Ransomware Attackers Article

Flush with the spoils of successful attacks, criminal ransomware organizations are evolving at an unprecedented pace. The most sophisticated now employ strategies including targeted research, enhanced pressure tactics and proprietary technologies. Attackers aim to create a sense of corporate crisis and force victim companies to make an emotional and immediate decision to pay the ransom.

These advanced actors comb publicly available data sources for details such as cyber insurance policies and compensation to scale their ransom demands. Once an attack is launched, they ramp up corporate terror by contacting top executives and downstream partners or exposing victim companies via online “shame sites.” They even launch denial of service attacks mid-negotiation.

Because of the criminal sector’s growing scale, the number of ransomware attacks, the scope of demands and the number of victim companies are all ballooning. Companies stand to lose reputation, operating time and cash.

Emerging Trends 

Ransom demands based on attacker research. The two primary ways that Tracepoint is seeing threat actors establish the ransom demand amount are: 

  1. Open-source research on the gross revenue of the company coupled with executive compensation, if available.

  2. Whether the company has cyber insurance.

Ransomware actors calling out possible professional ransomware negotiators. Our Dark Web Threat Intelligence is seeing attackers calling out what they feel are professional - yet unsophisticated – negotiators. The threat actors cite seeing the use of a consistent script in discussions as the telltale sign, threatening to destroy data if they feel like they are engaging with a professional negotiator. 


Have your cyber security team in place before an attack.
Speed to engagement is critical in a ransomware event. The chaos of a corporate crisis is no time to be evaluating firms’ capabilities. Engaging a cyber security firm before the worst happens gives you time to harden your systems and plan for speedy recovery if the worst occurs.

Ransomware Playbook
Companies should have a comprehensive and well-rehearsed Ransomware Playbook in place. Defining roles and responsibilities within the organization is essential for an effective response to a Ransomware attack. Having a playbook in place that has been tested via a controlled tabletop or wargaming exercise is also essential. The exercise tests the roles, procedures and assumptions contained within the playbook and allows companies to identify the strengths as well as the weaknesses in their response strategy. 

Become an undesirable target.
Just like traditional criminals, ransomware attackers go for low-hanging fruit first.
For example: Running software that isn’t updated is the equivalent of leaving your car unlocked on the street. Even organizations that lack the most sophisticated attack tools can target companies that haven’t patched known vulnerabilities. Deploying a robust patching program is like locking your doors — it encourages the average criminal to move on.

Acquire cyber insurance.
To become a good candidate, conduct a breach audit and certification from a reputable cyber security vendor. 

Before a breach: Build resilience into your network.
While doing everything possible to prevent it, operate under the assumption that you will be attacked.

  1. Identify and protect the documents that would be most harmful if accessed, such as customer PII, employee health data, trade secrets and the amount of cyber security coverage you hold.

  2. Deploy standard security measures, such as multi-factor authentication and EDR (Endpoint Detection and Response), to slow or stop intruders before they cause harm.

  3. Build an insider threat program. Besides safeguarding technology, companies must also look to human vulnerability. An emerging threat on the cyber ransom horizon is the prospect of well-funded organizations bribing employees to introduce malware internally. 

  4. Lay the groundwork for a quick recovery. Example: backups. Cyber attackers hunt for data backups to lock up, preventing companies from recovering their system capabilities. An attack-resistant company has off-premises backups that are air gapped from the network, inaccessible to hackers.

Should a breach occur
An experienced guide is needed to navigate this corporate crisis. A competent service provider will have a long track record of securing critical environments and a deep understanding of the threat landscape both now and in the future. A cyber security team will fight the attackers’ attempts to foment panic on multiple fronts: 

  1. Negotiation. Experienced cyber ransom negotiators are able to discern sophisticated attackers from petty crooks, stay in control of the process and advise companies on how to respond to threats and promises. The ideal outcome of negotiations is nonpayment. In cases where ransom is paid, Booz Allen clients have lost an average of only 10%of initial demands.

  2. Investigation. Parallel with negotiation, a competent cyber security team will forensically map the extent of network infiltration and identify compromised files. This information can both strengthen the victim company’s position and facilitate recovery.

  3. Communication. Employees, customers, partners and the media will all need to be informed to some extent, in a manner that highlights the company’s competent handling of the incident and prevents panic.

  4. Legal and regulatory considerations. Companies may be required to disclose breaches, such as leaks of customers’ PII.

  5. Companies considering making a payment must perform due diligence to identify the attackers, to rule out inadvertently violating Office of Foreign Asset Control (OFAC), Anti-Money Laundering (AML) and other state, federal and international laws. .

  6. Recovery and Remediation. The goal is to minimize business interruption and long-term damage, and to prevent a repeat attack. The steps to a full recovery include cleansing the system of ransomware, restoring employees’ access to needed data and deploying any needed security improvements to ensure that the company will be more resilient the next time a breach is attempted.

Connect with this topic

Meet the Authors:

Bridget Q. Choi

Nathaniel Hall