Ransomware victims are being targeted by scammers looking to cheat them out of even more of their hard-earned money, new research shows.
A report from Arctic Wolf, which observed at least two such incidents where an individual claiming to be an ethical hacker contacted ransomware victims and offered to break into the ransomware operators’ infrastructure and permanently restore the stolen databases to delete.
In one such case, the hacker asked for approximately $190,000 worth of cryptocurrency (up to five bitcoin). Although the victims were contacted by people using different aliases, investigators believe both attempts were the same person.
Too many coincidences
In one case, the company fell prey to Royal ransomware, while in the other, Akira. Initially, the fraudster presented itself as “Ethical Side Group” and offered to return the data of the “TommyLeaks” gang, instead of the actual hackers – Royal. Furthermore, the fraudster did not seem to know that negotiations between the victim and Royal had already been completed in 2022.
In the second incident, a fraudster using an alias “xanonymoux” contacted a victim company and offered to delete the data from Akira’s servers, when in reality Akira had never stolen the data, but only on Akira’s endpoints the victim had coded.
Finally, Arctic Wolf noticed that ten common expressions were used in both cases during the initial communication. Both scammers used the same method to prove they had access to the stolen data. All this led them to believe that this was in fact the same person.
When a ransomware operator targets a network, they usually not only encrypt the data, but steal it and threaten to release it to the dark web unless a payment is made. In fact, the data theft part is arguably more disruptive than the encryption part, as companies have become better at restoring their systems from backups. However, a data breach can cause irreparable damage.