victims of Royal ransomware attackers, who were contacted by an entity called the Ethical Side Group (ESG) claiming that they had gained access to the victim’s stolen data. 

The ESG offered to hack Royal ransomware and delete the previously stolen data for a fee, despite claims that Royal ransomware had previously deleted the data.

The second known instance was  similar, in which a separate entity called 'xanonymoux' contacted a victim of the Akira ransomware encryption attack, claiming they had access to a separate server that hosted the victim’s exfiltrated data and could delete the victim’s data or give the victim access to their server. This was despite the fact that Akira claimed to have only encrypted systems and did not claim to have exfiltrated the victim’s data.

These two cases share similarities, including communication via the Tox messaging platform, posing as a security researcher, claiming access to server infrastructure, offering to prove access to stolen data, specifying the amount of stolen data, and demanding a fee of five Bitcoins ($200,000).

Arctic Wolf's Report highlights the serious risks of relying on criminal extortion enterprises to delete exfiltrated data, even after the payment has been made. 

It is still not known whether the exploit was conducted by the original ransomware groups.

Arctic Wolf:    Arctic Wolf:     Cybernews:     I-HLS:    HelpNetSecurity:      BankInfoSecrutity:     NCA

CyberSecurityNews:     Sanjay Fuloria:      DataBreaches:

Image:  Sammy Sander

You Might Also Read: 

Winning The Battle Against Ransomware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Cyber Incidents Are The Biggest Risk To Business
Anonymous Sudan Attack London Internet Facility »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Ilex International

Ilex International

Ilex International is a European software vendor which specialises in Identity & Access Management solutions.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

Norwegian Business & Industry Security Council (NSR)

Norwegian Business & Industry Security Council (NSR)

NSR is a member organization serving the Norwegian business sector in an advisory capacity on matters relating to crime and security including cyber.

Arete

Arete

Arete is a global cyber risk company whose mission is to transform the way organizations prepare for, respond to, and prevent cybercrime.

Maticmind

Maticmind

Maticmind is an ICT System Integrator providing solutions and specialized skills in Networking, Security, Unified Communications & Collaboration, Datacenter & Cloud and Application.

Tesorion

Tesorion

Tesorion is a fusion of different enterprises each with its own specialisation in the field of cybersecurity. We have combined these specialisations to create an integrated comprehensive solution.

Concordium

Concordium

Concordium aims to build the world’s leading open-source, permissionless, and decentralized blockchain with built-in user identity at the protocol level.

Gytpol

Gytpol

Gytpol is a leader in Endpoint Configuration Security (ECS) solutions, providing validation, remediation & securing of IT Policies and IT Infrastructure on-premise and in the cloud.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

Cyphere

Cyphere

Cyphere is a cyber security company that helps to secure most prized assets of a business. We provide technical risk assessment (pen testing/ethical hacking) and managed security services.

Contechnet Deutschland

Contechnet Deutschland

Contechnet Deutschland started as a specialist in the area of IT disaster recovery and has since broadened its portfolio into information security and data protection.

SubCom

SubCom

How Much Do You Trust Your Endpoint? With our ‘Habituation Neural Fabric’ based endpoint security platform, you can observe and manage the Trust Score of your endpoints in real-time.

Aembit

Aembit

Aembit is the Identity Platform that lets DevOps and Security manage, enforce, and audit access between federated workloads

Cypago

Cypago

Cypago provides a powerful yet easy-to-use Compliance Orchestration Platform to automate the compliance process end-to-end.

Secuvy

Secuvy

Secuvy leads in data security, privacy, compliance, and governance, offering a unified platform for proactive data discovery, management, protection, and enhanced data value.

PayPal Ventures

PayPal Ventures

PayPal Ventures invests in companies at the forefront of innovation in fintech, payments, commerce enablement, artificial intelligence, blockchain and cryptocurrency, regulatory and cyber technology.