Akira and Royal Ransomware Victims Targeted by Double Extortion
Victims of the ransomware Royal and Akira fell prey to an imposter posing as a cybersecurity researcher. The malefactor promised to hack into the servers of the original attackers and erase the stolen data.
Royal and Akira are known for their double extortion tactic – they encrypt victims’ systems after stealing confidential information, then threaten to publish sensitive data if a ransom is not paid.
Arctic Wolf investigated two incidents where organizations victimized by Royal and Akira ransomware, having already paid the ransom, received offers from someone claiming to be an ethical hacker. For his services, the criminal demanded a fee of up to 5 bitcoins (approximately $190,000 at that time).
These incidents occurred in October and November of 2023. In the first instance, the criminal acted on behalf of the fictitious Ethical Side Group (ESG), mistakenly attributing the attack to the hacker gang TommyLeaks. He later changed his story, claiming access to the servers of the Royal group. It is noteworthy that the victim had already been in negotiations with the Royal extortionists in 2022.
In the second operation, the criminal used the alias xanonymoux and offered either to delete files from Akira’s servers or to provide access to their archives. However, a few weeks before this, the hackers had stated that they did not steal any data but only encrypted the victim’s systems.
Analysis of the initial messages in the messengers revealed the use of 10 common phrases, as well as identical manipulations and “proof” of data access. This served as the main evidence that both fraud attempts were orchestrated by the same individual.
These cases highlight the additional risks faced by victims of ransomware. Such schemes can further exacerbate their financial burden and prolong the recovery period.
Cybercriminals are quickly adapting and seeking new ways to profit from their illegal activities. Therefore, organizations need to exercise caution and thoroughly vet any unexpected offers of assistance following security incidents. Otherwise, they risk falling for the schemes of fraudsters and losing even more money.