Ransomware gang threatens to delete keys if victims contact negotiators
Grief group's move seems to reflect a growing trend in the cybercrime community
The Grief ransomware gang (formerly DopplePaymer) has warned that victims will be unable to recover their encrypted files if they bring in professional negotiators to drive down the price of decryption keys.
In a statement on its Tor-hosted blog, the group said they 'wanna play a game' and would just 'destroy the data' if they see a target company calling in a ransom negotiator.
'The strategy of Recovery Company™ is not to pay requested amount or to solve the case but to stall,' the group said, according to BleepingComputer.
'So we have nothing to loose in this case. Just the time economy for all parties involved.'
'What will this Recovery Companies™ earn when no ransom amount is set and data simply destroyed with zero chance of recovery? We think - millions of dollars. Clients will bring money for nothing. As usual.'
Deciphering the broken English, this boils down to the fact that Grief believes professional negotiators are only used to stall discussions. It prefers to hold the threat of data destruction over victims' heads to force faster payment.
Grief is the latest ransomware group to issue a warning about negotiators.
Last week, the Ragnar Locker group warned it would leak all exfiltrated data from victims who contact law enforcement authorities, like the FBI, after suffering a ransomware attack. The threat also applies to victims who contact data recovery firms to attempt decryption and conduct the negotiation process.
Since issuing the warning, the gang claims that it has followed through on the threat and published a victim's stolen data, after they called in a negotiator.
Ransomware groups do not like professional negotiators to be involved, as it can lead to reduced profits. It also stalls for time, allowing the victim to go through incident response procedures.
While Grief's warning puts further pressure on victims, it also appears to be an attempt to evade US sanctions.
The Grief group is believed to have links to Evil Corp, a Russian hacking group whom the US government has sanctioned. By issuing a warning against the use of negotiation firms, the group hopes its victims will not be alerted to sanction risks, and will eventually pay for a decryption key.
Grief is said to be a rebrand of DoppelPaymer, as it uses much of the same code. The group has been very active since the middle of May 2021, when DoppelPaymer's activity began to decline - about a week after DarkSide's ransomware attack on Colonial Pipeline in the USA.
Researchers at cloud security firm Zscaler analysed an early Grief (aka Pay or Grief) sample and found that the ransom note dropped on infected systems linked to the DoppelPaymer portal.
Both ransomware samples rely on similar code that implements identical encryption algorithms, import hashing, and entry point offset calculation.