Beginning in October 2023, victims of Royal and Akira ransomware attacks became the target of follow-up extortion attempts. After the first round of blackmail, alleged helpers came forward who, for a large fee, would ensure that the exfiltrated data was permanently deleted.
The Arctic Wolf Labs research team has investigated several cases, starting in October 2023, in which victims of Royal and Akira ransomware attacks were subjected to follow-up extortion attempts. In two of the cases examined, the threat actors claimed to be offering support to the victim organizations: they offered to hack into the server infrastructure of the original ransomware groups in order to delete the exfiltrated data.
Double blackmail – double damage
To our knowledge, this is the first published case of a threat actor posing as a legitimate security researcher and offering to delete data stolen by another ransomware group. Although the individuals behind the second extortion attempt presented themselves as different actors, Arctic Wolf Labs suspects, based on the similarities between the cases, that the follow-up extortion attempts were likely carried out by the same threat actor.
In the first case, in October 2023, a group calling itself the Ethical Side Group (ESG) contacted a Royal ransomware victim via email and claimed to have gained access to the victim data originally exfiltrated by Royal. Royal itself had claimed, in earlier negotiations in 2022, that it had deleted the data.
Interestingly, in its initial communications ESG incorrectly attributed the original compromise to the ransomware group TommyLeaks rather than to Royal. ESG ultimately offered to break into Royal's server infrastructure and permanently delete the target organization's data for a fee.
Double extortion: 200,000 euros in fees
In the second case, in November 2023, a group calling itself xanonymoux contacted a victim of Akira ransomware encryption. They claimed to have gained access to a server hosting victim data exfiltrated by Akira. The earlier negotiation with Akira, a few weeks before, had concerned only the encrypted systems, never exfiltrated data.
xanonymoux claimed to have compromised Akira's server infrastructure and offered to help, for a fee, by either deleting the victim's data or giving the victim access to the Akira server. In both cases the demanded fee was at least 5 Bitcoin, which at the time of writing corresponds to around 200,000 euros.
There is no guarantee of file deletion
The concept of follow-up blackmail after an attack is not new, as the history of Conti and Karakurt shows. As early as 2021, Karakurt carried out extortion attempts against victims who had previously been hit by Conti ransomware. Research has also found connections between Conti and Akira.
Extorted companies should be aware that once a ransom is paid for exfiltrated victim data, there is no guarantee that the data will actually be deleted.
More at ArcticWolf.com
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.