“Security researcher” offers to delete data stolen by ransomware attackers
When organizations get hit by ransomware and pay the crooks to decrypt the encrypted data and delete the stolen data, they can never be entirely sure the criminals will do as they promised. And even if an organization gets its data decrypted, they cannot be sure the stolen data has indeed been wiped and won’t subsequently be used or sold.
Someone is trying to take advantage of that fact, by posing as a security researcher and asking victimized organizations whether they would like them to hack into the server infrastructure of the ransomware groups involved to delete the exfiltrated data.
This service comes with a “small” fee, of course.
The offer(s) to delete stolen data
Arctic Wolf security researchers have encountered the offer two times, in two separate cases that happened in October and November 2023, respectively.
In one, it was proffered by an entity calling themselves Ethical Side Group, and in the other by someone that goes by “xanonymoux”. But the researchers believe that these might be one and the same.
Aside from posing as a security researcher and delivering proof of access to exfiltrated data via the same file-sharing service (file.io), in both cases the threat actor:
- Got in touch via Tox Chat
- Insinuated that the company is at risk of future attacks if the stolen data is not deleted
- Specified the amount of data that has been exfiltrated
- Asked for less than 5 Bitcoins (currently around $220,000), and
- Used 10 overlapping phrases in the initial email
“Based on [those] common elements (…) we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts,” researchers Stefan Hostetler and Steven Campbell noted.
“However, it is still unclear whether the follow-on extortion cases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner additional funds from the victim organizations.”
In both instances, Arctic Wolf was working with the victims of the original ransomware attacks in IR-only engagements, a company spokesperson told Help Net Security.
“In both instances, file listings were provided by the threat actor but no file contents were given. The total amount of data exfiltrated was also accurately reported by the threat actor.”
In one instance, the initial ransom had been paid by the victim, and the threat actor referenced the amount that was paid out in their communications, they added.
In both cases, the follow-on extortion attempt was unsuccessful.
UPDATE (January 11, 2024, 04:10 a.m. ET):
Dissent Doe over at DataBreaches.net has laid out her own communication with “xanonymoux”, and believes Arctic Wolf researchers “are correct in thinking their two cases are the same threat actor.”