As we regularly observe in this blog, ransomware is devious and endlessly inventive. It’s this ability to find new variations on the same basic extortion template that has made it the most successful commercial form of cybercrime yet invented.
Excepting the occasional technical hack (including a talent for spotting weaknesses everyone else has overlooked), most of this innovation derives from a mixture of new social engineering ruses, clever marketing, and business operations.
In 2023 we saw the emergence of the dual ransomware attacks whereby victims find themselves fighting more than one ransomware attack at the same time. At first, it was assumed this was coincidence, but it is also likely that some of these attacks were engineered that way to increase chaos and confusion.
Since then, reports have emerged of what is effectively a different version of the same idea, so-called ‘follow-on’ or “re-extortion” attacks, two examples of which from October and November 2023 were recently documented by security company Arctic Wolf.
In the first, a victim of the Royal ransomware was contacted by a group calling itself the Ethical Side Group (ESG), claiming to have the ability to access data stolen during the original attack. The offer: ESG would hack into Royal’s infrastructure and delete the data in return for a fee.
In the second incident, a group calling itself anonymoux contacted a victim of the Akira ransomware group, making the same rather bold claim: pay us and we’ll make sure your stolen data is wiped.
Arctic Wolf notes a number of odd similarities between the incidents. Both claimed to be legitimate researchers, both offered an identical service, and there were numerous phrases in common between the two in terms of their communication.
The company concludes:
“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts.”
Two points emerge from this, the first of which is that ransomware groups (or an affiliate associated with them) are opportunistically trying to re-extort the same victims, albeit by asking for smaller sums.
Second, even if the offers are unconnected with the group, relying on them to make good their promise to delete data is a fool’s game, assuming such a thing is even possible once data has been posted to who knows where.
Arctic Wolf doesn’t say whether either of the incidents resulted in payment, but let’s be optimistic and assume that the fact they are telling us about it means the victims were suspicious enough not to fall for the ploy.
Ransomware history suggests that re-extortion will probably grow in popularity during 2024 from a very low base. It’s unlikely to become a major tactic but that doesn’t mean it won’t become yet another possibility defenders must look out for.