Ransomware groups are regularly adding new tactics to increase pressure on their victims. For example, last week, the Ragnar Locker ransomware gang published an announcement on their darknet leak site warning that they will leak data stolen from victims that contact law enforcement agencies or hire professional ransomware negotiators.
"So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately," the gang wrote.
It appears that the new approach is already being adopted by other ransomware groups. The latest development comes from the Grief (Pay or Grief) ransomware gang, believed to be a brand of Evil Corp, the notorious cybercrime group behind the Dridex banking trojan and the BitPaymer and WastedLocker ransomware, which the US government sanctioned in December 2019.
On Monday, the group posted a message on their leak site saying that they will delete a victim's decryption key if the victim hires a negotiation company.
“We wanna play a game. If we see professional negotiator from Recovery Company™ - we will just destroy the data,” the post reads.
“Recovery Company™ as we mentioned above will get paid either way. The strategy of Recovery Company™ is not to pay requested amount or to solve the case but to stall. So we have nothing to lose in this case. Just the time economy for all parties involved.”
According to cybersecurity experts, besides putting additional pressure on victims, there may be another reason for such threats. Sanctions imposed by the U.S. federal government on Grief’s ‘parent company’ Evil Corp prevent ransomware negotiation firms from facilitating ransom payments to Evil Corp.
“Grief has an added incentive to keep negotiators at bay. It's one of Evil Corp's many brands and Evil Corp is subject to OFAC sanctions. Negotiators know this and will advise organizations accordingly,” Brett Callow, a threat analyst at Emsisoft, said.