Threats

New Ransomware Technique Emerges: Fake Ransomware Support

According to Sophos' State Of Ransomware in 2023, 97% of organizations hit by ransomware were able to regain access to their data. On the surface, this seems like a promising statistic. However, the same report notes that 46% of organizations paid ransom to get it back while recovery using backups dropped slightly from 73% to 70%. The mean recovery cost was USD $2.6 million when the ransom was paid compared to a still very high $1.6 million when using backups. While organizations cannot prevent being attacked by ransomware gangs, they can and should do more to prevent a successful ransomware attack. 

For companies with a high degree of risk, Ransomware Penetration Testing offers the highest degree of assurance. However, user awareness training is an accessible security measure that can help prevent ransomware attacks from breaching your perimeter. This is true because ransomware attacks often use phishing to gain initial access to a target's network. A recently reported and novel technique in the ransomware onslaught - the fake ransomware support technique - can also be mitigated with regular user awareness training sessions. 

The predominant technique for cyber extortion is encrypting the victim's data and demanding payment to decrypt it. However, cybercriminals are known to supplement their tactics with double and triple ransomware extortion. The most common secondary tactic is to demand payment to prevent the thief from sharing the stolen data publicly, and the triple extortion tactic is to launch DoS attacks against the victim until they pay even more.

Let's examine this new fake support tactic and uncover some other "fake" ransomware strategies that leverage social engineering to achieve their nefarious goals instead of actually encrypting files:

Fake Ransomware Tech Support Used As Secondary Extortion

Many ransomware attacks may use social engineering to gain initial access to the victim's network, but at the extortion stage, many cyber-gangs are fairly straightforward. Some have even set up their own support centers to help ransom-paying victims regain access to their data. After all, if companies are not able to recover their data, many will not pay ransom. Considering that being a repeat victim isn't unusual, honor among thieves may have its benefits. 

In early 2024, researchers at Arctic Wolf observed a new technique for Ransomware extortion. The ploy involved a fake security researcher who contacted a firm recently after they were infected with ransomware. These fake ransomware support scammers claimed to have the ability to recover or delete data stolen by the ransomware groups and offered their services to the victim in exchange for payment in Bitcoin. The request for Bitcoin should have been clear evidence that something wasn't right. 

Here is how the fake Ransomware support scam attacks progress. The attackers contact organizations via email, claiming to be ethical security researchers or hacking groups with access to the ransomware gang's server infrastructure. In other words, they have hacked the hackers. The attackers falsely assert that they have obtained access to data originally stolen by the ransomware group. They offer to either recover or permanently delete this stolen data on behalf of the victim organization. To provide their supposed assistance, the attackers demand a fee in Bitcoin from the victim organization. The supposed security support entities involved in the scam named "Ethical Side Group (ESG)" and Xanonymoux were later traced back to cybercrime organizations. 

Other "Fake" Ransomware Attacks Observed In the Wild

  • Faking To Have Stolen A Victim's Data: In some cases, cybercriminals demand ransom for not publicly releasing data they haven't even stolen. Known as Phantom Incident Extortion (PIE), threat actors may impersonate known cybercrime gangs, such as Silent Ransom Group (SRG), a subset of the Conti syndicate, or the Surtr ransomware group adding weight to their threats. The threat actors demand a ransom payment from the victim in exchange for not exposing the allegedly stolen data. In these attacks, the demanded ransom is typically far less than the potential damage that could result from public exposure of the data.

  • Demanding Ransom Without Encrypting Files: In this fake ransomware campaign observed by Securi, website owners were presented with a ransom note on their homepage while further inspection revealed that no files were actually encrypted.

  • Fake Ransomware Wiper Malware: All of the examples of fake ransomware above would be preferable to the real thing. Here is one example of fake ransomware that isn't. Fake ransomware CryWiper and NotPetya are two examples of malware designed to destroy data but then post a ransom note trying to extract funds from the victim. Even if the victim pays up, they cannot recover their data. 

  • Fake Ransomware Attack To Hide Financial Fraud: In another less publicized story, an organization conducting financial fraud hit itself with fake ransomware to claim that it lost access to all its financial records.

Conclusion

The landscape of ransomware attacks continues to evolve with cybercriminals adopting new tactics to extort victims. While traditional encryption-based ransomware remains a threat, emerging strategies like fake ransomware support and Phantom Incident Extortion (PIE) are side hustles to keep on your radar. These deceptive approaches prey on organizations' fear and urgency, demanding ransom payments even when data may not be at risk. Prioritizing user awareness training is one measure to keep staff up to date on emerging trends in social engineering-based IT attacks.

Looking to learn more about how to bolster your security posture ahead of the next attempted cyber breach? Contact us or download our Buyer's Guide today.

Featured Posts

See All

December 10 - Blog

Hardware Token Protocols

Hardware token protocols: what are they, and what role do they play in your organization's cybersecurity? In today's article, our ethical hackers outline the most common hardware token protocols.

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

Packetlabs Company Logo
    • Toronto | HQ
    • 401 Bay Street, Suite 1600
    • Toronto, Ontario, Canada
    • M5H 2Y4
    • San Francisco | HQ
    • 580 California Street, 12th floor
    • San Francisco, CA, USA
    • 94104