Business Continuity Management / Disaster Recovery , Cyber Insurance , Cybercrime
Ragnar Locker: 'Talk to Cops or Feds and We Leak Your Data'Extortionists Revert to Scareware Tactics to Pressure Victims to Avoid Negotiators
Remember the ransom-note meme involving a picture of a puppy with a weapon leveled at its head, and a written warning that if you do anything wrong, the pooch bites the dust?
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
The Ragnar Locker ransomware operation is taking a page from that approach and threatening to dump victims' stolen data if they breathe a word of the attack to law enforcement officials - or attempt to bring in professional investigators or negotiators - before paying the ransom.
"Perhaps the criminals watched too many TV shows, because this isn't how the real world works."
"If you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately," reads a statement posted to Ragnar Locker's dedicated data leak site, as Bleeping Computer first reported.
"Don't think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie," Ragnar Locker claims in the post to its Tor-based site.
This isn't the first time that someone associated with Ragnar Locker has tried to think outside the box. Last November, in an episode of "Facebook shaming," Ragnar Locker hacked into an unaffiliated third-party organization's account on the social network to upload a post advertising that it had crypto-locked systems at Italian liquor company Campari, which it demanded either pay a ransom or see its stolen data get leaked.
With the latest gambit, the extortionists appear to be trying to bring pressure on victims not to think, but simply to act.
"I think the threat actors are trying to take advantage of the initial shock of the attack to pressure victims into making a rushed decision," says John Fokker, the principal engineer and head of cyber investigations and operational intelligence at security firm McAfee. He likens the move to pulling a page out of the old scareware social-engineering playbook, of which previous examples include demanding a payoff from someone the attackers claim to have recorded watching porn via their webcam.
"I viewed this post as just another thin threat to try and scare victims from doing the right thing and getting the type of professional help some may need," says Bill Siegel, CEO of ransomware incident response firm Coveware.
Indeed, unless the ransomware attackers are monitoring all communications inside a company in real time, they also won't know if an organization has contacted law enforcement officials or if a professional negotiator might be handling all communications. In addition, just because Ragnar Locker claims to have stolen data doesn't mean it did steal data, or that it stole anything sensitive (see: Secrets and Lies: The Games Ransomware Attackers Play).
"Perhaps the criminals watched too many TV shows, because this isn't how the real world works," Fokker says of Ragnar Locker's latest gambit. "Threat actors know the police will be involved, as well as incident response and negotiation firms. So while this strategy might work for a very small portion of victims, it will be very difficult for a threat actor to know who is actually behind the keyboard."
Expert: Talk to Negotiators Before Paying
That a ransomware operation is attempting to pressure victims into not working with negotiators suggests they are, in fact, oftentimes very effective advocates for victims.
"The fact that gangs don't want victims to involve negotiators or law enforcement help is a very clear indication that they should," says Brett Callow, a threat analyst at security firm Emsisoft. "In fact, it's the best possible endorsement of their services."
Ransomware-battling veteran Fabian Wosar, CTO of Emsisoft, "strongly suggests" that any victim that is considering paying a ransom - because they are unable to restore from backups, or because of the threat posed by stolen data being leaked is too great - first contact a professional ransomware negation service, for two main reasons.
One is ease: "The ransomware negotiators, they can actually give you a proper invoice, and you don't have to explain to your local tax service what that huge bitcoin transfer was," Wosar told me earlier this year (see: Alert for Ransomware Attack Victims: Here's How to Respond).
"But the other one is that a lot of these negotiating services like Coveware, for example, they have vast experience when it comes to handling these cases," he says. "They have large databases that allow them to give you an idea how long it's going to take, whether or not the threat actor will just take your money and run. And they will also have valuable insight into whether or not the decryptor that you will get back when you pay the ransom is actually working. Because not all these decryptors actually perform reasonably well; a lot of them kind of have issues."
More than a dozen ransomware negotiation firms, including Arete Advisors and Gemini Advisory, offer such services, and so do multiple law firms and in-house teams at cyber insurance providers, which can also provide trusted referrals.
But as some reports have noted, not all ransomware response firms are trustworthy. "Victims of ransomware do need to be aware of data recovery companies that are not transparent with victims and often work directly with the threat actors to split the ransom, while claiming they can decrypt files without having to pay a ransom," Coveware's Siegel says.
Midlevel Ransomware Operation
The rise of ransomware incident response firms - at least the trustworthy ones - represents one way in which the security community has been moving to blunt the rise of operations such as Ragnar Locker, which first appeared in December 2019.
Last November, threat intelligence firm Intel 471 classified Ragnar Locker not as being one of the top-tier players, which then included DopplePaymer, Egregor, Netwalker, Ryuk and Sodinokibi, aka REvil. Instead, it classified Ragnar Locker as being one of nine up-and-coming, midlevel ransomware-as-a-service operations. It noted that the ransomware could also be procured via the Exploit cybercrime forum.
In April 2020, the FBI warned of an increase in attacks tied to the Ragnar Locker. But blockchain analysis firm Chainalysis reports that the operation has never ranked in the top 10 ransomware strains by revenue.
Ragnar Locker's data leak site demonstrates that the operation continues to rack up fresh victims. But based on its pedestrian shakedown moves, it's not clear that this midlevel player is set to become a more potent threat - at least not anytime soon.