UPDATED 23:11 EST / SEPTEMBER 07 2021

SECURITY

Ragnar Locker ransomware gang threatens to publish stolen data if victims contact authorities

Despite spurious reports that the infamous Ragnar Locker ransomware gang had quit and published its decryption keys, it turns out that it’s still active and still threatening its victims.

As first reported today by Bleeping Computer, the Ragnar Locker gang is warning its victims that it will leak stolen data if they contact law enforcement authorities, such as the U.S. Federal Bureau of Investigation. The announcement was made on the Ragnar Locker dark web page this week. The threat also applies to victims contacting data recovery experts to attempt to remediate and recover their data.

If the victim contacts the FBI or a data recovery company, Ragnar Locker says that it will publish the victim’s stolen data on its dark web leak site.

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately,” the gang said.

Ragnar Locker is a well-known double-tap ransomware gang, so called because it both encrypts files and steals data, demanding a ransom payment for both a decryption key and a promise not to publish the stolen data. It’s also an arguably innovative ransomware gang, having previously taken to buying Facebook Inc. advertising to put pressure on its victims to pay up.

Victims of Ragnar Locker include Italian drinks maker Davide Campari-Milano S.p.A, French shipping giant CMA CGM S.A. in September 2020 and Japanese video game developer Capcom Co. Ltd.

“These threats will certainly disincentivize many victims from contacting the authorities,” Ilia Kolochenko, founder of penetration testing company ImmuniWeb SA, told SiliconANGLE. “Nonetheless, in many ransomware cases, law enforcement agencies are of little to no help for the victims, being overloaded with pending cases and complex investigations. But hiring external or internal professionals to meticulously investigate the incident is crucial for all victimized companies.”

Kolochenko explained that ransomware attacks sometimes involve fairly worthless information and that the publication of the stolen data may cause no tangible damage. But that is not always the case.

“When regulated data, such as medical records, is stolen, breached companies have a duty to report the incident to competent authorities as a matter of law,” Kolochenko noted. “If they conceal the incident, they may face harsh legal ramifications including criminal prosecution. Furthermore, as countless cases convincingly illustrate, following the instructions of ransomware gangs never guarantees that your data won’t be leaked or resold sooner or later.”

Image: Ragnar Locker/Twitter
