grief

INACTIVE
Ransomware-as-a-Service

ransomware group

Grief, also known as Pay or Grief, is a ransomware group that emerged in May 2021 and is widely believed to be operated by actors linked to the Evil Corp cybercrime syndicate. It operates as a Ransomware-as-a-Service (RaaS) platform and uses a double-extortion strategy: it encrypts files while threatening to leak stolen data via its Tor-based leak site. Grief’s ransomware payload uses strong encryption (commonly RSA-2048 + AES-256) and typically appends the .grief extension to files. The group has targeted organizations across multiple sectors, including government, finance, education, and manufacturing, with a focus on U.S. and European entities. Grief shares infrastructure and code overlaps with the earlier DoppelPaymer ransomware, and it uses phishing emails, malicious attachments, and compromised RDP credentials for intrusion. In late 2021, the U.S. Treasury’s OFAC issued sanctions against Grief due to its ties with Evil Corp, making ransom payments to the group legally risky for victims in the U.S.

Victims: 3 records
First Discovered: May 26, 2021 (victim)
Last Discovered: Jun 30, 2021 (victim)
Inactive Since: 1,822 days
Countries: 1 hit
Avg Discount: no settlements

Group Activity

[Chart: group activity over the last 12 months, Jul 2025 to Jun 2026]