Ransomware gang threatens to remove key when victim contacts negotiator

The Grief ransomware gang (formerly DoppelPaymer) warns that victims will not be able to recover their encrypted files if they bring in professional negotiators to lower the price of the decryption key.

In a statement on its Tor-hosted blog, the group said it does not “want to play games” and that if it sees a targeted company calling in ransom negotiators it will simply “destroy data.”

“The Recovery Company ™ strategy is not to pay the requested amount or resolve the case, but to stall,” said the group, as reported by Bleeping Computer.

“Therefore, in this case, there is nothing to lose. Just an economy of time for all involved.

“What can I get with this Recovery Companies ™ if it’s unpaid, the data is simply corrupted, and the chances of recovery are zero? I think it’s in the millions of dollars. Clients are free. Bring money. As always.”

Decoding the broken English, the message boils down to this: Grief believes professional negotiators are used only to stall the discussion, and it would rather hold the threat of data destruction over the victim’s head to force faster payment.

Grief is only the latest ransomware group to issue warnings about negotiators.

Last week, the RagnarLocker group warned that it would leak all stolen data belonging to victims who contact law enforcement agencies such as the FBI after a ransomware attack. The threat also covers victims who contact a data recovery company to attempt decryption or to handle the negotiation process.

Since issuing the warning, the gang has claimed to have followed through on the threat, releasing one victim’s stolen data after that victim called in a negotiator.

Ransomware groups dislike the involvement of professional negotiators because they tend to reduce profits. Negotiators also buy time, which lets victims carry out their incident response procedures.

Grief’s warning puts more pressure on the victims, but it also appears to be an attempt to circumvent US sanctions.

The Grief group is believed to be associated with Evil Corp, a Russian hacking group sanctioned by the US government. By warning victims off negotiating companies, the group hopes victims will remain unaware of the sanctions risk and ultimately pay for the decryption key.

Grief is believed to be a rebrand of DoppelPaymer because it reuses much of the same code. The group has been highly active since mid-May 2021, when DoppelPaymer’s activity began to decline, roughly a week after DarkSide’s ransomware attack on Colonial Pipeline in the US.

Researchers at cloud security firm Zscaler analyzed early Grief (also known as Pay or Grief) samples and found that the ransom notes dropped on infected systems linked to the DoppelPaymer portal.

Both ransomware families rely on similar code that implements the same cryptographic algorithm, the same import hashing, and the same entry point offset calculation.
