A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools.
Grief Corp is the latest criminal crew to warn its victims with instant data destruction if it suspects a mark has engaged a mediator.
In a statement posted to its Tor-hosted blog, Grief Corp said: "We wanna play a game. If we see professional negotiator from Recovery Company™ – we will just destroy the data. Recovery Company™ as we mentioned [earlier] will get paid either way."
The news comes after a rival ransomware gang calling itself RagnarLocker said it would do something similar, prompting a spot of bandwagon-jumping among the criminal fraternity.
As Reg readers know only too well, ransomware is an extortion operation. After deploying a software payload on to a target's network to scramble all of its files, the criminals behind the ransomware demand a sizeable payment in cryptocurrency to provide a decryption utility – and to prevent sensitive corporate and/or personal data from being dumped online.
Threat analyst Brett Callow of infosec firm Emsisoft, who was quoted by RagnarLocker in its blog post demanding companies stop hiring ransomware negotiation experts, told The Register: "The fact that gangs don't want their victims to involve... [or] enlist help from negotiators or law enforcement is a solid indicator that that's exactly what they should do. Calling in [reputable help] helps organizations recover from incidents for the least amount of money."
There was something else worth knowing about Grief Corp, added Callow: The crew is under US financial sanctions, having previously rebranded itself from its US Office of Foreign Assets Control-recognised name of DoppelPaymer. Sanctions were imposed on DoppelPaymer's parent firm, Evil Corp, back in December 2019. American-linked businesses, therefore, cannot buy off these crooks without exposing themselves to further risks from regulators.
- Confessions of a ransomware negotiator: Well, somebody's got to talk to the criminals holding data hostage
- Biz tells ransomware victims it can decrypt their files... by secretly paying off the crooks and banking a fat margin
- EU slaps extra sanctions on Russian spy chief and APT28 malware dev over 2015 Bundestag hack
- Ransomware-hit law firm gets court order asking crooks not to publish the data they stole
Callow continued: "Grief has an added incentive to keep negotiators at bay. It's one of Evil Corp's many brands and Evil Corp is subject to OFAC sanctions. Negotiators know this and will advise organizations accordingly."
Earlier this month, ransomware negotiator Nick Shah gave an interview to El Reg in which he suggested that most ransomware gangs' negotiating skills were quite weak. Negotiations are usually carried out through what Shah called "the help desk from hell" – that is, their equivalent of first-line customer support (many of the ransomware gangs currently attacking orgs are based in ex-Soviet countries whose governments turn a blind eye to their activities).
Current UK government advice wavers between never paying off ransomware criminals and refusing to condemn cyber insurance companies whose policies will buy off criminal gangs. Paying off ransomware crooks merely fuels their twisted trade and spurs them on to do it again. Not paying helps kill their business model.
The EU (and UK by extension) has historically somewhat lacked in terms of financial sanctions on identified ransomware criminals, when compared with the US, though the bloc did begin crackdowns last year.
Although a post-Brexit UK could impose its own sanctions, so far its moves have largely mirrored Five Eyes (and EU) action on Russian cyber spies. ®