
Pressure mounts on Canvas as data leak extortion deadline looms

Pressure is mounting on Instructure, the company behind Canvas, as cybercriminals threaten to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Widespread outages left schools, students and teachers temporarily unable to access critical data late last week after the company took Canvas offline following additional malicious activity, including a defacement of the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals affiliated with The Com, claimed responsibility for the attack on its data leak site and is attempting to extort the company for an unknown ransom amount. Instructure hasn’t confirmed the existence of a ransom demand and declined to answer questions about its response.

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained soon after it disclosed the attack — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

“The scope makes this one of the largest single education-sector exposures we’ve tracked,” she added.

The additional public pressure prompted Instructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide. 

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The disruption, temporary but widespread, has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill. 

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added. 

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers broke into its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters demanded that Instructure and all affected schools contact the threat group and reach a resolution by end of day Tuesday. The cybercrime group, which has a “known pattern of removing victim entries once communications and negotiations have started,” removed Instructure from its data leak site after it defaced the Canvas login pages, Halcyon said. 

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

“Historically, their claims of compromise typically hold up, but they often exaggerate the impact, scale, and type of data stolen,” Kaiser said.

Education is a recurring and consistent target for cybercriminals. Researchers at Halcyon tracked more than 250 ransomware attacks on education institutions globally last year. Yet, the attack on Canvas stands apart from most of these attacks because of its widespread use and downstream impact.

“This is student, parent, and staff data, including minors, which creates downstream phishing and impersonation risk that will outlast the immediate incident,” Kaiser said. 

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure hasn’t indicated what it plans to do as part of any effort to prevent the leak of stolen data. 

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

The post Pressure mounts on Canvas as data leak extortion deadline looms appeared first on CyberScoop.

0APT ransomware group rises swiftly with bluster, along with genuine threat of attack

Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.

Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which include high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT cast further doubt on the group’s supposed criminal escapades. 

Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.

“While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.

0APT’s infrastructure is sound, including cryptographically strong and fully operational ransomware binaries, unique code and a well organized panel for affiliates, she said. “Even if researchers assess most claimed victims as fabricated, the underlying ransomware payload represents genuine risk to any organization that encounters it.”

The group’s outlandish claims accentuate the messy state of ransomware, with researcher interest and widespread fear among potential victims — perceived or real — delivering benefits for criminal syndicates that compete for mindshare and co-conspirators. 

0APT’s apparent swift rise with a massive alleged victim count that hovered around 200 organizations within its first week online caught the attention of multiple ransomware research firms, resulting in reports this week by Halcyon and GuidePoint Security.

Researchers roundly consider the group’s initial claims an act of deception. This pattern of claiming a high number of victims without substantiating evidence surfaced last year with other ransomware groups, including Babuk2 and FunkSec, which eventually disclosed confirmed victims.

“After those initial fake lists, we started to see legitimate victims as the gangs attracted affiliates and matured into fully functioning ransomware-as-a-service organizations,” Kaiser said.

GuidePoint researchers acknowledge 0APT could evolve into a genuine problem, but they are more dismissive of the group’s capabilities. 

Justin Timothy, principal threat intelligence consultant at GuidePoint, said 0APT’s encryptor isn’t unique or noteworthy amongst its ransomware peers.

“The ransomware encryptor is only one piece of the attack kill chain,” he said. “Threat actors still need to be able to obtain initial access, escalate privilege, and move laterally all while evading detection and endpoint detection and response. These aspects can often take more skill and technical knowledge compared to the creation of encryption malware.”

While 0APT might be running a scam, it doesn’t appear to be a fly-by-night operation. 

The group’s selection of alleged victims appears opportunistic, and those organizations predominantly operate in critical infrastructure and data-rich sectors, according to Halcyon. Most of the claimed victims are based in the United States, and the top sectors targeted include health care, professional services, technology, transportation and logistics, energy and manufacturing. 

0APT has been consistently adding and removing alleged victims from its data-leak site, which went offline briefly before returning earlier this week with a much lower victim count.

“The group’s early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity,” Kaiser said.

Attracting affiliates and attention for future operations could be driving some of 0APT’s behavior, but cybercriminals frequently deride such activities once the extent of their lies becomes widely known, said Jason Baker, managing security consultant of threat intelligence at GuidePoint.

“That strategy was almost certainly shortsighted and undermined by 0APT’s fabrications, which render them an unattractive partner or destination for affiliates going forward,” Baker said. “After all, if they’re willing to lie this brazenly about their victims and capabilities, why wouldn’t they lie to their affiliates as well?”

The make-up of 0APT remains unknown, with no obvious lineage or overlap with other ransomware variants, but the group is financially motivated and very aggressive in communications, Kaiser said. 

“While the operators appear to not be novices, we have no evidence of who is running the group or its exact origins,” she added.

Halcyon, which is developing technical analysis on the group, insists 0APT poses a genuine threat that will eventually ensnare legitimate victims. 

“Given the fact that they are attracting attention and operating a capable encryptor, we see the potential as high that real victims may soon appear,” Kaiser said. “A focused rebrand, such as removing all the fake victims and starting to list real victims, even only a few, will be a strong signal that the group has evolved into a serious operation.”

The post 0APT ransomware group rises swiftly with bluster, along with genuine threat of attack appeared first on CyberScoop.

A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time

Threat hunters and researchers are racing to contain a wave of voice-phishing attacks targeting single sign-on tools, already leading to data theft and extortion attempts. Multiple cybercrime groups are combining voice calls and advanced phishing kits to trick victims into handing over access — including a group identifying itself as ShinyHunters, which has publicly named alleged targets and posted samples of stolen data.

The attacks share common characteristics with previous campaigns attributed to ShinyHunters, which has abused third-party vendors to gain initial access to multiple company networks, including the attack spree that impacted more than 700 Salesforce customer environments last fall.

“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in an email to CyberScoop.

“This is an active and ongoing campaign,” Carmakal added. “After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.”

Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim’s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.

Okta, one of the single sign-on providers targeted by this campaign, released threat intelligence on phishing kits observed in this campaign and others Thursday. Attackers appearing to be aligned with ShinyHunters have attempted to extort targeted organizations on behalf of a specific initial access broker that used one of these phishing kits.

Brett Winterford, vice president at Okta Threat Intelligence, said researchers have observed at least two phishing kits that demonstrate the real-time capability to mimic the authentication flows of identity providers. 

“This creates a more compelling pretext for asking the user to share credentials and accept multifactor authentication challenges,” he told CyberScoop.

“Okta Threat Intelligence has observed multiple phishing kits developed for the needs of voice phishing operators, each with dedicated panels for impersonation of Google, Microsoft and Okta sign-in flows, as well as cryptocurrency providers,” Winterford added.

A spokesperson for Microsoft said the company has nothing to share on the campaign. Meanwhile, a Google spokesperson said: “At this time, we have no indication that Google itself or its products are affected by this campaign.”

Security experts noted the attacks don’t involve a vulnerability in single sign-on vendors’ products or infrastructure, but rather a persistent weak point in identity and access management. Targeted victims are once again being duped into sharing their credentials with attackers.

These phishing kits allow cybercriminals without deep technical skills to buy the tooling and focus on targeting people and processes, said Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center. 

“While these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That’s likely because of the believable content and the use of voice phishing versus just phishing,” she said.

“If you’re getting a call and it’s personalized and it’s changing in real time — that feels believable, that’s a different element that people don’t necessarily have their guard up for.”

Investigation ongoing into scope

It’s unclear how many organizations have been impacted by the campaign. A ShinyHunters-branded data leak site, which is currently down, previously listed at least three victims, including two companies that publicly confirmed they were impacted by recent attacks.

SoundCloud said some personally identifiable data on about 20% of its user base, roughly 36 million people, was compromised by an attack it first discovered in mid-December. The company insists sensitive data wasn’t exposed and did not name the attackers, but said users, employees and partners have been flooded with threatening emails. 

“We are aware that a threat actor group has published data online allegedly taken from our organization,” Sade Ayodele, senior director of communications at SoundCloud, said in an email. “Our security team — supported by leading third-party cybersecurity experts — is actively reviewing the claim and published data.”

Betterment, a financial services company, said an attacker gained access to some of its systems via social engineering on Jan. 9. The company said customer data was stolen, but no accounts were accessed and customer credentials weren’t compromised.

The attacker also quickly used access to Betterment’s systems to send a fraudulent cryptocurrency offer to some customers. Betterment did not respond to a request for comment.

Threat intelligence suggests additional victims have been targeted and potentially impacted. Sophos researchers are tracking a cluster of about 150 malicious domains established starting last month, including some used in voice phishing campaigns resulting in data theft and ransom notes demanding a payment, said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.

“We can’t confirm that they have all been used but the threat actors are creating target-specific domains, themed to reflect single-sign on services and impersonating authentication providers like Okta,” Pilling said. The fake domains impersonate organizations in the education, real estate, energy, financial services and retail sectors.
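The campaign described above relies on target-specific domains that blend an organization's name with identity-provider branding or generic sign-in words ("sso", "login", "okta") so that the page a victim is steered to during the call looks like their real portal. A defender's first pass over a newly-registered-domain or certificate-transparency feed can be automated along those lines. The following is an added illustration, not code from CyberScoop, Okta, Sophos or any other party named in the article; the org name "Example Org", the domain list and the token lists are constructed for the example, and the legitimate-suffix allowlist is an assumption that a real deployment would replace with its own identity providers.

```python
import re
from dataclasses import dataclass

# Constructed sample feed: the kind of candidate domains a defender might pull from a
# certificate-transparency or newly-registered-domain source. Hypothetical names only;
# none of these are indicators from the article.
OBSERVED_DOMAINS = [
    "okta.com",
    "example-org.okta.com",
    "exampleorg-sso.com",
    "example-org-okta.net",
    "sso-exampleorg-login.com",
    "weather-forecast.org",
    "microsoftonline.com",
    "exampleorg.microsoftonline-login.com",
]

# Assumed allowlist of genuine identity-provider domains; replace with your own IdPs.
LEGITIMATE_IDP_SUFFIXES = (
    "okta.com",
    "microsoftonline.com",
    "login.microsoft.com",
    "accounts.google.com",
)

# Brand tokens raise severity; generic sign-in words alone are a weaker signal.
BRAND_TOKENS = ("okta", "microsoftonline", "microsoft", "google")
GENERIC_SSO_TOKENS = ("sso", "login", "auth", "mfa", "verify")


@dataclass(frozen=True)
class Finding:
    domain: str
    severity: str            # "high" when an IdP brand appears, else "medium"
    matched_tokens: tuple    # which tokens triggered the finding


def squash(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'Example Org', 'example-org' and 'exampleorg' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_legitimate(domain: str) -> bool:
    """True if the domain is, or is a subdomain of, an allowlisted IdP domain."""
    return any(domain == s or domain.endswith("." + s) for s in LEGITIMATE_IDP_SUFFIXES)


def _matched(tokens, labels):
    """Tokens that occur inside any DNS label or hyphen-separated part of the domain,
    with shorter tokens dropped when a longer matched token already contains them
    (so 'microsoftonline' is reported once, not as 'microsoftonline' + 'microsoft')."""
    hits = [t for t in tokens if any(t in lbl for lbl in labels)]
    return [t for t in hits if not any(t != o and t in o for o in hits)]


def triage_domains(domains, org_name: str):
    """Flag domains that combine the organization's name with identity-provider or
    sign-in vocabulary and are not part of a legitimate IdP domain."""
    org = squash(org_name)
    findings = []
    for raw in domains:
        domain = raw.lower().rstrip(".")
        if is_legitimate(domain):
            continue                       # the real portal, or a tenant under it
        if org not in squash(domain):
            continue                       # not themed on this organization
        labels = re.split(r"[.-]", domain)
        brand = _matched(BRAND_TOKENS, labels)
        generic = _matched(GENERIC_SSO_TOKENS, labels)
        if not brand and not generic:
            continue                       # org name alone is not enough to flag
        severity = "high" if brand else "medium"
        findings.append(Finding(domain, severity, tuple(brand + generic)))
    return findings


if __name__ == "__main__":
    for f in triage_domains(OBSERVED_DOMAINS, "Example Org"):
        print(f"{f.severity:6} {f.domain}  tokens={','.join(f.matched_tokens)}")
```

Findings rated "high" are candidates for takedown requests and for blocking at the web proxy; "medium" ones warrant a look before a user reports a call. The allowlist check runs first so that legitimate tenant subdomains such as `example-org.okta.com` are never flagged, which keeps the output usable by a helpdesk rather than only by a threat-intel team.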

While one of the groups behind this campaign identifies itself as ShinyHunters, researchers have yet to confirm that claim or formally attribute the attacks to a specific group or person. 

“ShinyHunters typically has a mix of real victims and recycled information or exaggerated claims,” Kaiser said. 

Moreover, the names adopted or reused by some cybercriminals have lost relevance, said Ian Gray, vice president of intelligence at Flashpoint. 

A cybercriminal or group can use any username they choose and apply that to a data-leak site, but that doesn’t prove a direct link. 

“While ShinyHunters have claimed credibility for the campaign,” Gray said, “it is equally important that we examine the tactics, techniques and procedures being employed and how they relate to previous campaigns.”

The post A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time appeared first on CyberScoop.

The thin line between saving a company and funding a crime

Ransomware negotiation is a dark but widely acknowledged reality in the cybersecurity industry — one that many argue is a necessary practice, even if it largely occurs out of sight. Brokering payments and terms with cybercriminals who hold organizations’ data and operations hostage places security professionals in a fraught position that requires them to balance a responsibility to meet their clients’ needs without fueling the spread of financially motivated crime.

The pitfalls of ransomware negotiation are many, pitting the goals of cybercriminals against victims and incident response firms that typically face no good options. Negotiators are charged with ensuring their clients don’t break any laws by financially supporting sanctioned criminals, but they also have to consider the lines they won’t cross without betraying their moral compass.

These backchannel negotiations can go awry for various reasons. Many people involved in ransomware negotiation prefer to share very little about what transpires in these discussions, a decision that ensures the terms of ransomware payments remain largely unscrutinized. 

Yet, many security companies and professionals spoke to CyberScoop about the challenges and benefits of ransomware negotiation after two of their own became turncoats. The former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were moonlighting as ransomware operators and pleaded guilty last month to a series of ransomware attacks in 2023.

“There’s no structured community of practice, no peer review, and no recognized body to certify or hold negotiators accountable,” Jon DiMaggio, principal at XFIL Cyber, told CyberScoop. “It’s one of the few areas of cybersecurity with no real standards, an unregulated tradecraft that still operates like the Wild West.”

This uneven approach manifests across the landscape, particularly among the top incident response firms, which have varying levels of comfort with ransomware negotiations. CrowdStrike and Mandiant draw a firm line, refraining from providing ransomware negotiation services to clients. 

If a client is considering paying a ransomware group, Mandiant will explain the options and let the client decide. The Google-owned company will also share what it knows about the group’s reputation for honoring terms and provide a list of third-party vendors that specialize in ransomware negotiation.

Adam Meyers, head of counter adversary operations at CrowdStrike, is firmly in the don’t-pay-ransoms camp. But he, too, recognizes it’s not always that simple. 

“No good comes from paying them,” but sometimes in extreme cases when the choice is between a business’s downfall or potentially putting the people you serve at risk of significant harm, victims don’t have a choice but to pay the ransom, Meyers said.

Palo Alto Networks Unit 42 takes things to the finish line, but stops before payment. “The boundary for us is we don’t perform ransomware payments. That’s actually an intentional decision on our end to separate those out,” Steve Elovitz, vice president of consulting at Unit 42, told CyberScoop.

“We will perform negotiations when requested by our clients, but we will not perform the payments,” he added. “There’s the complexity side of it, but there’s also just the moral side of it — not wanting to be involved, really, in the transaction itself.”

The red lines in ransomware response — viewing stolen or illegal data on dark web forums, collecting that information, engaging with cybercriminals, negotiating and, ultimately, submitting payment — can push those involved beyond their comfort zones, said Sean Nikkel, lead cyber intelligence analyst at Bitdefender.

Lack of transparency engenders isolation

These self-imposed limits highlight how secretive ransomware negotiations tend to be, which creates a vacuum in which criminals thrive, DiMaggio said. 

“The lack of transparency isolates everyone,” he said. “Victims don’t know what’s normal or fair, law enforcement is often left guessing, and the criminals use that silence to control the narrative and drive up their prices.”

Nikkel asserts some secrecy is necessary, yet ransomware negotiators are “operating without a license and it kind of freaks me out a little bit,” he said.

Professional certifications exist for many lines of intelligence work, but there’s nothing for ransomware negotiation, he added.

DiMaggio, who has infiltrated ransomware groups to investigate their operations, dox their leaders and chronicle stories that would otherwise go untold, said victim organizations constantly make the same mistakes because lessons from these attacks are rarely shared. 

“Until the industry finds a responsible way to collect and analyze anonymized negotiation data, we’ll keep fighting each case in the dark,” he said. “Transparency isn’t about shaming victims — it’s about denying criminals the advantage of secrecy.”

Open sharing of ransomware negotiations is a non-starter for many important reasons, experts said. These communications contain privileged information that could tip attackers off to counterstrategies or empower them with information they can use as leverage to further compromise victims. 

“It would be difficult to do that in a way that doesn’t compromise the practice,” said Kurtis Minder, the co-founder and former CEO of GroupSense who published a book in July about his experiences as a ransomware negotiator.

Cynthia Kaiser, who joined Halcyon’s ransomware research center as senior vice president after 20 years with the FBI, shares that view. 

“You don’t want to do anything that re-victimizes the victim,” she said. “If that information goes out, that should be their choice.”

The “darkness” about negotiations doesn’t merit the same emphasis as the need to better understand “how insidious and gross all these ransomware attacks are, and who they’re attacking,” Kaiser added. 

“That’s the only way we can really grapple with the actual extent of the threat, and that’s not happening right now,” she said. “That information doesn’t get out there enough.”

Key negotiation skills and considerations

Minder got pulled into his first ransomware negotiation in 2019 by accident and against his best intentions. “Somewhat reluctantly, I agreed to do more and then it sort of snowballed on us,” he said. “We didn’t really want to do this.”

Since then, Minder has been involved in hundreds of ransomware negotiations for major companies and for small businesses that he volunteered to help in his personal time. 

There is no litmus test for what makes a good negotiator, but soft skills and emotional intelligence are critical, he said. 

“Empathy is one of the most important things,” Minder added. “Not sympathy — empathy — being able to effectively put yourself in the bad guys’ shoes is super powerful.”

As ransomware attacks have grown, so too have the mixed motivations of attackers attempting to extort victims for payment. 

Attacker volatility has increased in the past four years and complicated the considerations negotiators must heed in their response, said Lizzie Cookson, senior director of incident response at Coveware by Veeam. 

Some attackers are “eager to get paid, but they’re also in it for the notoriety, for the bragging rights, for the media attention,” said Cookson, who’s worked as ransomware negotiator for more than a decade. “That’s where we start to encounter more concerning behavior — more hostility, threat actors threatening violence, making threats against people’s family members.”

These cases, which occur much more often now, are more likely to result in broken promises — data leaks after a ransom was paid to avoid such an outcome or follow-on extortion demands, she said.

Indeed, cybercriminals consistently pull new threads to amplify the pressure they place on victims. This includes elements of physical extortion wherein ransomware groups call and threaten executives, claiming they know where the executives’ kids go to school, where they live and how they get to work, said Flashpoint CEO Josh Lefkowitz.

These threats put business leaders in precarious, unexpected positions that challenge their preconceived notions about how they’d respond to a cyberattack, Lefkowitz said. 

Ransomware negotiation requires practitioners to navigate between doing what’s necessary and what’s right, DiMaggio said. “The key is to treat every negotiation as a crisis with human consequences, not just a transaction.”

Negotiators reflect on previous cases

Ransomware negotiators tend to run through common checklists based on patterns they’ve experienced, but each incident is unique and requires some level of improvisation. 

Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, said ransomware operators, on the whole, are more trustworthy now than when he first got involved in negotiations in 2019. The practice, he said, has also improved because threat intelligence is more useful, making negotiations a data-driven effort.

Dowling separates ransomware operators into two groups: named and unnamed. Named groups are more trustworthy because they have a reputation to uphold, while unnamed groups are more likely to re-extort victims and deviate from the standards of ransomware negotiation, such as not providing proof of their claims.

Still, he said, most payments result in positive outcomes for the victims. The lowest payment Dowling has facilitated came in around $6,000, and the largest was about $8 million, he said. 

Some negotiations end abruptly without further incident. These cases typically involve charities or non-profits, according to Minder.

One case he worked on involved a charity that provided free screenings for breast cancer. In that incident, he simply asked the attackers: “Why are you doing this? These people don’t have any extra money.”

The attackers walked away after the organization agreed to pay a $5,000 ransom to cover what the ransomware group claimed amounted to costs it incurred to conduct the attack — a significant discount from their initial demand of $2 million.

When cases involving data extortion come to a close, negotiators will ask for proof the data was deleted, which is impossible to confirm. Some attackers who are especially proud of their work will provide detailed reports about how they gained access — information that helps the victim and incident responders understand how and what occurred. 

Experts said the number of people involved in ransomware negotiations can be quite large when lawyers, insurance providers and law enforcement are involved. These back-and-forth negotiations can last anywhere from a couple of hours to three months.

Tactics define process for negotiation

Negotiators also employ generally similar strategies to achieve their client’s objectives at the lowest possible payment.

Threat intelligence on ransomware groups can guide negotiators toward a more gentle or aggressive approach, but in all cases “the threat actor, at the outset, has all the leverage,” Dowling said. 

“The leverage that you have is the threat actor wants to get paid. The only way they’re going to get paid is if you come to an agreement,” he added. 

Every ransomware negotiator CyberScoop spoke with remarked on the importance of delay. “Time is always our friend,” Cookson said. “Every day that passes after the initial incident is an opportunity for us to get more visibility so that they can make those decisions with a lot more confidence and make those decisions based on actual data, not based on fear and emotion.”

Initial outreach from negotiators working on behalf of a victim should be short and simple, allowing attackers to do most of the talking up front, Minder said. Negotiators should also avoid discussion of any financial numbers or positional bargaining as long as possible, he said.

Cursing or adopting combative language is a hard no-no for Minder as well. “There are ways to convey disappointment in the messages that aren’t fighting words,” he said. “They’re humans. They have egos, so you have to keep that in mind.”

Delay tactics are designed to get the attackers to question their own demand before the negotiator ever puts a number in writing, Minder said. 

Moreover, it’s not just about the money — ransomware operators are seeking validation, and a sense that they’re in control and winning, he said.

The worst outcomes involve victims that rush to make a payment, assuming that will make all the pain go away, Cookson said. 

Financial incentives present ethical challenges

Ransomware is a thriving criminal enterprise, amounting to a combined $2.1 billion in payments during the three-year period ending in December 2024 and about 3,000 total attacks in 2023 and 2024, according to the Treasury Department’s Financial Crimes Enforcement Network.

Businesses, of course, see opportunity in all of that activity and boutique firms have assembled teams to support victim organizations by engaging in ransomware negotiations on their behalf in the wake of attacks. 

This ancillary industry fosters additional ethical challenges, especially when there’s a built-in financial incentive for ransomware negotiations to occur and, in some cases, result in payments.

A general lack of transparency in billing puts the practices of some of these firms under heavier scrutiny. Some firms charge a flat fee or hourly rate, while others use a contingency model based on the percentage of the ransom reduction they’re able to achieve, DiMaggio said. 

“It’s not the norm across the industry, but it happens, and it introduces a clear conflict of interest,” he added. “When a negotiator’s income depends on the ransom outcome, it blurs the line between representing the victim and profiting from the crime.”

While some ransomware negotiation providers do, indeed, charge a small percentage off the ransom payment, victim organizations should avoid hiring any firm that employs that model, Elovitz said. 

“If you’re making a percentage of the payment, then at least there’s some financial incentive to not negotiate it down as far as you might otherwise,” he added. 

DiMaggio would like to see more clarity around how service providers set prices for ransomware negotiation. Absent that, he said, “the industry will keep living in a moral gray zone, one where good intentions can unintentionally sustain the very ecosystem we’re trying to dismantle.”

Rules of engagement don’t apply

Ransomware negotiation remains an ill-defined, largely unrestricted practice, absent any collective industrywide agreement on rules of engagement.

Any effort to define rules upon which the industry can coalesce could potentially pit competitors against one another, giving those more willing to bend the norms an opportunity to win business by offering less scrupulous services.

Negotiators are effectively unfettered once they ensure they’re not breaking any laws by engaging with or sending money to sanctioned criminals.

Still, there’s an unmet need for checks and balances, oversight, transparency and a standardized set of rules for negotiators to follow without crossing any professional or personal lines. 

Part of the challenge with external oversight lies in the act of negotiation, an art that requires intermediaries to build limited trust with attackers spanning conversations that may not play well in the public sphere, Elovitz said. 

“Putting that under a microscope could inhibit the good guys more than the bad,” he said. Payments themselves, however, could benefit from more scrutiny, Elovitz added. 

Clarity in purpose should prevail above all of these factors. 

Protecting victims without empowering criminals is the first principle of ransomware negotiation, but that balance can’t be managed in the dark, DiMaggio said. 

“I’ve seen firsthand how the lack of oversight allows abuse from both sides of the table,” he said.

To prevent manipulation, DiMaggio called for a standardized framework, vetted negotiators, recorded and auditable communications and anonymized after-action reviews.

“Without accountability, the victims end up paying twice,” he said. “Once to the criminals, and again to the people who claim to save them.”

The scars from years spent as a ransomware negotiator brought Minder back to where his intuition was before he ever got involved. “I don’t believe this should be a business. I say that having been paid to do this,” he said. 

“It’s almost like a parasitic industry,” Minder said. “You’re profiting from victims.”

The post The thin line between saving a company and funding a crime appeared first on CyberScoop.

Hitachi subsidiary GlobalLogic impacted by Clop’s attack spree on Oracle customers

GlobalLogic, a digital engineering and product design company, said it was impacted by a widespread data theft and extortion campaign linked to a zero-day vulnerability in Oracle E-Business Suite.

The company, which was acquired by Hitachi in 2021 and has a current customer base of nearly 600 clients, filed data breach notifications with authorities in California and Maine on Friday. GlobalLogic said the attack exposed human resources data on nearly 10,500 current and former employees. 

GlobalLogic is among many Oracle customers targeted by attackers aligned with the Clop ransomware group, which exploited a zero-day vulnerability affecting the enterprise platform to steal massive amounts of data as far back as July. John Hultquist, chief analyst at Google Threat Intelligence Group, previously told CyberScoop dozens of organizations were impacted.

GlobalLogic said it discovered the data breach Oct. 9 and, upon investigation, determined the initial breach occurred July 10. The most recent malicious activity occurred Aug. 20, the company said.

“This incident did not target or impact GlobalLogic’s systems outside our Oracle platform, and, based on industry reports, we are one of many Oracle customers believed to be impacted,” the company said in the notification letter sent to people impacted. GlobalLogic did not immediately respond to a request for comment.

Data exposed by the attack includes names, addresses, phone numbers, emergency contact information, email addresses, dates of birth, nationality, passport information, internal employee numbers, tax identifiers such as Social Security numbers, salary information, bank account details and routing numbers, according to GlobalData.

Upon discovering it was impacted, GlobalLogic said it immediately activated incident response procedures, notified law enforcement and engaged with third-party firms to assist with an investigation. “We also promptly applied software patches upon their release from Oracle to address the vulnerability,” the company said. 

Oracle disclosed and issued a patch for the zero-day vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. 

The zero-day wasn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims, according to Mandiant Consulting CTO Charles Carmakal. 

The significant lag time between when the attacks occurred and Oracle’s disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

Clop’s ransom demands reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop last month.

Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment. 

One of those named victims, Envoy Air, a subsidiary of American Airlines, confirmed it was impacted by the attack spree. 

“We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised,” a spokesperson for Envoy Air said in a statement. 

GlobalLogic said it implemented Oracle’s recommended mitigation steps in the wake of the attack and took additional steps to improve its security.

The post Hitachi subsidiary GlobalLogic impacted by Clop’s attack spree on Oracle customers appeared first on CyberScoop.
