{
	"id": "4fd135fa-0b22-4538-814a-d26b95df24ce",
	"created_at": "2026-04-06T00:09:42.332201Z",
	"updated_at": "2026-04-10T03:21:45.80482Z",
	"deleted_at": null,
	"sha1_hash": "d4828e80fe0bc383d15cd7e8efafe968e88c886a",
	"title": "Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 385990,
	"plain_text": "Ragnar Locker reminds breach victims it can read the on-network\r\nincident response chat rooms\r\nBy Joe Uchill\r\nPublished: 2021-12-03 · Archived: 2026-04-05 23:21:49 UTC\r\nRedacted version of Ragnar Locker's screen capture, including watermark added by Ragnar Locker.\r\nPotentially identifying details about the victims or attack have been removed.\r\nOn Thursday, the Ragnar Locker ransomware group published the first batch of files stolen from a French\r\ncomputer and electric goods store it had victimized. Along with the archives were a series of screenshots taken\r\nwhile on the victim's network, including one from inside an incident response chat.\r\nRagnar Locker had been monitoring their victims as they discussed how to respond.\r\nIt is common for security teams to forget that chats and email accounts that live on breached networks will no\r\nlonger be secure, a variety of breach responders, negotiators, and preparation consultants told SC Media.\r\n\"What I've found is that a lot of times in playbooks communications are addressed mostly as from a standpoint of\r\nwhen to address whom within the organization or externally. It's not as much about the integrity of those\r\ncommunications,\" said Trevin Edgeworth, director of Bishop Fox's red team practice.\r\nThere is an easy fix: during crisis planning, prepare out-of-band communications, anything from dedicated crisis\r\nconsumer email accounts to secure chat apps.\r\nForgetting that, they say, has made many breaches worse.\r\n\"We've seen before where the attacker intercepted an Excel spreadsheet with the containment and eradication\r\nstrategy,\" said David Wong, vice president of Mandiant Consulting. 
\"So after we said that on Saturday at\r\nmidnight, we're gonna reset those accounts, we're gonna block their IPs, we're gonna shut down the systems,\r\nFriday night, right before we're about to do what we're gonna do, they create backdoors elsewhere in their network\r\nfrom different infrastructure.\"\r\nIt is not just a matter of making breaches more persistent. During ransomware attacks, ransomware actors can\r\ncatch victims discussing bringing in negotiators or police against the demands of a ransom note, or overhear\r\nstrategic discussions of pricing. \"You don't want them to hear you say, 'We can afford $10 million. We think we\r\ncan get them down to $2 million if we offer them $500,000,'\" said Wong.\r\nSetting up out-of-band communications in advance is key to having them available in an emergency. Setting up a\r\nnew communications system adds another wrinkle to the chaos around a breach, especially since you cannot use\r\ncommunications systems that may have been breached to coordinate moving to that new system.\r\nPersonal email accounts may not be a reasonable option for out-of-band contact. While the actors behind a breach\r\nmight not have access to them, if someone sues the company over a breach, those accounts may be open to a\r\nsubpoena, noted Wong.\r\nIn the end, communications is one of a number of oft-overlooked services an enterprise may rely on to handle a\r\nbreach that could be disrupted during a breach.\r\n\"What companies don't realize is how short a path it is from domain compromise to doing other damage,\" said\r\nEdgeworth. \"Gaining complete control of a domain is to having access to the most sensitive areas of your\r\norganization, be that your messaging and communications, or your customer data repositories, or your data\r\nbackups. 
It's all coming off of that domain compromised.\"\r\nSource: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms"
	],
	"report_names": [
		"ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4828e80fe0bc383d15cd7e8efafe968e88c886a.pdf",
		"text": "https://archive.orkl.eu/d4828e80fe0bc383d15cd7e8efafe968e88c886a.txt",
		"img": "https://archive.orkl.eu/d4828e80fe0bc383d15cd7e8efafe968e88c886a.jpg"
	}
}