Chris Swagler | September 9th, 2021

Ragnar Locker Ransomware

A ransomware group, Ragnar Locker, is threatening to publish data on their dark web leak site if victims attempt to contact the FBI, any law enforcement authorities, or investigative agencies. The threat also extends to victims who bring in data recovery experts to attempt to decrypt the data or to conduct the negotiation process. In previous ransomware attacks, the group has breached well-known companies and demanded millions of dollars in ransom payments.

The threat actors state that the data recovery process will be more difficult if the victim companies hire “professional negotiators” because these negotiators often work with data recovery companies associated with the FBI or other law enforcement agencies.

Ragnar Locker issued a statement on their data leak website warning that if anyone tries to hire a recovery company to handle negotiations, or tries to contact the police, the FBI, or investigators, the group will view it as hostile intent and will immediately publish the entire batch of breached data. The threat actors are known for deploying ransomware payloads manually to encrypt the victim’s network. Before the ransomware group begins the data encryption process, they conduct reconnaissance to find network resources, company backups, and other sensitive data.

In the past, Ragnar Locker has breached other companies, including Capcom, a Japanese game maker; ADATA, a computer chip manufacturer; and Dassault Falcon, an aviation company.

Groups such as Ragnar Locker will test many different tactics to squeeze payments out of victims. Although this group is threatening a data leak for any contact with the FBI or security firms, it’s worth reaching out to these contacts anyway. SpearTip’s engineers have experience in these situations and will negotiate with threat actors so your organization doesn’t have to. Threat actors are not to be trusted in any incident, and there’s a good chance they’ll leak your data in some capacity regardless of ransomware payment status. Involving a forensics firm with incident response capabilities is crucial for your organization’s recovery and future protection in this type of incident.

At SpearTip, our certified engineers work around the clock, 24/7, at our Security Operations Centers and will continuously monitor your networks for any potential intrusions like those performed by Ragnar Locker threat actors.

Contacting SpearTip for response cases is beneficial, but a more effective route of protection is being proactive. SpearTip’s ShadowSpear platform is the best proactive tool for the protection of your organization. It will stop ransomware threats before they ever have the chance to infect your organization’s machines and gives you a direct line of communication with our engineers should your team have any questions.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.