The Grief ransomware gang threatens to delete the victim’s decryption keys if they hire a trading company, making it impossible to recover the encrypted files.

Last week, BleepingComputer first reported that the Ragnar Locker ransomware gang threatened to automatically publish a victim’s stolen data if they contacted law enforcement or trading companies.

Ransomware gangs do not like professional negotiators to be involved in attacks, as this can lead to lower profits and delay while a victim responds to an incident.

Ragnar Locker argues that ransomware trading companies are only there to make money and are not in the best interests of the victim.

“The recovery company will charge you, maybe even help you return the data if our operation was not perfect, they will try to bring the price down, and therefore their customers’ data will simply be in the domain. public because we’ll release it, ”Ragnar Locker posted on their data breach site.

Since issuing this warning, Ragnar Locker has already claimed to release the entire stolen data of a victim after hiring a ransomware negotiator.

Grievance gang goes even further.

On Monday, the Grief gang (aka ‘Pay or Grief’) took these threats a step further by saying they would remove a victim’s decryption key if they hired a ransomware negotiator.

“We want to play a game. If we see a professional negotiator from Recovery Company ™, we’ll just destroy the data.

Recovery Company ™, as we mentioned above, will get paid anyway. Recovery Company ™ strategy is not to pay the requested amount or resolve the matter but to stall. So we have nothing to lose in this case. Just saving time for all parties involved.

What is it going Recovery companies ™ to win when no ransom amount is set and data is simply destroyed with no chance of recovery? We think – millions of dollars. Customers will bring money for nothing. As usual. “- Ransomware gang grievance.

They say if a grievance victim hires a negotiator, the ransomware gang will delete the victim’s decryption key, making file recovery impossible.

While Grief makes this threat to put additional pressure on the victims, it’s probably also made for another reason, to evade US sanctions.

The Grief ransomware is said to be linked to a Russian hacking group known as Evil Corp, which the US government has sanctioned.

By banning ransomware trading firms, they hope that victims will not be alerted to the risk of sanctions and therefore will not pay.

Escaping American Sanctions

Evil Corp is a cybercrime group best known for creating and distributing the Dridex banking Trojan and various ransomware families.

When the group started, it used the Dridex Trojan to steal online banking credentials and transfer funds to bank accounts under their control.

In 2017, the gang started using BitPaymer ransomware in attacks on the company.

In 2019, a new ransomware operation emerged called DoppelPaymer, which shares much of the same code as BitPaymer. However, it is not clear whether DoppelPaymer is operated by Evil Corp (aka INDRIK SPIDER) or another group.

“BitPaymer and DoppelPaymer continue to operate in parallel and new victims from both ransomware families were identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, do not just indicate a fork of BitPaymer code base, but an entirely separate operation “, CrowdStrike explained in a report at the time.

“This may suggest that the threat actor who exploits DoppelPaymer has split off from INDRIK SPIDER and is now using the forked code to perform his own Big Game Hunting ransomware operations.”

After the United States indicted members of Evil Corp for stealing more than $ 100 million, it also added the cybercriminal gang to the Office of Foreign Assets Control (OFAC) sanctions list.

The US Treasury subsequently warned that ransomware negotiators could face civil penalties for facilitating ransomware payments to ransomware gangs on the sanctions list.

Evil Corp has started rolling out new ransomware variants under different names to evade US sanctions, such as WastedLocker, Hades, Phoenix CryptoLocker, and PayLoadBin.

While Evil Corp used these different variations, Operation DoppelPaymer ran simultaneously until May 2021, when they stopped listing new victims on their data breach site.

A month later, the new Grief ransomware gang emerged, which would be a new image of DoppelPaymer as it uses much of the same code.

As organizations believe there is a strong enough connection between DoppelPaymer / Grief and Evil Corp, they probably changed their name to avoid US sanctions.