Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

Recently, a new scam has emerged that targets victims of ransomware attacks. It involves individuals or groups posing as “security researchers” or “ethical hackers” who offer to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds another layer of extortion for the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

The Emerging Scam in Ransomware Attacks

1. The False Promise of Data Deletion

  • Ransomware gangs do not always delete stolen data, even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. Fake ‘Security Researcher’ Scams

  • A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. The Hack-Back Offers

  • Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. The Illogical Nature of Paying for Data Deletion

  • Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. The Role of Ransomware Groups

  • Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscore the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. They also highlight the challenging decision-making process for organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.