Ransomware crims saying 'We'll burn your data if you get a negotiator' can't be legally paid off anyway

Grief Corp are already under US sanctions, says Emsisoft


A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools.

Grief Corp is the latest criminal crew to warn its victims with instant data destruction if it suspects a mark has engaged a mediator.

In a statement posted to its Tor-hosted blog, Grief Corp said: "We wanna play a game. If we see professional negotiator from Recovery Company™ – we will just destroy the data. Recovery Company™ as we mentioned [earlier] will get paid either way."

The news comes after a rival ransomware gang calling itself RagnarLocker said it would do something similar, prompting a spot of bandwagon-jumping among the criminal fraternity.

As Reg readers know only too well, ransomware is an extortion operation. After deploying a software payload on to a target's network to scramble all of its files, the criminals behind the ransomware demand a sizeable payment in cryptocurrency to provide a decryption utility – and to prevent sensitive corporate and/or personal data from being dumped online.

Threat analyst Brett Callow of infosec firm Emsisoft, who was quoted by RagnarLocker in its blog post demanding companies stop hiring ransomware negotiation experts, told The Register: "The fact that gangs don't want their victims to involve... [or] enlist help from negotiators or law enforcement is a solid indicator that that's exactly what they should do. Calling in [reputable help] helps organizations recover from incidents for the least amount of money."

There was something else worth knowing about Grief Corp, added Callow: The crew is under US financial sanctions, having previously rebranded itself from its US Office of Foreign Assets Control-recognised name of DoppelPaymer. Sanctions were imposed on DoppelPaymer's parent firm, Evil Corp, back in December 2019. American-linked businesses, therefore, cannot buy off these crooks without exposing themselves to further risks from regulators.

Callow continued: "Grief has an added incentive to keep negotiators at bay. It's one of Evil Corp's many brands and Evil Corp is subject to OFAC sanctions. Negotiators know this and will advise organizations accordingly."

Earlier this month, ransomware negotiator Nick Shah gave an interview to El Reg in which he suggested that most ransomware gangs' negotiating skills were quite weak. Negotiations are usually carried out through what Shah called "the help desk from hell" – that is, their equivalent of first-line customer support (many of the ransomware gangs currently attacking orgs are based in ex-Soviet countries whose governments turn a blind eye to their activities).

Current UK government advice wavers between never paying off ransomware criminals and refusing to condemn cyber insurance companies whose policies will buy off criminal gangs. Paying off ransomware crooks merely fuels their twisted trade and spurs them on to do it again. Not paying helps kill their business model.

The EU (and UK by extension) has historically somewhat lacked in terms of financial sanctions on identified ransomware criminals, when compared with the US, though the bloc did begin crackdowns last year.

Although a post-Brexit UK could impose its own sanctions, so far its moves have largely mirrored Five Eyes (and EU) action on Russian cyber spies. ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Even Russia's Evil Corp now favors software-as-a-service
    Albeit to avoid US sanctions hitting it in the wallet

    The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.

    You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.

    As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get the ransoms they demand from victims paid, according to a report this week out of Mandiant.

    Continue reading
  • $6b mega contract electronics vendor Sanmina jumps into zero trust
    Company was an early adopter of Google Cloud, which led to a search for a new security architecture

    Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.

    Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.

    With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.

    Continue reading
  • If you didn't store valuable data, ransomware would become impotent
    Start by pondering if customers could store their own info and provide access

    Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

    Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

    That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.

    Continue reading

Biting the hand that feeds IT © 1998–2022