
Threat Actors Posing as Ethical Hackers

 By Nataly Vovk | Threat Intelligence Analyst
 Published on January 10th, 2024
This post was updated on January 21st, 2024

A concerning trend has emerged in the digital security landscape in recent months. Victims of the notorious Royal and Akira ransomware attacks, which have caused significant disruption since October 2023, are now facing a new threat: follow-on extortion schemes. Investigations conducted by Arctic Wolf Labs have revealed a complex web of scams targeting these already vulnerable victims.

Key Takeaways

  • Victims of Royal and Akira ransomware attacks, prevalent since October 2023, are now facing an additional threat in the form of follow-on extortion schemes
  • Arctic Wolf has uncovered a series of complex scams targeting organizations previously victimized by these ransomware attacks
  • Organizations that paid the ransom are being approached by impostors claiming to be ethical hackers who offer to delete or provide access to the stolen data

Arctic Wolf, a cybersecurity firm, has investigated numerous instances in which organizations that were hit by Royal or Akira ransomware, and that paid the ransom, were subsequently approached by an individual masquerading as an ethical hacker or a knowledgeable security researcher.


This impostor claimed the ability to access stolen data that was still retained on the attackers’ servers. They offered to provide evidence of this access and proposed to erase the data in exchange for a payment, demanding up to five Bitcoins.

In one case, the fraudster identified themselves as part of the ‘Ethical Side Group’ (ESG). They initially, and incorrectly, blamed the ‘TommyLeaks’ group for the attack, then shifted their story to claim that they had gained access to Royal’s server.

In the second case, the individual behind the scam adopted the alias ‘xanonymoux’ and proposed to either erase files from Akira’s servers or grant access to the perpetrator’s server.

Although the scammer used a different alias in each case, the methods were similar: the same stock phrases and a consistent approach to communicating with the victims. Whether these offers were genuine, and whether the scammer had any real connection to ransomware groups such as Conti, Royal, and Akira, remains uncertain.

The extortion demands were relatively low in value, but the campaigns carried distinctive elements that further complicate the picture. The common elements observed across the cases suggest that a single threat actor could be behind the attempts, exploiting the already dire situation of ransomware victims for personal gain.

These incidents highlight the increasingly complex challenges faced by victims of cybercrimes, particularly those already reeling from ransomware attacks. The additional layer of risk posed by these opportunistic follow-on extortion schemes underscores the need for heightened vigilance and robust digital security measures.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional