{
	"id": "2e45eb55-cf65-4daf-8267-ee5e10ca065d",
	"created_at": "2026-04-06T00:09:08.015379Z",
	"updated_at": "2026-04-10T13:11:33.611819Z",
	"deleted_at": null,
	"sha1_hash": "f1b79ba75f285eebd96e6f5a1612fa5308007319",
	"title": "Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67664,
	"plain_text": "Follow-On Extortion Campaign Targeting Victims of Akira and\r\nRoyal Ransomware\r\nBy Stefan Hostetler, Steven Campbell\r\nPublished: 2024-01-04 · Archived: 2026-04-05 22:32:01 UTC\r\nKey Takeaways\r\nArctic Wolf Labs has investigated several cases of Royal and Akira ransomware victims being targeted in\r\nfollow-on extortion attacks starting in October 2023.\r\nGiven the low payment demands and other unusual campaign elements, it is not clear whether these follow-on\r\nextortion attempts were sanctioned by the groups responsible for the original ransomware attacks.\r\nBased on our analysis of common elements between these cases, Arctic Wolf Labs assesses with moderate\r\nconfidence that a common threat actor was responsible for these follow-on extortion attempts.\r\nSummary\r\nArctic Wolf Labs is aware of several ransomware cases in which the victim organizations were contacted again\r\nafter the original compromise with additional extortion attempts. In two cases investigated by Arctic Wolf\r\nLabs, threat actors spun a narrative of trying to help victim organizations, offering to hack into the server\r\ninfrastructure of the original ransomware groups involved to delete exfiltrated data.\r\nAs far as Arctic Wolf Labs is aware, this is the first published instance of a threat actor posing as a legitimate\r\nsecurity researcher offering to delete stolen data held by a separate ransomware group. 
While the personalities\r\ninvolved in these secondary extortion attempts were presented as separate entities, we assess with moderate\r\nconfidence that the extortion attempts were likely perpetrated by the same threat actor.\r\nWhat We Know\r\nCase 1: Royal Ransomware Compromise and Ethical Side Group Data Deletion Extortion\r\nIn early October 2023, an entity describing themselves as Ethical Side Group (ESG) contacted a Royal\r\nransomware victim by email and claimed to have obtained access to victim data originally exfiltrated by Royal.\r\nNotably, in prior negotiations in 2022, Royal claimed to have deleted the data.\r\nInterestingly, in their initial communications, ESG had falsely attributed the original compromise to the\r\nTommyLeaks ransomware group instead of Royal ransomware.\r\nESG ultimately offered to hack into Royal ransomware’s server infrastructure and permanently delete the targeted\r\norganization’s data for a fee.\r\nhttps://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/\r\nPage 1 of 4\n\nCase 2: Akira Ransomware Compromise and xanonymoux Data Deletion Extortion\r\nIn early November 2023, an entity describing themselves as xanonymoux contacted an Akira ransomware\r\nencryption victim and claimed to have obtained access to a server hosting victim data exfiltrated by Akira.\r\nNotably, when Akira was contacted a few weeks before xanonymoux’s email, the group claimed not to have\r\nexfiltrated any data and that they had only encrypted systems.\r\nxanonymoux claimed to have compromised Akira’s server infrastructure. The threat actor offered to aid in either\r\ndeleting the victim’s data or providing them with access to their server. 
Additionally, xanonymoux claimed that\r\nAkira was associated with Karakurt, a criminal group known for data exfiltration and extortion.\r\nCase Comparison and Analysis\r\nDespite presenting as separate entities and referencing different ransomware groups, the two campaigns share\r\nseveral elements. Stylistic analysis of the communications sent to both victim organizations identified clear\r\nsimilarities between the two cases.\r\nCommon Threat Actor Behaviors Between Follow-On Extortion Cases\r\nPresented as a security researcher\r\nClaimed to access server infrastructure hosting data from past compromise\r\nCommunicated via Tox\r\nOffered to provide proof of access to exfiltrated data\r\nInsinuated risk of future attacks if security issues are not addressed\r\nSpecified amount of data previously exfiltrated\r\nMinimal payment demand (\u003c= 5 BTC)\r\n10 overlapping phrases used in initial email\r\nUse of file.io to provide evidence of access to victim data\r\nThe elements of the campaigns described here are unusual in their low ransom demands, in posing as a legitimate\r\nsecurity researcher as a pretext, and in offering to delete data to avoid potential future attacks. However, follow-on\r\nextortion itself is not new in attacks associated with Conti and Karakurt. In 2021, we published research\r\nrevealing Karakurt re-extortion attempts against victims that had previously been targeted in ransomware attacks by\r\nConti. Additionally, our past research has also identified connections between Conti and Akira. 
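The behaviour list above rests on two kinds of overlap: campaign indicators that recur in both cases (Tox as the contact channel, a file.io link as proof of access, a stated data volume, a demand of at most 5 BTC) and verbatim phrases shared by the initial emails. The Python script below is an added example, not Arctic Wolf's analysis tooling, showing one way to score two such emails against that list. The two emails it compares are constructed stand-ins, not the real ESG or xanonymoux messages (which the report does not reproduce); their Tox IDs, file.io links, data sizes and amounts are invented. It goes a little beyond the report in one respect: victim-specific slots (IDs, links, numbers) are masked before comparison so that two messages built from the same template still match where only the details differ, and overlapping 5-grams are merged into maximal shared runs so the count corresponds to phrases rather than n-grams.

```python
import re

# CONSTRUCTED sample messages for illustration only. They are not the real
# ESG / xanonymoux emails (Arctic Wolf did not publish them); the Tox IDs,
# file.io links, data sizes and amounts below are made up.
EMAIL_ESG = '''Hello. I am a security researcher and I have access to the server
where your data from the previous attack is stored. We hold 420 GB of your files.
Proof of access: https://file.io/AbCdEf12
To avoid future attacks you must fix your security issues. We can delete the data
permanently for 3 BTC. Contact us on Tox:
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB'''

EMAIL_XAN = '''Hi. We are security researchers. We got access to the server where your
data from the previous attack is stored. About 1.2 TB of your files are there.
Proof of access: https://file.io/ZyXwVu98
To avoid future attacks you need to fix your security issues. We can delete the data
permanently or give you access to the server for 5 BTC. Contact us on Tox:
FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA987654'''

# Campaign indicators named in the report: Tox as the contact channel (a Tox ID
# is 76 hex characters), a file.io link as "proof", a stated data volume and a
# BTC demand.
TOX_ID = re.compile(r'\b[0-9A-Fa-f]{76}\b')
FILE_IO = re.compile(r'https?://file\.io/[A-Za-z0-9]+')
BTC_AMOUNT = re.compile(r'(\d+(?:\.\d+)?)\s*BTC\b')
DATA_SIZE = re.compile(r'(\d+(?:\.\d+)?)\s*(GB|TB)\b', re.IGNORECASE)


def extract_indicators(text):
    '''Pull the per-message indicators out of one extortion email.'''
    btc = [float(m) for m in BTC_AMOUNT.findall(text)]
    size = DATA_SIZE.search(text)
    size_gb = None
    if size:
        value, unit = float(size.group(1)), size.group(2).upper()
        size_gb = value * 1024 if unit == 'TB' else value
    return {
        'tox_ids': TOX_ID.findall(text),
        'file_io_links': FILE_IO.findall(text),
        'btc_demand': max(btc) if btc else None,
        'data_size_gb': size_gb,
    }


def template(text):
    '''Lower-case word tokens with the victim-specific slots (Tox ID, link,
    numbers) replaced by placeholders, so two messages written from the same
    template compare equal where only the details differ.'''
    text = TOX_ID.sub(' <tox> ', text)
    text = FILE_IO.sub(' <url> ', text)
    text = re.sub(r'\d+(?:\.\d+)?', ' <num> ', text)
    return re.findall(r'[a-z<>]+', text.lower())


def ngrams(tokens, n):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def shared_phrases(text_a, text_b, n=5):
    '''Maximal runs of at least n consecutive tokens that occur verbatim in
    both templates: the "overlapping phrases" of a stylistic comparison.'''
    a, b = template(text_a), template(text_b)
    b_grams = ngrams(b, n)
    hits = [i for i in range(len(a) - n + 1) if tuple(a[i:i + n]) in b_grams]
    phrases, start, prev = [], None, None
    for i in hits:
        if start is not None and i == prev + 1:
            prev = i          # extends the current run
            continue
        if start is not None:
            phrases.append(' '.join(a[start:prev + n]))
        start = prev = i      # opens a new run
    if start is not None:
        phrases.append(' '.join(a[start:prev + n]))
    return phrases


def trigram_jaccard(text_a, text_b, n=3):
    '''Set similarity of token n-grams; a cheap overall stylistic score.'''
    ga, gb = ngrams(template(text_a), n), ngrams(template(text_b), n)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0


def compare_messages(text_a, text_b):
    '''Side-by-side report in the shape of the report's behaviour list.'''
    ia, ib = extract_indicators(text_a), extract_indicators(text_b)
    phrases = shared_phrases(text_a, text_b)
    return {
        'both_use_tox': bool(ia['tox_ids']) and bool(ib['tox_ids']),
        'both_use_file_io': bool(ia['file_io_links']) and bool(ib['file_io_links']),
        'both_state_data_size': ia['data_size_gb'] is not None and ib['data_size_gb'] is not None,
        'both_demand_at_most_5_btc': all(
            i['btc_demand'] is not None and i['btc_demand'] <= 5 for i in (ia, ib)),
        'shared_phrase_count': len(phrases),
        'shared_phrases': phrases,
        'trigram_jaccard': round(trigram_jaccard(text_a, text_b), 2),
    }


if __name__ == '__main__':
    import json
    print(json.dumps(compare_messages(EMAIL_ESG, EMAIL_XAN), indent=2))
```

Run as a script it prints the comparison report for the two sample emails. In a real case the masking rules and the n-gram size are the knobs to adjust, and a single shared boilerplate sentence is weak evidence on its own, so read the shared phrases themselves rather than only the count.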
Royal emerged on\r\nthe ransomware scene in 2022, and connections between Royal and Conti have been noted by other researchers,\r\nsuch as BushidoToken.\r\nConclusion\r\nIt is challenging to make sense of the tangled web of connections woven by ransomware groups, given that\r\nransomware-as-a-service (RaaS) affiliates tend to operate multiple encryption payloads over time, sometimes even\r\ndeploying several at once. The best we can do as researchers is to piece together parts of the bigger picture by\r\nlooking for common denominators between attacks.\r\nBased on the common elements identified between the cases documented here, we conclude with moderate\r\nconfidence that a common threat actor has attempted follow-on extortion against organizations that were previously\r\nvictims of Royal and Akira ransomware attacks. However, it is still unclear whether the follow-on extortion\r\ncases were sanctioned by the initial ransomware groups, or whether the threat actor acted alone to garner\r\nadditional funds from the victim organizations.\r\nThis research highlights the risks of relying on criminal extortion enterprises to delete exfiltrated data, even after\r\npayment.\r\nIf your organization has a presence in the U.S., and you’ve been affected by any of these types of attacks, please\r\ncontact your nearest FBI field office.\r\nReferences\r\nhttps://arcticwolf.com/resources/blog/conti-and-akira-chained-together/\r\nhttps://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html\r\nhttps://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/\r\nBy Stefan Hostetler, Steven Campbell\r\nStefan Hostetler | Senior Threat Intelligence Researcher\r\nStefan is a Senior Threat Intelligence Researcher at Arctic Wolf. 
With over a decade of industry experience under\r\nhis belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves\r\neffectively.\r\nSteven Campbell | Senior Threat Intelligence Researcher\r\nSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of\r\nexperience in intelligence analysis and security research. He has a strong background in infrastructure analysis and\r\nadversary tradecraft.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who\r\nexplore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and\r\nrefine advanced threat detection models with artificial intelligence, including machine learning, and drive\r\ncontinuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their\r\ndeep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s\r\ncustomer base, but the security community at large.\r\nSource: https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/"
	],
	"report_names": [
		"follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1b79ba75f285eebd96e6f5a1612fa5308007319.pdf",
		"text": "https://archive.orkl.eu/f1b79ba75f285eebd96e6f5a1612fa5308007319.txt",
		"img": "https://archive.orkl.eu/f1b79ba75f285eebd96e6f5a1612fa5308007319.jpg"
	}
}