Privacy Ninja




Ransomware Gang Threatens to Wipe Decryption Key if Negotiator Hired


The Grief ransomware gang is threatening to delete victims’ decryption keys if they hire a negotiation firm, making it impossible to recover encrypted files.

Last week, BleepingComputer first reported that the Ragnar Locker ransomware gang threatened to automatically publish a victim’s stolen data if they contacted law enforcement or negotiation firms.

Ransomware gangs do not like professional negotiators to be involved in attacks, as it can lead to lowered profits and to stalling while a victim performs incident response.

Ragnar Locker argues that ransomware negotiation firms are only there to make money and are not in the victim’s best interest.

“The recovery company will charge you, maybe even help you return the piece of data if our operation was not perfect, they will try to bring down the price, and as a result, the data of their clients will simply be in the public domain, because we will publish it,” Ragnar Locker posted on their data leak site.

Since making this warning, Ragnar Locker has already claimed to have published a victim’s entire stolen data after the victim hired a ransomware negotiator.


Grief gang takes it a step further.

On Monday, the Grief gang (aka ‘Pay or Grief’) took these threats one step further by saying they will delete a victim’s decryption key if they hire a ransomware negotiator.

“We wanna play a game. If we see professional negotiator from Recovery Company™ – we will just destroy the data.

Recovery Company™ as we mentioned above will get paid either way. The strategy of Recovery Company™ is not to pay requested amount or to solve the case but to stall. So we have nothing to lose in this case. Just the time economy for all parties involved.

What will this Recovery Companies™ earn when no ransom amount is set and data simply destroyed with zero chance of recovery? We think – millions of dollars. Clients will bring money for nothing. As usual.” – Grief ransomware gang.

They are saying that if a Grief victim hires a negotiator, the ransomware gang will delete the victim’s decryption key, making it impossible to recover files.

Full post by Grief ransomware gang

While Grief is making this threat to put further pressure on victims, it is likely also made for another reason: to evade US sanctions.

Grief ransomware is believed to be tied to a Russian hacking group known as Evil Corp, which the US government has sanctioned.

By banning ransomware negotiation firms, they hope that victims will not be alerted to the sanctions risk, which could otherwise lead them not to pay.

Evading US sanctions

Evil Corp is a cybercrime group best known for creating and distributing the Dridex banking Trojan and various ransomware families.

When the group first started, it used the Dridex trojan to steal online banking credentials and transfer funds to bank accounts under their control.

In 2017, the gang started using the BitPaymer ransomware in attacks against the enterprise.

In 2019, a new ransomware operation emerged called DoppelPaymer, which shares much of the same code as BitPaymer. However, it is not clear if DoppelPaymer is operated by Evil Corp (aka INDRIK SPIDER) or another group.

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,” CrowdStrike explained in a report at the time.

“This may suggest that the threat actor who is operating DoppelPaymer has splintered from INDRIK SPIDER and is now using the forked code to run their own Big Game Hunting ransomware operations.”

After the US charged members of Evil Corp for stealing over $100 million, it also added the cybercrime gang to the Office of Foreign Assets Control (OFAC) sanctions list.

The US Treasury later warned that ransomware negotiators may face civil penalties for facilitating ransom payments to ransomware gangs on the sanctions list.

Evil Corp began deploying new ransomware variants under different names to evade US sanctions, such as WastedLocker, Hades, Phoenix CryptoLocker, and PayLoadBin.

While Evil Corp used these different variants, the DoppelPaymer operation concurrently ran until May 2021, when they stopped listing new victims on their data leak site.


One month later, the new Grief ransomware gang emerged, which is believed to be a rebrand of DoppelPaymer as it uses much of the same code.

As organizations believe there is a strong enough nexus between DoppelPaymer/Grief and Evil Corp, the gang likely rebranded to avoid US sanctions.


