The Value of Engaging a Threat Actor: Leveraging Strategic Communications for Ransomware Response
Posted by: Drew Schmitt
Additional contribution to this blog from Jason Baker, Threat Intelligence Consultant
If you’ve found this blog because you’re currently experiencing a ransomware incident, reach out to the GuidePoint Research and Intelligence Team (GRIT) immediately to engage and assist with your ransomware response.
Executive Summary
The unfortunate reality is that far too many organizations are becoming victims of ransomware attacks. As outlined in our Q2 ransomware report, in 2023 GRIT had already observed 2,000+ publicly posted ransomware victims by the end of June; the true impact of ransomware is undoubtedly higher when considering the volume of organizations that have never been publicly posted after paying threat actors’ ransom demands.
Regardless of any intent to actually make a ransom payment, engaging the threat actor during a ransomware attack will provide significant value and the critical context that business stakeholders, legal counsel, and incident responders need to make informed decisions in a timely manner. Organizations leveraging an effective threat actor communications strategy often experience the following benefits:
- Provide More Time: More time to pursue risk evaluation, incident response, and recovery without added pressure from extortion attempts
- Reduce Follow-on Risk: Reduction of risk associated with follow-on extortion attempts such as Distributed Denial of Service (DDoS) or threat actors communicating with partners and employees
- Retrieve and Confirm Valuable Information: Confirmation of data exfiltration and insight into potential data exfiltrated from an environment
- Proof of Decryption: Validation that a ransomware actor can decrypt encrypted files from your environment
- Threat Actor Confirmation and Integration of Associated Threat Intelligence: Discovery of operational details pertaining to the ransomware attack
This blog will take a deep dive into the threat actor communications process and the value organizations can get from engaging with ransomware actors regardless of any intent to make a payment, and provide an understanding of how a threat actor communications team can be a valuable risk reduction and investigation asset while responding to a ransomware attack.
Threat Actor Communications During Ransomware Response
When faced with a ransomware attack, one of the earliest and most difficult decisions you have to make is whether or not to communicate with the threat actor (TA). Many organizations equate communicating with a TA with paying a ransom demand, but this could not be further from the truth. The conventional wisdom shared in response to the ransomware epidemic is that no payment should be made to a threat actor, but rarely is that decision as black and white as we would like it to be. Any decision regarding ransom payment can be a difficult one to make and often requires input from many teams and stakeholders. We will not dive deep into whether or not you should pay a threat actor to recover your files and prevent data from being posted publicly, but we know that there are significant upsides to communicating with threat actors regardless of any intent to make a payment to them.
There are a host of factors that will influence decision-making processes during a ransomware event, and this complexity can hamper effective response. To increase responsiveness and ensure alignment across teams, a threat actor communications (TAC) plan takes into account the individual considerations that are unique to your organization, including legal criteria, business risk factors, and data recoverability. The threat actor communications plan should consolidate these factors and internal communication requirements in a centralized plan that is pre-approved and ready to execute during time-sensitive ransomware incidents. As mentioned, this blog will not focus on whether or not to pay a ransom. Instead, we will focus on how you can leverage effective communications with TAs and why you should consider communications regardless of your intent to pay.
What Value Can We Get from Engaging with the Threat Actor?
The purpose of engaging with a TA isn’t necessarily to negotiate a ransom payment, though that is a potential benefit of communication should that be the route your organization decides to pursue. Instead, communicating with a TA can buy critical time to assess a ransomware incident and decide whether or not payment is actually necessary for recovery. The communications process can also reduce or potentially eliminate risks related to additional extortion methods that are becoming increasingly common as TAs adopt new secondary and tertiary extortion tactics.
Creating a Time Buffer and Maximizing Your Time Horizon
Communicating with TAs can secure more of the most important resource in a ransomware scenario: time. In the earlier days of ransomware, before double extortion was the main method of placing pressure on victims to pay, TAs leveraged hard and fast deadlines and countdowns that threatened victims with a cutoff for decryption, after which encrypted files would be unrecoverable. IT and cybersecurity professionals stepping up their backups and response plans have since forced a change in ransomware tactics, and threat groups have started layering in more coercive methods of forcing payment. Threat groups still leverage countdowns and deadlines, but now a countdown could lead to anything from public exposure on a name-and-shame site to publication of sensitive data on a leak site or sale of sensitive files on the deep and dark web.
Despite these new and increased threats, ransomware operators are heavily incentivized to receive payment, and it’s in their best interest to make concessions if they believe it will lead to an acceptable payout. Engaging with a TA and actively communicating is likely the only chance you have to extend the threat actor’s imposed time horizon, giving yourself a little bit more time to catch your breath and methodically proceed through your response plan. In scenarios where you do not intend to pay a ransom demand, you’ll need that extra time to get your risk-based business response ready, prep your legal and PR teams for the eventual public announcement and data leak, and to build a strategy for how to move forward with recovery, all while completing a technical investigation and remediating all gaps in your security posture.
Play it Cool and Keep Tensions to a Minimum
Most threat actors seem to believe that aggression is the only way they will get their victims to pay their demands. This is where threat actor communications experts, sometimes referred to as “negotiators”, can be a huge benefit. Through our experiences with threat actors, we have developed methods of effectively keeping tensions to a minimum in order to disincentivize secondary extortion efforts and prevent TAs from losing their cool.
If a ransomware operator feels like they aren’t being taken seriously, they will often pursue a “show of force” and take a more aggressive approach in an attempt to reach their intended goal. In some circumstances, they may send you a link to a private web page showing how your data will look on their site. Another common tactic is to launch a Distributed Denial-of-Service (DDoS) attack, which would only make your incident response and investigation efforts more difficult. Another approach TAs will take is to start contacting employees and partners to inform them of the ransomware attack, which can lead to difficult questions regarding “an ongoing breach” or even public knowledge of the attack. This is all in addition to the fact that there may also be tangible impacts for the business brand if partners and customers begin to lose confidence in your organization.
Leveraging a threat actor communications expert allows you to maintain greater awareness throughout the incident and gives you options for how to move forward while methodically keeping the threat actor even-keeled. Threat actor communications experts leverage past experiences across multiple engagements with a threat group to produce a communication strategy that is most likely to keep the threat actor calm and collected while accomplishing the goals outlined in the threat actor communications strategy.
Keep Them Talking to Maximize Your Time Horizon and Learn About Their Operations
Engaging the TA supports your post-breach investigation capabilities and helps you gather threat intelligence pertaining to how the group operated in your environment and, if they exfiltrated data, what data they may have obtained from your organization. There is no guarantee that everything the ransom note claims actually happened. For example, engaging with the TA gives you time to confirm that data exfiltration actually occurred, either by checking your network traffic logs and DLP tools or by asking them for direct proof of what data they have in their possession. It also gives you more of an opportunity to confirm the full extent of the attack so you can be sure there aren’t any surprises in store for you later, especially if you do not pay their demand. Another key component of this process is to ensure that the threat actors have the means to decrypt your files, both in case you need a decryptor to recover your files and to glean critical information on the level of sophistication of the group’s operations.
Engaging with the TA can give you some much-needed breathing room to conduct your investigation with minimal interference and confirm that you know the full extent of what happened. But beyond that, it can help with your incident response efforts. Communications can give you key details for attribution so you can identify a group’s tactics, techniques, and procedures (TTPs), and may reveal critical information like crypto wallet addresses that you can forward to law enforcement for further follow-up. The trick with this part of the process is to avoid the pitfalls associated with threat actors. At the end of the day, we are dealing with criminals, which raises concerns related to the validity of any claims and the question of whether they will honor their part of the bargain. As a team of seasoned threat actor communications experts, we can leverage our experiences to provide additional context and assess the likelihood of truthfulness to threat actors’ claims so that you can make the most informed decisions possible.
Additional Considerations to Incorporate into the Decision-Making Process
No two organizations are the same, and even within a single (unlucky) organization, no two ransomware attacks may be the same. There is a lot of value that can be derived from engaging with a threat actor, but we also need to evaluate some additional considerations before we make the explicit decision to start the communications process. In most cases, a discussion with legal counsel, business leadership, and threat actor communications experts will be the most effective means of making a final determination of when and how to engage a threat actor. Nonetheless, here are some additional considerations to take into account during the decision-making process.
Impacts to Infrastructure and Business Processes
During the initial stages of ransomware response, IT and cybersecurity staff are going to be evaluating the impact of the attack. During this process, the business will begin to understand the attack’s impacts on infrastructure and business processes. If only a few non-essential systems were affected and you were able to quarantine the threat without significant impacts, engaging with the TA may not be at the top of the priority list, but we shouldn’t eliminate the possibility that communications may still add value in the future. In this case, the focus should be placed on the incident response effort; however, it is still important to discuss a TA communications strategy in the event that the investigation takes an unexpected turn and communications need to be enacted quickly.
Evaluation of Data at Risk (Exfiltrated Data)
One of the most critical components to evaluate during a ransomware attack is data at risk, or exfiltrated data. Most ransomware groups, and especially Ransomware as a Service (RaaS) groups, pursue data exfiltration as a part of their “double extortion” methodology. This means that, in most cases, some data will have been taken from the environment as a result of a ransomware attack. The most important consideration at this point is determining the criticality and sensitivity of the data likely obtained by the threat actor. In most cases, this is going to be a joint effort between IT, business leaders, and legal counsel. In some cases, the criticality and sensitivity of the known exfiltrated data may be determined to be low, but we don’t always have a full picture of what the threat actor accomplished within the environment until it is too late. This is another reason that threat actor communications experts don’t recommend closing the door on communicating with the threat actor entirely. Seasoned threat actor communications experts know that a ransomware investigation can turn on a dime. They plan for the uncertainty associated with data exfiltration and ensure that, if needed, they can rapidly engage the threat actor and begin deriving the necessary intelligence regarding data at risk.
Establish Break Contact Criteria
Knowing when to break contact with a threat actor is just as important as knowing when to engage the threat actor. The threat actor communications strategy is dynamic and evolves based on the inputs and responses from the threat actor. Threat actor communications experts leverage their experiences and knowledge of the threat actor to assist with developing communications criteria; however, legal counsel, insurance personnel, and business stakeholders will also have critical input here. As the goals of the threat actor communications strategy are accomplished, this may be a good time to evaluate breaking contact with the threat actor. Additionally, in rare circumstances, threat actors can be unpredictable or respond in ways that are uncharacteristic based on past experiences. If the threat actor becomes erratic or behaves in ways that might pose additional risks for the organization during the response effort, it may be advantageous to break contact to prevent further hostile reactions or escalations. Regardless of the criteria used, establishing thresholds for when to break contact with the threat actor will benefit the threat actor communications team and ensure risk is being mitigated and managed effectively.
The Availability of Public Decryptors
In the last few years, there have been multiple decryptors released for popular ransomware groups that significantly lower the impact of encryption-based attacks. The leaks of several major ransomware groups’ tools have boosted defenders’ capabilities and made it easier to decrypt ransomware that relies on similar methods. If you know that you’ve been hit by a group for which a public universal decryptor exists, this gives your threat actor communications team leverage to gain additional intelligence or concessions from the threat actor. Having the universal decryptor will speed up recovery efforts independent of settlement with a TA and get business operations online sooner, but the risk of data exfiltration remains a major consideration.
OFAC Sanctions and Other Regulatory Requirements
In limited circumstances, threat actor communications may not be possible based on OFAC sanctions or other regulatory requirements. There may also be other legal considerations at play that your legal counsel will make explicit during the process as well. Having a threat actor communications team will provide critical context for these situations and ensure, in conjunction with legal counsel, that your organization is abiding by all regulations and current sanctions pertaining to ransomware groups.
The Threat Actor Communications Process
In the event that you find yourself in a ransomware incident, the process of engaging in threat actor communications should be well-defined and rehearsed (tabletop exercises are great for this) so that you can follow it instinctively. Properly engaging a TA starts from the moment the ransomware attack is realized and ends when the strategic goals of the TA communication plan have been achieved.
One important factor to consider immediately is to not engage the TA in any way until you’re sure you’re ready to. In most cases, this is going to be when you have engaged your threat actor communications team and legal counsel and have had a chance to confirm your communications strategy. While the urge to navigate to the URL in the ransom note will be strong, it’s important to conduct a risk assessment and engage the right teams before you click any links or send any messages. Most TAs typically have notifications set up to alert them when their chat infrastructure is accessed, and as soon as you access or send the first message, your clock will start ticking.
Phase One: Preparation and Initial Strategy Development
Once your threat actor communications team is engaged, you immediately need to gain an understanding of the impacts to infrastructure and business processes, the status of the response effort, and recoverability. From there, you will start developing, or confirming, your TA communications strategy. This process is commonly going to be conducted in conjunction with legal counsel, cyber insurance personnel, and critical business decision-makers. Remember, the goal of the threat actor communications strategy is to provide the additional time and intelligence needed to fully assess an incident’s risk to the business, to start working on recovering your data, and to prepare your legal and PR teams so they can begin working on their response.
The threat actor communications team will work with all teams relevant to the ransomware response effort to make a determination of when to engage the threat actor.
Phase Two: Executing and Adapting the Threat Actor Communications Plan
This phase of the threat actor communications engagement is the most dynamic. The threat actor communications team has engaged the threat actor by leveraging the strategy that was decided upon during phase one. The initial messages from the threat actor will typically confirm certain details, including:
- Initial ransom demand
- A listing of likely exfiltrated data
- Proof of exfiltration
- Proof of decryption capability
Most threat actors are so well versed in these initial messages that they often provide many of these details very early in the conversation in an attempt to speed up the process and get to the negotiations phase of communications.
After these initial messages are completed, the communications process becomes highly fluid and often necessitates adapting the strategy on the fly with input from the threat actor communications team, legal counsel, and business stakeholders. This is where having threat actor communications experts adds a tremendous amount of value. We are able to leverage our experiences across many threat groups and different communication engagements to continuously evaluate risk, provide critical context, and adapt the strategy to accomplish the goals of the organization.
Each TA is a little bit different in how they conduct their communications. The TA may have their own infrastructure for real-time chat, which will need to be monitored continuously for new communications. Alternatively, they may communicate through chat applications like Tox, Telegram or Signal, which may require your threat actor communications team to set up new accounts on your organization’s behalf. And finally, there’s the old tried and true email, which some less mature TA groups still use to conduct their business. Whether the TA is using one or all of these methods, your threat actor communications team will be engaged at all times so that no wires get crossed in the process.
As the communications phase continues, the threat actor communications team will provide real-time updates and establish a feedback loop that keeps all parties up to date with developments and allows relevant teams and stakeholders to have input and influence the strategy as needed.
Phase Three: Concluding Communications, Mitigation, and Recovery
The final phase of the threat actor communications process is determined by the agreed-upon goals laid out in the threat actor communications strategy and is dependent on the preceding phases of the engagement. Most threat actor communications engagements end in one of two ways:
- The threat actor communications team breaks contact after no further value or intelligence can be derived from communications
- A payment has been made to the threat actor to prevent data leakage and/or to receive a decryption key
In the first scenario, the threat actor communications team, in conjunction with key business stakeholders, legal counsel, insurance, and the incident response team, will use the previously agreed break contact criteria developed during the initial phases of the threat actor communications engagement. In most cases, the strategic goals have been accomplished, the incident response investigation is well underway or completed, and recovery and remediation are being heavily pursued. Additionally, business, legal counsel, and public relations teams have prepared for the likely publishing of the organization’s name and data to the ransomware group’s leak site. Finally, in some circumstances, threat actors will attempt to continue extorting victims through denial-of-service attacks or by using additional threats. At this stage of the engagement, additional measures should be in place to mitigate risks associated with any follow-on actions by the threat actor.
If your organization decided to pay the ransom, you’ll likely receive your decryption key within a few hours, and you won’t be posted on any data leak sites. It’s also unlikely that your data will be publicly posted by the TA because, although we are dealing with cyber criminals, it would negatively impact the TA’s brand. A reputation for posting even after receiving payment would result in reluctance from future victims to pay ransoms, decreasing the group’s profitability and viability in the long term. While this profit motive reduces the likelihood of public posting of data, there is no guarantee that the TA won’t sell your information on the dark web or provide a decryptor that does not work well. The likelihood of issues varies from group to group, but in many cases, the threat actors are willing to provide support, if needed, and honor the agreement that was made. If your organization was already posted to the data leak site prior to paying the ransom demand, in most cases, you will be removed from the site as soon as the threat actor has confirmed payment.
As the threat actor communications engagement comes to a close, the threat actor communications team will ensure that all information is communicated to all relevant parties and that there are no lingering risks from the threat actor, including monitoring the leak site for a period of time to ensure no data is subsequently released.
The Path Forward: Having a Plan for Threat Actor Communications
When your organization falls victim to ransomware, there’s no one-size-fits-all approach to handling the incident. What’s most important is that you have an incident response plan in place and ready to go, and it should include steps for evaluating and engaging in threat actor communications.
Paying a ransom to threat actors is a business decision that some organizations pursue, but that discussion is outside the scope of this blog. Every case is unique and needs to be evaluated individually. Engaging a professional threat actor communications team will help you understand the risks and benefits of all options and guide you to the right conclusion for your organization. Engaging with a threat actor, in most cases, adds tremendous value and enhances the response and recovery effort.
If you find yourself the victim of a ransomware incident, the GuidePoint Research and Intelligence Team (GRIT) is ready to engage and take on the task of threat actor communications for your organization.
Drew Schmitt
Practice Lead, GRIT,
GuidePoint Security
Drew Schmitt is the Practice Lead for the GuidePoint Research and Intelligence Team (GRIT), where he engages in malware reverse engineering, threat intelligence development, and incident response investigations on behalf of the firm’s clients. His career background includes cybersecurity operations for several clients over various verticals.
Drew joined the GuidePoint team from Palo Alto Networks/The Crypsis Group where he was a Senior DFIR Consultant and a member of the Threat Intelligence team and specialized in malware analysis, threat hunting, and DFIR investigations. Prior to that, Drew spent time working as an incident responder, SOC analyst, and IT administrator across several industries including healthcare and manufacturing.
In addition to various roles in the security community, Drew has experience as an adjunct professor teaching cybersecurity courses at Metropolitan State University in St. Paul, MN, acting as a mentor for the Metro State CCDC team, and has created a PowerShell-based open-source incident response framework called Power-Response.
Drew holds a Master of Science degree in Security Technologies from the University of Minnesota and a Graduate Certificate in Incident Response from the SANS Technology Institute, and has obtained several GIAC certifications.