Cyber Predators Strike Twice: Fake Security Gurus Extort Ransomware Victims for Bitcoin Bounty

Victims of cyber heists, beware! After the Royal and Akira ransomware gangs do their dirty work, a faux ‘security researcher’ might slide into your DMs. The offer: a deletion deal for your snatched data, for a mere 5 Bitcoin ransom. Turns out, it’s just another shakedown in cybersecurity’s wild west.

Hot Take:

Just when you thought getting hit by ransomware was the worst part of your week, along comes a “helpful” cyber Robin Hood wannabe with a side of extortion scam. Because why get fleeced once when you can get fleeced twice, right? Victims now get the pleasure of a double-dip into their Bitcoin wallets by a fake security researcher who’s less white hat and more wolf in geek’s clothing.

Key Points:

  • Victims of Royal and Akira ransomware gangs are being re-extorted by a faux security researcher.
  • The scammer offered to delete stolen data for a hefty fee of around 5 Bitcoin ($225,823).
  • Despite different aliases, the scammer’s communication patterns suggest it’s the same party pulling these stunts.
  • Re-extortion isn’t new, but usually, it’s the original ransomware perps doubling down, not a third-party party crasher.
  • Neither of the two known cases resulted in a payout, but the audacity of the scheme is as clear as the blockchain.

Need to know more?

Double Trouble for Ransomware Victims

In a cyber world twist on a classic con, ransomware victims are being approached by a digital Good Samaritan. Except, instead of offering help, they're slinging a follow-up scam. Imagine getting mugged, then the bystander offering to chase the thief for a fee that's higher than what was stolen. That's the level of audacity we're dealing with here.

A Wolf in Researcher's Clothing

These victims are being cold-called on the cyber streets by someone claiming to be a security researcher. But instead of a rescue rope, they're thrown a snake – the kind that wants about 5 Bitcoin to not bite. This "researcher" seems to know a lot about the victims' data predicaments, suggesting they've either got a crystal ball or an inside scoop on the ransomware gangs' operations.

Deja Vu or Deja Screw?

Re-extortion isn't the industry's latest fad; it's an old trick with a new twist. Previously, victims would be haunted by the same bogeymen, the ransomware gangs themselves. But now, there's a new player in town, and they're not part of the original cast. It's like if the Ghostbusters showed up, but instead of zapping specters, they sold you ghost insurance.

No Honor Among Thieves

The cybersecurity soap opera's latest plot twist sees victims of the Royal and Akira ransomware groups getting a second shakedown by an unknown third party. This mysterious miscreant, sporting different online disguises, is shaking the same money tree that's already been picked. The plot thickens as Arctic Wolf Labs' cyber-sleuths uncover that the attacks are likely from the same keyboard bandit.

The Plot Doesn't Pay

Fortunately, this story doesn't end with our villain sailing into the sunset on a yacht bought with ill-gotten Bitcoins. Neither of the known marks fell for the ruse, keeping their digital wallets firmly in their digital pockets. It's a small victory for the good guys, but the fact that this scammer is out there turning victims into victims² means the cybersecurity world's game of whack-a-mole plays on.

The Mystery of the Lone Extortionist

The cyber streets are abuzz with the theory that this lone wolf extortionist might have broken away from the pack. The low ransom demands suggest a desperate attempt to score some quick crypto cash. Whether this is an entrepreneurial spirit gone rogue or a new business model for cybercriminals remains to be seen.

What's in a Name?

Our antagonist's chosen aliases – Ethical Side Group and xanonymoux – sound more like rejected superhero names than feared cyber entities. With no prior notoriety in the cybercrime hall of fame, these monikers are likely disposable, like the email addresses you create just to get that free trial. The question remains: Will their next alias be "TotallyNotAScammerPromise"?

The Cybercrime Scene Tape is Still Up

While the cyber detectives at Arctic Wolf Labs are still piecing together this digital jigsaw, the bigger picture is slowly emerging. The ransomware gangs' involvement in green-lighting these side hustles is unclear

Tags: Cybercrime Tactics, Data Exfiltration, digital forensics, Ransomware Extortion, Ransomware Gangs, SMB Cyber Threats, threat intelligence