16 September 2021

Grief ransomware gang threatens to destroy decryption key if victim calls in ransomware negotiator


Ransomware groups are regularly adding new tactics to increase pressure on their victims. For example, last week, the Ragnar Locker ransomware gang published an announcement on their darknet leak site warning that they will leak data stolen from victims that contact law enforcement agencies or hire professional ransomware negotiators.

"So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately," the gang wrote.

It appears that the new approach is already being adopted by other ransomware groups. The latest development comes from the Grief (Pay or Grief) ransomware gang, believed to be a brand of Evil Corp, the notorious cybercrime group behind the Dridex banking trojan and the BitPaymer and WastedLocker ransomware, which the US government sanctioned in December 2019.

On Monday, the group posted a message on their leak site saying that they will delete a victim's decryption key if they hire a negotiation company.

“We wanna play a game. If we see professional negotiator from Recovery Company™ - we will just destroy the data,” the post reads.

“Recovery Company™ as we mentioned above will get paid either way. The strategy of Recovery Company™ is not to pay requested amount or to solve the case but to stall. So we have nothing to lose in this case. Just the time economy for all parties involved.”

According to cybersecurity experts, besides putting additional pressure on victims, there may be another reason for such threats. Sanctions imposed on Grief’s ‘parent company’ Evil Corp by the U.S. federal government prevent ransomware negotiation firms from facilitating ransom payments to Evil Corp.

“Grief has an added incentive to keep negotiators at bay. It's one of Evil Corp's many brands and Evil Corp is subject to OFAC sanctions. Negotiators know this and will advise organizations accordingly,” Brett Callow, a threat analyst at Emsisoft, said.

