Attackers impersonate security researchers in extortion attempts
Arctic Wolf Labs has investigated multiple extortion attempts conducted by threat actors who pose as legitimate security researchers, promising to hack into the infrastructure of original ransomware gangs to delete stolen data for a fee.

Victim organizations that had already suffered a breach were contacted via Tox in what is believed to be a further extortion attempt.

In two cases, these threat actors spun a narrative of trying to help victim organizations, “offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data,” Arctic Wolf Labs reports.

According to Arctic Wolf Labs, this is the first reported instance of adversaries impersonating security researchers.

Despite the differing personas adopted by the initial threat actor and the secondary adversary, Arctic Wolf Labs believes that “the extortion attempts were likely perpetrated by the same threat actor.”

First case

The first instance of extortion was identified in October 2023 and targeted victims of the Royal ransomware attacks.

The organizations were contacted by an entity known as the Ethical Side Group (ESG), which claimed to have gained access to the victims' stolen data.

“Interestingly, in their initial communications, ESG had falsely attributed the original compromise to the TommyLeaks ransomware group instead of Royal ransomware,” Arctic Wolf Labs notes.

For a price, ESG offered to hack into Royal ransomware's infrastructure and delete the previously stolen data, even though Royal had earlier claimed to have already deleted that data.

Second case

The second instance followed a similar pattern: a separate entity called xanonymoux contacted a victim of an Akira ransomware encryption attack.

xanonymoux claimed access to a separate server that hosted the victim's exfiltrated data, Arctic Wolf Labs writes.

However, the Akira ransomware group had claimed only to have encrypted the victim's systems; it did not claim to have exfiltrated any of the victim's data.

The adversary told the victim that they had compromised Akira’s server infrastructure and could delete the victim’s data or give the victim access to their server.

The two cases share similarities that Arctic Wolf Labs observed while conducting its analysis.

  • Communicated via Tox
  • Threat actors posed as security researchers
  • Claimed access to server infrastructure
  • Offered to prove access to stolen data
  • Implied risk of future attacks if not addressed
  • Specified amount of stolen data
  • Demanded a small fee of five Bitcoin
  • Similar language used within emails to victims
  • Used file.io to provide evidence of the victims' stolen data

With moderate confidence, Arctic Wolf Labs concludes that both extortion attempts were conducted by the same threat actor.

Whether the extortion was conducted by the original ransomware groups themselves is unknown.