Since it re-emerged as a major threat several years ago, ransomware has continued to evolve. Ransomware gangs regularly add new tactics and twists to their playbooks to increase pressure on victims. The latest development comes from the Ragnar Locker group, which is now threatening to publish sensitive information if the victim even makes contact with authorities like the FBI.
Ragnar Locker group ratchets up tension for ransomware victims
The big development in ransomware in the last year or two has been the increasing practice of exfiltrating sensitive files and using them as blackmail material to add pressure. Though it is still not a majority practice, a number of the biggest ransomware gangs maintain dark web sites and blogs which they use to release confidential files to the public if victims fail to pay up within a certain amount of time.
Ragnar Locker is now threatening to dump these documents if targets contact investigative agencies, send requests to the police or even hire any recovery company. The ransomware gang issued the warning through its own dark web leaks site. It also warned that it would view the hiring of “professional negotiators” as a sign of “hostile intent,” claiming that negotiation firms can be expected to contact and work with law enforcement agencies as an opening move.
It is unclear how Ragnar Locker would determine if a target company has privately contacted the FBI or some other such agency, but the ransomware gang’s proclamation seemed to put a special emphasis on keeping away from these professional negotiation firms. The group claimed that it has dealt with them many times and believes that they “make things worse” by being involved from the beginning with a “police/FBI/investigation agency” in all cases.
Ransomware gangs evolve tactics in response to security and mitigation measures
Ragnar Locker began its activity in early 2020, and by the middle of the year it was considered a serious player among the ransomware gangs. The group’s ransomware targets Microsoft Windows systems with a special focus on managed service providers that can be responsible for the assets of hundreds to thousands of clients. The group is a little different from most of the current prominent ransomware gangs as it is not an “as a service” affiliate provider; the attacks seem to come from a core group that operates directly against its targets. Other groups have nonetheless adopted its ransomware and installers on their own, most notably the Maze group, which adopted its MSI installer in June of last year to deliver its own ransomware payloads.
Ragnar Locker has hit some big names since it began its criminal campaign in early 2020. Prominent victims include corporate travel firm CWT, Italian liquor vendor Campari, Japanese game publisher Capcom and aerospace firm Dassault Falcon Jet. The group is estimated to have taken in at least tens of millions of dollars in ransom money in the past year and a half, with CWT confirming that it made a $4.5 million payment to get its systems unlocked and Campari potentially having paid as much as $15 million to the group. Capcom was asked for $11 million and refused to pay, subsequently suffering leaks of data that appeared to include passport scans of Japanese employees and digital signatures.
Ransomware victims in a tough spot
The demand puts victims in an even tougher spot, as agencies such as the FBI generally advise that they be contacted immediately when a ransomware attack is detected. This is often very good advice, as these agencies are sometimes able to claw back a good portion of the stolen funds (as happened in the Colonial Pipeline attack). Reporting of ransomware attacks is also sometimes required by law, and the United States government has been looking to expand the range of circumstances in which this applies as of late.
Of course, it remains to be seen if Ragnar Locker will actually follow through with the threat. Ransomware gangs want to get paid first and foremost, and torching the deal as soon as a negotiator is contacted seems to be a move that would bring their overall revenues down considerably.
And as Ilia Kolochenko (Founder/CEO and Chief Architect of ImmuniWeb) observes, stolen data from victims is often not even worth making an extortion attempt with: “Sometimes, cybercriminals just steal pretty worthless information and its eventual publication will have no tangible damage. Contrariwise, when regulated data, such as medical records, is stolen, breached companies have a duty to report the incident to competent authorities as a matter of law. If they conceal the incident, they may face harsh legal ramifications including criminal prosecution. Furthermore, as countless cases convincingly illustrate, following the instructions of ransomware gangs never guarantees that your data won’t be leaked or resold sooner or later.”
As Kolochenko points out, ransomware gangs also cannot be trusted to keep their word and delete stolen data. If it is worth something, odds are it will pop up for sale on the dark web at some point in time. Ransomware gangs have a spotty track record of releasing decryption keys upon payment, but that record is shaping up to be better than their rate of keeping promises to delete stolen data or not share it with other criminal elements. Kolochenko agreed with the Ragnar Locker assessment that law enforcement agencies do not always help the situation, but advises bringing in whatever outside sources are necessary to help determine what the best next steps to take are: “Most importantly, when your company falls victim to a ransomware attack, is to stay calm and rapidly assess the scope and the nature of compromised data. It is also critical to disconnect compromised systems from the Internet while preserving volatile digital evidence. Thus, if required, external forensic and cybersecurity professionals should be promptly hired under supervision of an external law firm – this may give additional advantages in court proceedings if data is eventually leaked and victims sue for damage. Once the scope and impact of the incident are clear, the victims shall make a well-informed decision whether to contact law enforcement agencies or not.”