Is Grief's Threat to Wipe Decryption Key Believable?
Analysts Say the Gang Is Escalating Rhetoric to Scare Victims
The Grief ransomware gang's latest tactic, threatening to wipe a victim's data and decryption key if the victim engages a ransom negotiator, is a desperate ploy to scare targets into paying the ransom demand, analysts say.
"If we see professional negotiator from Recovery Company. We will just destroy the data," Grief said in a statement first uncovered by Bleeping Computer.
Industry watchers believe Grief, Ragnar Locker and the other gangs adopting this approach are trying to steer victims toward a course of action that benefits the criminal group. They also see the move as a solid indicator that some of the defensive measures organizations now use, including professional negotiators and incident responders, are working.
"If a gang tells you not to seek outside help, it's because it's in their best interests that you don't. And, of course, their best interests are the exact opposite of your best interests. So ignore their threats and get help. Call in incident response professionals and call in law enforcement," says Brett Callow, a threat analyst with Emsisoft.
"The Grief gang are threatening to immediately destroy data should their victims call in negotiators." pic.twitter.com/31Vsup3ioB - Brett Callow (@BrettCallow), Twitter, September 14, 2021
Grief, which is believed to be a rebranded version of the Russia-based Evil Corp, jumped on the bandwagon that Ragnar Locker started rolling earlier this month when it warned potential victims the gang would immediately publicly dump their data if they talked to law enforcement agencies or recovery firms.
Only Good for Grief
Cyber analysts point out that caving to a threat or taking a course of action suggested by a cybercrime operation is not a good idea. But some acknowledge this type of pressure could scare a company with little experience in these areas into obeying.
Chris Clements, vice president of solutions architecture at the security firm Cerberus Sentinel, says the tactic is "primarily a strategy to ensure they maximize revenues long term. An inexperienced person at a company [that has been a victim of ransomware] may not know that most gangs will negotiate pricing with their victims at all, much less be skilled in ensuring they can negotiate the lowest rate."
Analysts also point out that the threat to wipe data and the decryption key is a sign ransomware gangs are having a tougher time lately. They see it as the next step in an escalation that began in late 2020, when gangs started layering additional extortion threats, beyond encryption alone, onto the calculus a victim has to weigh when hit with ransomware.
"I know ransomware gangs are positioning this as a tough stance, but I tend to think it is more of a reaction to repeatedly losing ground to negotiators and outside organizations. Ransomware groups are not used to the level of scrutiny they are getting from all sides, and it is starting to show," Allan Liska, an intelligence analyst at Recorded Future, tells Information Security Media Group.
The Latest Twist
In its darknet posting, Grief suggested that by forcing victims to avoid recovery companies, the gang was in fact saving them money, because all such companies are interested in is making a quick buck off the attack at the victim's expense.
"It's just a business model where Recovery Company earns its money just because it exists," Grief wrote. "The strategy of Recovery Company is not to pay the requested amount or to solve the case but to stall."
Clements says the gang is likely trying to avoid what it considers to be the time-wasting effort of negotiating. "I'm sure it's aggravating having to hold lengthy conversations with a negotiator that is likely in a time zone 8 to 10 hours behind you."
The fact that Grief and others want their victims to avoid professional help is a sure sign that obtaining such help is very important for any victim.
"Actors know that when professionals get involved (security folks, law enforcement, etc.), they can counsel the victim on how to negotiate and knock down the price, or might even refuse to pay altogether if some alternatives are identified," researchers at the threat intelligence firm Intel 471 told ISMG.
A Big Bluff
Clements says Grief's threat to destroy data, like Ragnar Locker's threat to leak it, is most likely a gambler's bluff that the gang would not follow through on.
"I'd be more than willing to call this a bluff by the ransomware operators as it would likely wipe out any financial gains from victims who defy their orders if they followed through with their threats," Clements says.
The Intel 471 researchers agree: "It's about fear, scare tactics and social engineering to up the pressure. From denial-of-service attacks to making calls to customers and partners, etc., attackers hope to prompt panic and push victims over the edge, particularly with threats of further punishment if anyone else gets involved, such as law enforcement."
Clements, however, does see one scenario in which a gang might follow through on its threat: to show that it "means business." In that case, any money lost on the defiant victim would be recouped from other victims scared into complying by the example.