Does Ragnar Locker veto on negotiators change the extortion game?


The Ragnar Locker group made headlines over the weekend for threatening to leak all of a victim's files if the victim went to law enforcement for help. But the threat concerning law enforcement was couched in a more unusual warning: that using the wrong negotiator may be tantamount to going to the police or attempting a data recovery behind its back.

"We've seen it in negotiations in the past where ransom groups will say don't go to the police," said Bryce Webster-Jacobsen, director of intelligence operations at GroupSense, a firm with a large ransomware negotiation practice. "I definitely don't recall ever seeing one where they equated going to the police with bad negotiating tactics."

While it is not uncommon to tell victims not to go to the authorities, many extortionists understand it is a price of doing business. There are logistical problems with not going to law enforcement in many cases. It can be required by law or may be required in the insurance process to get a ransom paid.

Webster-Jacobsen said that GroupSense always advises clients to go to law enforcement, and will continue to advise them to go to law enforcement. But, he said, they will always abide by a victim's choice.

That said, ransomware actors have not traditionally been as publicly indignant about negotiators acting in bad faith, as Ragnar Locker wrote on its blog.

"In our practice we has facing with the professional negotiators much more often in last days. Unfortunately it's not making the process easier or safer, on the contrary it's actually makes all even worse. Such negotiator are usually working in recovery companies affiliated or even working directly in Police/FBI/investigation agency and etc. They are totally not interested in commercial success of their clients or in safety of theirs private data." Ragnar Locker wrote on its blog. (Typos and grammatical errors were maintained for accuracy.)

"So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately."

Standard industry practice is for the negotiators not to be part of the data recovery team, and in the past, ransomware actors have requested not to deal with certain negotiators due to bad rapport. That said, the closest scenario to the Ragnar Locker demand about negotiators that Webster-Jacobsen is aware of was as much about victim protection as protection for the criminals.

"In the past we've seen a group that has put out a warning against working with negotiators who were less than ethical," he said. "They were negotiators who charged a flat fee that included the ransom and kept the difference."

The unusually public nature of the announcement, combined with the unorthodox connection of negotiators and law enforcement, raised questions among negotiators and intelligence analysts about what spurred on the Ragnar Locker post.

"When I see something like this, I have to ask myself what is really the end goal," said Jon DiMaggio, chief security strategist at the threat intelligence platform Analyst 1. "At the end of the day it is about money; I think that they just feel that they have a greater opportunity to collect a stronger ransom."

Does it matter? And does this tactic shift how victims should react to extortion attempts? DiMaggio, who is not a negotiator, sees such demands changing little in terms of the status quo, even when dealing with Ragnar Locker.

"At the end of the day, I think we'll still continue to see business as usual. You're going to have to get law enforcement involved, you're going to have to get a negotiator, and you're maybe going to have to just tread water a little bit differently in how you actually interact with them," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
