{
	"id": "3decc420-a162-4cea-be19-739a6ed25675",
	"created_at": "2026-04-06T00:08:52.948478Z",
	"updated_at": "2026-04-10T03:33:15.485488Z",
	"deleted_at": null,
	"sha1_hash": "ba5859fe640575f8046e3191071d9f360555cffd",
	"title": "Ransomware gang threatens to wipe decryption key if negotiator hired",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2560633,
	"plain_text": "Ransomware gang threatens to wipe decryption key if negotiator hired\r\nBy Lawrence Abrams\r\nPublished: 2021-09-15 · Archived: 2026-04-05 22:43:53 UTC\r\nThe Grief ransomware gang is threatening to delete victim's decryption keys if they hire a negotiation firm, making it\r\nimpossible to recover encrypted files.\r\nLast week, BleepingComputer first reported that the Ragnar Locker ransomware gang threatened to automatically publish a\r\nvictim's stolen data if they contacted law enforcement or negotiation firms.\r\nRansomware gangs do not like professional negotiators to be involved in attacks, as it can lead to lowered profits and the\r\nstalling of time while a victim performs an incident response.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nRagnar Locker argues that ransomware negotiation firms are only there to make money and are not in the victim's best\r\ninterest.\r\n\"The recovery company will charge you, maybe even help you return the piece of data if our operation was not perfect, they\r\nwill try to bring down the price, and as a result, the data of their clients will simply be in the public domain, because we will\r\npublish it,\" Ragnar Locker posted on their data leak site.\r\nSince they made this warning, Ragnar Locker has already claimed to publish a victim's entire stolen data after they hired a\r\nransomware negotiator.\r\nGrief gang takes it a step further.\r\nOn Monday, the Grief gang (aka 'Pay or Grief') took these threats one step further by saying they will delete a victim's\r\ndecryption key if they hire a ransomware negotiator.\r\n\"We wanna play a game. 
If we see professional negotiator from Recovery Company™ - we will just destroy the\r\ndata.\r\nRecovery Company™ as we mentioned above will get paid either way. The strategy of Recovery Company™ is\r\nnot to pay requested amount or to solve the case but to stall. So we have nothing to loose in this case. Just the time\r\neconomy for all parties involved.\r\nWhat will this Recovery Companies™ earn when no ransom amount is set and data simply destroyed with zero\r\nchance of recovery? We think - millions of dollars. Clients will bring money for nothing. As usual.\" - Grief\r\nransomware gang.\r\nThey are saying that if a Grief victim hires a negotiator, the ransomware gang will delete the victim's decryption key,\r\nmaking it impossible to recover files.\r\nFull post by Grief ransomware gang\r\nWhile Grief is making this threat to put further pressure on victims, it is likely also made for another reason, to evade US\r\nsanctions.\r\nGrief ransomware is believed to be tied to a Russian hacking group known as Evil Corp, which the US government has\r\nsanctioned.\r\nBy banning ransomware negotiation firms, they hope that the victims will not be alerted of sanctions risks and thus not pay.\r\nEvading US sanctions\r\nEvil Corp is a cybercrime group best known for creating and distributing the Dridex banking Trojan and various ransomware\r\nfamilies.\r\nWhen the group first started, it used the Dridex trojan to steal online banking credentials and transfer funds to bank accounts\r\nunder their control.\r\nIn 2017, the gang started using the BitPaymer ransomware in attacks against the enterprise.\r\nIn 2019, a new ransomware operation emerged called DoppelPaymer, which shares much of the same code as BitPaymer.\r\nHowever, it is not clear if DoppelPaymer is operated by Evil Corp (aka INDRIK SPIDER) or another group.\r\n\"Both BitPaymer and 
DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have\r\nbeen identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer\r\nand DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,\" CrowdStrike\r\nexplained in a report at the time.\r\n\"This may suggest that the threat actor who is operating DoppelPaymer has splintered from INDRIK SPIDER and is now\r\nusing the forked code to run their own Big Game Hunting ransomware operations.\"\r\nAfter the US charged members of the Evil Corp for stealing over $100 million, it also added the cybercrime gang to the\r\nOffice of Foreign Assets Control (OFAC) sanction list.\r\nThe US Treasury later warned that ransomware negotiators may face civil penalties for facilitating ransomware payments to\r\nransomware gangs on the sanction list.\r\nEvil Corp began deploying new ransomware variants under different names to evade US sanctions, such\r\nas WastedLocker, Hades, Phoenix CryptoLocker, and PayLoadBin.\r\nWhile Evil Corp used these different variants, the DoppelPaymer operation concurrently ran until May 2021, when they\r\nstopped listing new victims on their data leak site.\r\nOne month later, the new Grief ransomware gang emerged, which is believed to be a rebrand of DoppelPaymer as it uses\r\nmuch of the same code.\r\nAs organizations believe there is a strong enough nexus between DoppelPaymer/Grief and Evil Corp, they likely rebranded\r\nto avoid US sanctions.\r\nUpdate 9/1/21: The Record's Catalin Cimpanu claims that Grief told him this does not mean they will be deleting decryption\r\nkeys, but instead they will destroy the data on victim's servers they still have access to.\r\nIf this is indeed what they mean, then it is a limited threat as 
they likely do not continue to have access to all of their victim's\r\nnetworks.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/"
	],
	"report_names": [
		"ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434132,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba5859fe640575f8046e3191071d9f360555cffd.pdf",
		"text": "https://archive.orkl.eu/ba5859fe640575f8046e3191071d9f360555cffd.txt",
		"img": "https://archive.orkl.eu/ba5859fe640575f8046e3191071d9f360555cffd.jpg"
	}
}