Ransomware victims are targeted by fake hack-back offers, how to deal with it?

Several organizations affected by the Royal and Akira ransomware groups have fallen prey to a new threat, where an imposter posing as a security researcher has targeted victims. The Royal and Akira ransomware gangs employ the double extortion tactic, which involves encrypting victim systems and threatening to leak stolen information unless a ransom is paid.

According to cybersecurity firm Arctic Wolf, it has investigated multiple instances where victims who had already paid a ransom to the two ransomware groups were approached by an individual claiming to be an ethical hacker or security researcher. This imposter, promising to hack back the original attacker and delete the stolen victim data, requested a fee of up to five Bitcoins, equivalent to around $190,000 at the time.

Arctic Wolf’s report details two cases from October and November 2023, involving organizations previously compromised by Royal and Akira ransomware. In the first case, the scammer posed as the ‘Ethical Side Group’ (ESG) and initially misattributed the attack to the ‘TommyLeaks’ gang before shifting the narrative to claim access to Royal’s server. Notably, this victim had engaged in negotiations with the ransomware actor a year earlier in 2022.

In the second incident, the imposter, using the alias ‘xanonymoux,’ offered to delete files on Akira’s servers or provide access to the actor’s server. However, Akira had communicated weeks before, asserting that they did not exfiltrate any data, and their attack merely encrypted the compromised systems.

Scammer’s tactics (Arctic Wolf)

Arctic Wolf highlights that both communication attempts shared ten common phrases over an instant messaging program, suggesting the involvement of the same individual in both cases. These fraudulent schemes underscore an additional layer of complexity in ransomware attacks, compounding the challenges faced by victims and adding to the financial burden endured beyond the immediate crisis of encrypted and stolen data.

What are some common types of ransomware attacks?

The common types of ransomware attacks include:

  1. Crypto Ransomware: This type encrypts the victim’s data and demands a ransom for the decryption key. It is one of the most well-known and damaging variants.
  2. Locker Ransomware: These types of ransomware lock users out of their systems, often displaying a ransom message and preventing access to the data until the ransom is paid.
  3. Doxware or Leakware: This variant threatens to distribute sensitive personal or company information online unless a ransom is paid.
  4. Ransomware as a Service (RaaS): RaaS refers to malware hosted by a “professional” hacker who handles everything from distributing the ransomware to collecting payments and restoring access, in return for a cut of the profits.
  5. Exfiltration (Leakware): This type involves stealing sensitive data and threatening to make it public unless a ransom is paid.

These types of ransomware attacks can be initiated through various methods such as phishing emails, social engineering, exploiting software vulnerabilities, and abuse of trust. Understanding these types of attacks and the methods used to initiate them is crucial for organizations to prepare and protect against ransomware threats.

What are some common tactics used by ransomware attackers?

Ransomware attackers use various tactics to target victims and gain access to their systems. Some common tactics include:

  1. Phishing emails: Phishing is a popular method used by hackers to spread ransomware. They send malicious emails containing links or attachments that lead to the installation of ransomware on the victim’s system.
  2. Exploitable software vulnerabilities: Attackers exploit vulnerabilities in software applications to gain unauthorized access to systems and install ransomware.
  3. Brute-force credential attacks: Cybercriminals use automated tools and techniques to guess or crack passwords, allowing them to gain access to systems and install ransomware.
  4. Social engineering: Attackers use social engineering techniques to manipulate victims into providing personal information or clicking on malicious links.
  5. Previously compromised credentials: Cybercriminals may gain access to compromised credentials from previous breaches and use them to infiltrate systems and install ransomware.
  6. Abuse of trust: Attackers exploit the trust relationship between users and their organizations, such as in the case of an employee wronged by their employer, to gain access to systems and install ransomware.
  7. Fileless attacks: Ransomware attackers use fileless techniques, such as PowerShell or WMI scripts, to perform tasks without requiring a malicious file to be run on the target system.
  8. Remote Desktop Protocol (RDP): Attackers use exposed or weakly protected Remote Desktop Protocol services to gain unauthorized access to systems and install ransomware.
  9. Malware-as-a-Service (MaaS): Cybercriminals use MaaS to rent or purchase malware capabilities and launch attacks on behalf of their clients.
  10. Drive-by downloads: Attackers use drive-by downloads to automatically download and install ransomware on a victim’s system when they visit a compromised website.

To protect against these tactics, organizations should implement security best practices such as regular software updates, strong password management, employee training, and robust incident response plans.

How can businesses train employees to avoid phishing emails?

Businesses can train employees to avoid phishing emails through a variety of methods and best practices. Some of the common approaches include:

  1. Security Awareness Training: Conduct regular security awareness training sessions to educate employees about the various forms of phishing attacks and how to identify them. This training should cover topics such as recognizing suspicious emails, understanding the consequences of falling for phishing scams, and reporting potential phishing attempts.
  2. Identify Available Training Resources: Businesses should identify and utilize available training resources to educate employees on how to spot phishing. These resources can be obtained from IT providers, professional/industry organizations, or non-profits, and may include ready-to-use training materials.
  3. Phishing Awareness Programs: Implement phishing awareness programs that simulate real-world phishing attacks to help employees recognize and respond to phishing attempts. These programs can provide immediate feedback and additional training to employees who fall for the simulated attacks.
  4. Role-Based Training: Provide tailored and role-based training sessions to address the specific phishing threats that employees in different roles may encounter. This approach can help employees understand how cybercriminals target individuals in their specific roles and how to defend against such attacks.
  5. Use of Interactive Content: Utilize interactive content in training, including email phishing simulations, to engage employees and provide them with a hands-on experience in identifying and responding to phishing attempts.
  6. Encourage Vigilance and Suspicion: Encourage employees to be vigilant and suspicious of unsolicited emails, especially those that request sensitive information or urge immediate action. Employees should be trained to verify the authenticity of such emails before taking any action.

By implementing these training methods, businesses can significantly reduce the risk of employees falling victim to phishing attacks and enhance the overall cybersecurity posture of the organization.

What are some signs that a computer or network has been infected with ransomware?

Some signs that a computer or network has been infected with ransomware include:

  1. Suspicious Emails: Phishing emails are a common way ransomware attacks begin. Hackers send social engineering emails appearing to be from legitimate companies with malicious attachments or links.
  2. Unexpected Network Scanners: Unauthorized network scanning activities may indicate an attempt to identify potential targets for ransomware infection.
  3. Unauthorized Access to Active Directory: Any unauthorized access to the Active Directory, which manages network resources, can be a sign of a ransomware attack.
  4. Abnormal Disk Activity: An abnormal spike in disk activity, especially when the system is parsing every folder for data to encrypt, can be a sign of an automated ransomware attack.
  5. Glitchy System Behavior: Systems that normally behave properly suddenly appearing glitchy or malfunctioning could be a sign of a ransomware attack in progress.
  6. Creation of New Accounts and Unauthorized Software Installations: The creation of new accounts, especially privileged ones, and unauthorized software installations are potential signs of a ransomware attack.
  7. Presence of Hacking Tools: The presence of hacking tools like Mimikatz, Process Explorer, or PC Hunter can be a clear indication of a ransomware attack.
  8. Unpatched Operating Systems: Unpatched operating systems can create vulnerabilities that ransomware attackers may exploit to gain access to a network.

If any of these signs are observed, it’s important to take immediate action, such as disconnecting from networks, reporting the incident, and seeking professional assistance to mitigate the impact of the potential ransomware infection.

What are some consequences of employees falling for phishing scams?

Employees falling for phishing scams can lead to several consequences for both the individual and the organization, including:

  1. Financial Losses: Successful phishing attacks can result in significant financial losses for the organization, as ransoms are often demanded in cryptocurrencies or other difficult-to-trace payment methods.
  2. Reputational Damage: A company’s reputation can be severely damaged if it becomes known that the organization was compromised due to employees falling for phishing scams.
  3. Unauthorized Access to Private Information: Phishing attacks can lead to unauthorized access to sensitive data, such as personal information, customer records, or intellectual property.
  4. Legal Action: Companies may take legal action against employees who fall for phishing scams, especially if the employee has access to sensitive information or is involved in financial transactions.
  5. Disciplinary Action: Employees who repeatedly fall for phishing scams may face disciplinary action, such as warnings, fines, or even termination, depending on the organization’s policies and the severity of the breaches.
  6. Decreased Security Awareness: Employees who fall for phishing scams may be perceived as a security risk, which could lead to reduced access to sensitive systems or data, and increased scrutiny from the organization.

To mitigate these risks, organizations should invest in regular security awareness training, simulated phishing attacks, and clear policies and consequences for employees who fall for phishing scams.

What are some best practices for recovering from a ransomware attack?

Some best practices for recovering from a ransomware attack include:

  1. Prepare and Prevent: Have immutable backups ready to deploy in case of infection and use third-party tools to prevent ransomware from entering and attacking systems.
  2. Test and Validate Backups: Regularly run validation tests to check for corruption, viruses, or malware. Ensure that backups are functional by mounting them on a virtual machine.
  3. Engage with Cybersecurity Experts: Contact specialist IT support and cybersecurity companies for ransomware emergency support.
  4. Isolate the Infection and Restore: Disconnect all devices to limit the effects of ransomware, then utilize secure backups and reliable software to restore the infected computer or set up a new system from scratch.
  5. Keep Offline Data Backups: Store backups in locations that are air-gapped or inaccessible from the network to prevent the ransomware from accessing them.
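
Steps 2 and 5 above call for backups that are verified rather than assumed good. The script below is an added example (not from the article or any of its sources) showing one way to do that: record a SHA-256 manifest when the backup is taken, then compare a later copy against it and report files that are missing, modified or unexpected, additionally flagging changed files whose content now looks encrypted. The file names, contents and the 7.5 bits-per-byte entropy threshold are assumptions for illustration.

```python
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

# Assumed threshold: plain documents usually sit well below this, while
# encrypted or compressed data approaches the 8.0 bits-per-byte maximum.
HIGH_ENTROPY_BITS = 7.5

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for uniform or empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def file_entropy(path, sample=1 << 16):
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample))

def build_manifest(root):
    """Map each file (relative POSIX path) to its hash and size at backup time."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest

def verify_backup(root, manifest):
    """Compare the files under `root` with a manifest recorded earlier."""
    root = Path(root)
    report = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif sha256_of(current[rel]) != meta["sha256"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    # Anything that changed or appeared and now looks like random bytes is the
    # pattern an encrypting ransomware leaves behind on a reachable backup.
    for rel in report["modified"] + report["unexpected"]:
        if file_entropy(current[rel]) >= HIGH_ENTROPY_BITS:
            report["high_entropy"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report

def demo():
    """Build a constructed backup, verify it clean, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2023-10-01,100.00\n" * 200)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 50)
        (root / "config.json").write_text(json.dumps({"retention_days": 30}))
        manifest = build_manifest(root)          # in practice: store this off the backup medium
        clean = verify_backup(root, manifest)
        # Simulate what a reachable backup looks like after an encryptor ran over it.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(8192))
        (root / "notes.txt").unlink()
        (root / "README.lockd").write_bytes(os.urandom(8192))
        tampered = verify_backup(root, manifest)
    return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

The manifest is only worth something if it is kept where the backup job, and therefore anything that compromises the backup job's credentials, cannot rewrite it: alongside the immutable copies from step 1, or on the offline medium from step 5. Running this check as part of a scheduled restore test, after mounting the backup as step 2 describes, turns "we have backups" into "we have backups we have actually read back".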

By following these best practices, organizations can improve their ability to recover from ransomware attacks and minimize the impact on their operations.

How can we prevent ransomware attacks from happening in the future?

Ransomware attacks can be prevented by following some best practices. These include backing up data regularly, keeping all systems and software updated, installing antivirus software and firewalls, and providing cybersecurity education to employees. It is also important to identify assets that are searchable via online tools and take steps to reduce that exposure, use caution with email attachments, and implement a comprehensive cybersecurity training program. Additionally, organizations should develop plans and policies, review port settings, and harden infrastructure. It is crucial to maintain backups thoughtfully and train the team to be aware of malicious emails. Finally, it is recommended to implement a zero-trust architecture and pressure-test an incident response plan. By following these practices, individuals and organizations can protect themselves from ransomware attacks.

To prevent ransomware attacks from happening in the future, individuals and organizations can take the following steps:

  1. Data Backup and Recovery: Employ a data backup and recovery plan for all critical information. Keep your operating system and software up to date with the latest patches.
  2. Security Software: Consider deploying security software to protect endpoints, email servers, and network systems from infection.
  3. Least Privilege: Apply the principle of “Least Privilege” to all systems and services to restrict privileges and prevent malware from running or limit its capability to spread.
  4. Offline Data Backups: Keep offline data backups stored in air-gapped locations or on disconnected external storage drives to prevent the ransomware from accessing them.
  5. Keep Systems Updated: Keep all systems and software up to date with the latest security patches and updates to close known vulnerabilities.
  6. Educate Users: Educate users to not click on unsafe links in spam messages or on unknown websites. Avoid enabling macros from email attachments.
  7. Practice Good Cyber Hygiene: Exercise good cyber hygiene, such as using strong passwords, enabling two-factor authentication, and limiting user privileges.
  8. Develop Plans and Policies: Develop and implement plans and policies for responding to ransomware attacks.

By implementing these measures, individuals and organizations can reduce the risk of falling victim to ransomware attacks and minimize the impact of such attacks on their systems and data.
