Ransomware criminal gang threatens any victim that contacts the FBI

Published 9/15/21, 9:00am

Ransomware attackers have added yet another extortion tool to their criminal arsenal. News reports surfaced last week that the Ragnar Locker ransomware gang announced via their darknet leak site that they planned to publish all the data stolen from ransomware victims if those victims sought the help of law enforcement, the FBI, or any other investigators. The threat also applies to any victim that contacts a data recovery expert for assistance with decryption or negotiation.

The Ragnar Locker gang is known for conducting extensive reconnaissance on victims before an attack and then manually deploying ransomware payloads to already encrypted systems to help discover additional corporate network resources, backups, or sensitive files. The gang has also been known to alternate payload obfuscation techniques to help avoid detection. 

While the Ragnar criminals claim that victims who contact law enforcement are making the recovery process worse, it is far more likely that the only individuals suffering in a professional negotiation setting are the criminals themselves. Further, although the Ragnar Locker criminals claim they ‘have ways’ to tell if a victim is working with law enforcement or other investigators, this is highly unlikely unless the Ragnar Locker criminals have now all become psychics.

The other irony in this threat is that cyber-insurance policies (which cybercriminals love because it tends to guarantee payment) often include clauses requiring the victim to comply with any incident disclosure regulations and laws or suffer fines.

Next Steps

Anyone that finds themselves a victim of ransomware is strongly urged to ignore threats of this nature coming from criminal ransomware gangs. Victims are encouraged to immediately contact a professional ransomware incident response team, inform law enforcement, review the terms of their cyber insurance policy, and comply with any regulations and laws pertaining to a cyberattack against their business. It is also important to note that the FBI does not support paying a ransom in response to an attack since it often does not guarantee that the victim will regain access to their data. Ransom payments also offer an incentive to the criminals to target more victims. The FBI also strongly encourages victims to report any incident to the local FBI field office since information gleaned about the attack can provide investigators with critical information to track ransomware criminals, hold them accountable, and prevent future attacks.