
Multiple extortion attempts were conducted by threat actors who posed as legitimate security researchers and promised to hack into the infrastructure of original ransomware gangs to delete stolen data for a fee.

Arctic Wolf Labs reports that victim organizations were contacted via the Tox messaging service after suffering security breaches, in what is currently believed to be a series of follow-on extortion attempts.

According to Cybernews, in two cases the threat actors pretended to help victim organizations by offering to hack into the server infrastructure of the original ransomware groups involved and delete the exfiltrated data. Arctic Wolf Labs claims that this is the first reported instance of malicious actors impersonating security researchers. They further speculate that both extortion attempts were likely perpetrated by the same threat actor.

The first case was identified in October 2023 and targeted victims of the Royal ransomware attacks, who were contacted by an entity called the Ethical Side Group (ESG) claiming that they had gained access to the victim’s stolen data. They then offered to hack Royal ransomware and delete the previously stolen data for a fee – despite claims that Royal ransomware had previously deleted the data.

Arctic Wolf Labs notes that in their initial communications, ESG had falsely attributed the original compromise to the TommyLeaks ransomware group instead of Royal ransomware.

The second instance followed a similar pattern: a separate entity called xanonymoux contacted a victim of an Akira ransomware encryption attack, claiming to have access to a separate server hosting the victim’s exfiltrated data and offering either to delete that data or to give the victim access to the server. This was despite the fact that Akira had claimed only to have encrypted systems and had not claimed to have exfiltrated the victim’s data.

These two cases share many similarities, which include: communication via Tox, posing as a security researcher, claiming access to server infrastructure, offering to prove access to stolen data, specifying the amount of stolen data, and demanding a small fee of five Bitcoins.

It is still not known whether the extortion was conducted by the original ransomware groups themselves.