FollowOn Extortion Campaign Targeting Victims of Akira and Royal Ransomware Arctic Wolf
pThe cybersecurity industry has an effectiveness problem Despite new technologies emerging every year highprofile breaches continue to occur To prevent these attacks the industry needs to adopt a new approach by focusing on security operations Thats where Arctic Wolf can help
ppBuilt on an open XDR architecture the Arctic Wolf Platform combines with our Concierge Delivery Model to work as an extension of your team proactively protect your environment and strengthen your security posture
pp
Security Expertise Delivered
pp
Our Arctic Wolf Security Teams ensure we have a complete understanding of your unique IT environment right from the start
ppLearn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry
ppWe envision a future without cyber risk Every organization should be so effective at security operations that both the likelihood and impact of a cyber attack is minimized to the point where risk is essentially zero
ppArctic Wolf Labs is aware of several instances of ransomware cases where the victim organizations were contacted after the original compromise for additional extortion attempts In two cases investigated by Arctic Wolf Labs threat actors spun a narrative of trying to help victim organizations offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated datappAs far as Arctic Wolf Labs is aware this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group While the personalities involved in these secondary extortion attempts were presented as separate entities we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actorppIn early October 2023 an entity describing themselves as Ethical Side Group ESG contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by Royal Notably in prior negotiations in 2022 Royal claimed to have deleted the datappInterestingly in their initial communications ESG had falsely attributed the original compromise to the TommyLeaks ransomware group instead of Royal ransomwareppESG ultimately offered to hack into Royal ransomwares server infrastructure and permanently delete the targeted organizations data for a feeppIn early November 2023 an entity describing themselves as xanonymoux contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by Akira Notably when Akira was contacted a few weeks before xanonymouxs email the group claimed not to have exfiltrated any data and that they had only encrypted systemsppxanonymoux claimed to have compromised Akiras server infrastructure The threat actor offered to aide in either deleting the victims data or providing them with access to their server Additionally xanonymoux claimed that Akira was associated with Karakurt a criminal group known for data exfiltration and extortionppAs described in these cases similar elements were observed between both campaigns despite presenting as separate entities and relating to different named ransomware groups Stylistic analysis of the communications between both organizations identified clear similarities between the two casespp ppThe elements of the campaigns described here are unique in their low ransom demands posing as a legitimate security researcher as a pretext and offers to delete data to avoid potential future attacks However followon extortion as a concept is not new to attacks associated with Conti and Karakurt In 2021 we published research revealing Karakurt reextortion attempts for victims that had previously been targeted in ransomware attacks by Conti Additionally our past research has also identified connections between Conti and Akira Royal emerged on the ransomware scene in 2022 and connections have been noted by other researchers such as Will Bushido between Royal and ContippIt is challenging to make sense of the tangled web of connections woven by ransomware groups given that ransomwareasaservice RaaS affiliates tend to operate multiple encryption payloads over time sometimes even deploying several at once The best we can do as researchers is to piece together parts of the bigger picture by looking for common denominators between attacksppBased on the common elements identified between the cases documented here we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with followon efforts However it is still unclear whether the followon extortion cases were sanctioned by the initial ransomware groups or whether the threat actor acted alone to garner additional funds from the victim organizationsppThis research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data even after paymentppIf your organization has a presence in the US and youve been affected by any of these types of attacks please contact your nearest FBI field officepp ppStefan is a Senior Threat Intelligence Researcher at Arctic Wolf With over a decade of industry experience under his belt he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectivelyppSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research He has a strong background in infrastructure analysis and adversary tradecraftpp ppArctic Wolf Labs is a group of elite security researchers data scientists and security development engineers who explore security topics to deliver cuttingedge threat research on new and emerging adversaries develop and refine advanced threat detection models with artificial intelligence including machine learning and drive continuous improvement in the speed scale and detection efficacy of Arctic Wolfs solution offerings With their deep domain knowledge Arctic Wolf Labs brings worldclass security innovations to not only Arctic Wolfs customer base but the security community at largeppLearn whats new whats changed and whats ahead for the cybersecurity threat landscape with the Arctic Wolf Labs 2024 Predictions ReportppppGLOBAL HEADQUARTERSppppSolutionsppCompanyppPartnersppResourcesp
ppBuilt on an open XDR architecture the Arctic Wolf Platform combines with our Concierge Delivery Model to work as an extension of your team proactively protect your environment and strengthen your security posture
pp
Security Expertise Delivered
pp
Our Arctic Wolf Security Teams ensure we have a complete understanding of your unique IT environment right from the start
ppLearn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry
ppWe envision a future without cyber risk Every organization should be so effective at security operations that both the likelihood and impact of a cyber attack is minimized to the point where risk is essentially zero
ppArctic Wolf Labs is aware of several instances of ransomware cases where the victim organizations were contacted after the original compromise for additional extortion attempts In two cases investigated by Arctic Wolf Labs threat actors spun a narrative of trying to help victim organizations offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated datappAs far as Arctic Wolf Labs is aware this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group While the personalities involved in these secondary extortion attempts were presented as separate entities we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actorppIn early October 2023 an entity describing themselves as Ethical Side Group ESG contacted a Royal ransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by Royal Notably in prior negotiations in 2022 Royal claimed to have deleted the datappInterestingly in their initial communications ESG had falsely attributed the original compromise to the TommyLeaks ransomware group instead of Royal ransomwareppESG ultimately offered to hack into Royal ransomwares server infrastructure and permanently delete the targeted organizations data for a feeppIn early November 2023 an entity describing themselves as xanonymoux contacted an Akira ransomware encryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by Akira Notably when Akira was contacted a few weeks before xanonymouxs email the group claimed not to have exfiltrated any data and that they had only encrypted systemsppxanonymoux claimed to have compromised Akiras server infrastructure The threat actor offered to aide in either deleting the victims data or providing them with access to their server Additionally xanonymoux claimed that Akira was associated with Karakurt a criminal group known for data exfiltration and extortionppAs described in these cases similar elements were observed between both campaigns despite presenting as separate entities and relating to different named ransomware groups Stylistic analysis of the communications between both organizations identified clear similarities between the two casespp ppThe elements of the campaigns described here are unique in their low ransom demands posing as a legitimate security researcher as a pretext and offers to delete data to avoid potential future attacks However followon extortion as a concept is not new to attacks associated with Conti and Karakurt In 2021 we published research revealing Karakurt reextortion attempts for victims that had previously been targeted in ransomware attacks by Conti Additionally our past research has also identified connections between Conti and Akira Royal emerged on the ransomware scene in 2022 and connections have been noted by other researchers such as Will Bushido between Royal and ContippIt is challenging to make sense of the tangled web of connections woven by ransomware groups given that ransomwareasaservice RaaS affiliates tend to operate multiple encryption payloads over time sometimes even deploying several at once The best we can do as researchers is to piece together parts of the bigger picture by looking for common denominators between attacksppBased on the common elements identified between the cases documented here we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with followon efforts However it is still unclear whether the followon extortion cases were sanctioned by the initial ransomware groups or whether the threat actor acted alone to garner additional funds from the victim organizationsppThis research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data even after paymentppIf your organization has a presence in the US and youve been affected by any of these types of attacks please contact your nearest FBI field officepp ppStefan is a Senior Threat Intelligence Researcher at Arctic Wolf With over a decade of industry experience under his belt he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectivelyppSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research He has a strong background in infrastructure analysis and adversary tradecraftpp ppArctic Wolf Labs is a group of elite security researchers data scientists and security development engineers who explore security topics to deliver cuttingedge threat research on new and emerging adversaries develop and refine advanced threat detection models with artificial intelligence including machine learning and drive continuous improvement in the speed scale and detection efficacy of Arctic Wolfs solution offerings With their deep domain knowledge Arctic Wolf Labs brings worldclass security innovations to not only Arctic Wolfs customer base but the security community at largeppLearn whats new whats changed and whats ahead for the cybersecurity threat landscape with the Arctic Wolf Labs 2024 Predictions ReportppppGLOBAL HEADQUARTERSppppSolutionsppCompanyppPartnersppResourcesp
