
Ransomware Teams Experiment with a New Tactic: Re-Extortion

As we often note on this blog, ransomware is deceptive and endlessly ingenious. It’s this ability to find new variations on the same basic extortion template that has made it the most successful commercial form of cybercrime yet invented.

Excepting the occasional technical hack (together with a talent for spotting weaknesses everyone else has overlooked), most of this innovation derives from a mix of new social engineering ruses, clever marketing and business operations.

In 2023 we saw the emergence of dual ransomware attacks, in which victims find themselves fighting more than one ransomware attack at the same time. At first it was assumed this was coincidence, but it is also likely that some of these attacks were engineered that way to increase chaos and confusion.

Since then, reports have emerged of a different version of the same idea, so-called “follow-on” or “re-extortion” attacks, two examples of which from October and November 2023 were recently documented by security firm Arctic Wolf.


In the first, a victim of the Royal ransomware was contacted by a group calling itself the Ethical Side Group (ESG), claiming to have the ability to access data stolen during the original attack. The offer: ESG would hack into Royal’s infrastructure and delete the data in return for a fee.

In the second incident, a group calling itself anonymoux contacted a victim of the Akira ransomware group, making the same rather bold claim: pay us and we’ll make sure that your stolen data is wiped.

Arctic Wolf notes a number of odd similarities between the incidents. Both claimed to be legitimate researchers, both offered an identical service, and there were numerous phrases in common between the two in their communications.

The company concludes:

“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts.”

Two points emerge from this, the first of which is that ransomware groups (or an affiliate connected to them) are opportunistically trying to re-extort the same victims, albeit by asking for smaller sums.


Second, even if the offers are unconnected with the group, relying on them to make good their promise to delete data is a fool’s game, assuming such a thing is even possible once data has been posted to who knows where.

Arctic Wolf doesn’t say whether either of the incidents resulted in payment, but let’s be optimistic and assume that the fact they’re telling us about it means the victim was suspicious enough not to fall for the ploy.

Ransomware history suggests that re-extortion will probably grow in popularity during 2024 from a very low base. It’s unlikely to become a major tactic, but that doesn’t mean it won’t become yet another threat defenders must look out for.
