It’s unclear whether the fraudulent offers of help – described as a follow-on extortion campaign – are being made by the same criminals responsible for the initial ransomware attacks.
What is likely, according to Arctic Wolf Labs researchers who have tracked “several” such interactions, is that a single group is carrying out the follow-on extortion bids.
While it’s common for ransomware gangs to retarget the same victims, Arctic Wolf senior threat intelligence researchers Stefan Hostetler and Steven Campbell said they were not aware of any previous instances where a threat actor had posed as a legitimate security researcher and offered to delete data stolen by a ransomware group.
“In two cases investigated by Arctic Wolf Labs, threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data,” Hostetler and Campbell said in a post outlining the campaign.
In the first case a person claiming to be from an organization called Ethical Side Group (ESG) emailed a Royal ransomware victim in early October last year claiming to have obtained access to data the gang had exfiltrated from the victim.
A month later, an Akira victim received a similar communication from an entity calling itself xanonymoux.
“xanonymoux claimed to have compromised Akira’s server infrastructure. The threat actor offered to aid in either deleting the victim’s data or providing them with access to their server,” the researchers said.
While ESG and xanonymoux presented themselves as separate, unrelated entities, similarities between the two cases led Arctic Wolf to conclude it was likely they were linked to a common actor. Those similarities included posing as researchers, asking for payment of around 5 bitcoin (about $180,000), offering to provide proof of access to the exfiltrated data, and the use of similar phrasing in the emails sent to the victims.
One logical conclusion was that actors associated with Royal and Akira were hiding behind fake entities in an attempt to retarget the gangs’ previous victims. But the researchers said the complex dynamics of the ransomware ecosystem, where affiliates could be tied to more than one gang, made it difficult to prove that theory.
“It is challenging to make sense of the tangled web of connections woven by ransomware groups, given that ransomware-as-a-service (RaaS) affiliates tend to operate multiple encryption payloads over time, sometimes even deploying several at once,” they said.
“The best we can do as researchers is to piece together parts of the bigger picture by looking for common denominators between attacks.”
In an analysis of what is called “the cybercrime gig economy”, Microsoft’s threat intelligence team said tight relationships that previously linked initial entry vectors, tools, and ransomware payload choices associated with particular ransomware strains were now less obvious.
“The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link,” Microsoft’s researchers said.
“As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.”
Hostetler and Campbell said the similar elements identified between the cases they examined suggested a common threat actor had instigated a follow-on campaign in a bid to extort organizations that were previously victims of Royal and Akira ransomware attacks.
“However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.”