A federal judge sentenced a Latvian national to 102 months in prison for his involvement in a series of ransomware attacks for more than two years prior to his arrest in 2023, the Justice Department said Monday.

Deniss Zolotarjovs, a resident of Moscow at the time, helped an organization led by former leaders of the Conti ransomware group extort payments from more than 54 companies. 

The 35-year-old was mostly tasked with putting pressure on the crew’s victims. In one case, Zolotarjovs urged co-conspirators to leak or sell children’s health records stolen from a pediatric healthcare company and ultimately sent a collection of sensitive data to “hundreds of patients,” according to court records. 

The ransomware crew identified itself in ransom notes under multiple names during Zolotarjovs’ involvement, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, Akira and others. 

Zolotarjov and his co-conspirators extorted nearly $16 million in confirmed ransom payments from their victims. Officials estimate the group’s crimes resulted in hundreds of millions of dollars in losses, not including the psychological and future financial exposure confronting tens of thousands of people whose personal data was stolen.

“Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline,” A. Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division, said in a statement. 

Officials said Zolotarjovs searched for points of leverage after researching victim companies and analyzing stolen data. Many of the victims impacted during his active participation between June 2021 and August 2023 were based in the United States.

Zolotarjov was arrested in the country of Georgia in December 2023 and extradited to the United States in August 2024. He pleaded guilty to money laundering and wire fraud in July 2025. 

“Cybercriminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries,” Dominick S. Gerace II, U.S. attorney for the Southern District of Ohio, said in a statement. “But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”

The Russian ransomware crew was prolific and spread across multiple teams, relying on companies registered in Russia, Europe and the United States to conceal its operations. Authorities said the group included former Russian law enforcement officers whose connections allowed members to access Russian government databases to harass detractors and identify potential new recruits.

Conti was among the most prolific ransomware groups globally for a time, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

The post Latvian national sentenced for ransomware attacks run by former Conti leaders appeared first on CyberScoop.

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” are closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said. 

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeting employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said. 

These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 

The data theft for extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, different phishing domain providers, preferred operating systems, data leak sites, and the tools or devices they used to register for multi-factor authentication. 

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

Researchers warn that BlackFile, an extortion group likely associated with The Com, continues to impersonate IT support in voice-phishing and social engineering attacks that have impacted organizations in multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail.

Attackers have been actively targeting organizations in the retail and hospitality industry since February, according to Unit 42’s latest intelligence on the campaign, which the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) released alongside indicators of compromise Thursday.

The threat group, which is also tracked as CL-CRI-1116, UNC6671 and Cordial Spider, appears to be targeting victims opportunistically in a campaign that remains active and ongoing, Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop. 

“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Brady said.

Unit 42 declined to say how many organizations have been impacted thus far, and RH-ISAC did not respond to a request for comment.

BlackFile’s attacks against companies in the retail and hospitality sector are part of a broader wave of voice-phishing attacks initiated by multiple cybercrime groups, which Google Threat Intelligence Group and Okta warned about in January. 

Unit 42 also noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign CrowdStrike has been tracking as Cordial Spider since at least October 2025.

Yet, the threat group’s tactics have been far from cordial. RH-ISAC said some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands. 

The threat group lures victims via voice-phishing attacks and phishing pages mimicking corporate single-sign on services to steal credentials before moving into privileged accounts. 

“They scrape internal employee directories to obtain contact lists for executives,” RH-ISAC wrote in a blog post. “By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”

The group’s unauthorized access and data theft for extortion activity spans SaaS environments, Microsoft Graph API permissions, Salesforce API access, internal repositories, SharePoint sites and datasets containing employee’s phone numbers and business records. 

BlackFile also created a data-leak site to extort victims that it claims ignored or failed to agree to its demands, according to researchers. 

Brady said Unit 42 has observed relatively consistent activity from the threat group since February. 

RH-ISAC advises organizations to manage multi-factor identity verification for callers and limit the IT support actions that can be completed in a single call without escalation to management.

The post BlackFile actively extorting data-theft victims in retail and hospitality sector appeared first on CyberScoop.

A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U.S. companies he represented as a ransomware negotiator for DigitalMint in 2023, the Justice Department said Monday.

Angelo John Martino III shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates, according to his plea agreement.

Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides. DigitalMint, which is not accused of any knowledge or involvement in the crimes, fired Martino the day after the Justice Department informed the company they were investigating him in April 2025. 

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Prosecutors previously said Martino helped accomplices extort a combined $75.3 million in ransom payments, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company. 

Martino also admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware, also known as ALPHV, against five additional U.S. companies between April and November 2023. 

Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, said in a statement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Officials shared a series of chats Martino held with co-conspirators and his victims that exemplify the lengths he went to betray DigitalMint’s clients and empower his accomplices with crucial tips for a successful negotiation strategy.

DigitalMint did not respond to a request for comment on Martino’s guilty plea.

Negotiation chats exemplify Martino’s crimes

During an incident response with one of his victims, Martino told a BlackCat affiliate the company’s insurance carrier “was only approving small accounts,” according to his plea agreement. “Keep denying our offers and I will let you know once I find out the max the[y] want to pay,” he added.

“We don’t know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates,” Martino said in a negotiation chat visible to DigitalMint and the victim organization in the hospitality industry. “We are able to give you $1 million now, which is a very serious offer.”

Following Martino’s instructions, the BlackCat accomplice responded: “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time.”

That victim company ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data. The two other victims Martino represented via DigitalMint at the time paid $6.1 million and $213,000 ransoms for similar commitments.

“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement.

Martino received a portion of the ransomware payments for his involvement in the conspiracy.

Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. Law enforcement seized multiple vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. 

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

“The FBI works every day to dismantle the ransomware ecosystem,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Martino pleaded guilty to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

You can read Martino’s plea agreement below.

The post Former DigitalMint ransomware negotiator pleads guilty to extortion scheme appeared first on CyberScoop.

A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 

Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 

The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.

Victims included high net worth individuals and businesses in the entertainment, telecom, technology, business process outsourcing, IT, cloud and virtual currency sectors, officials said.

Buchanan and his co-conspirators were part of an aggressive subset of The Com coined Scattered Spider. While The Com and its offshoots don’t operate with formal leaders in the traditional sense, Buchanan played a crucial role in the operation, according to Allison Nixon, chief research officer at Unit 221B.

“[Buchanan] was the glue that held this gang together. His success at wiping out victims’ savings made him a target for both law enforcement and rival Com gangs,” Nixon told CyberScoop.

“[Buchanan] is part of an older generation that came from certain toxic gaming servers before the pandemic. People from this generation learned hacking in order to steal vanity usernames and bully kids before using it to steal peoples’ savings,” she added.

Federal authorities filed charges against five individuals with links to the Scattered Spider cybercrime outfit in 2024. Buchanan and Urban’s alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans — still face charges in the case, officials said. 

Nixon lauded law enforcement for acting decisively to arrest Buchanan during a brief window of opportunity while he was traveling internationally. 

“Com members are obsessed with private jets and foreign vacations, and the feds took that dream away with one arrest,” she said. 

The tactic, which U.S. officials also use against Russian cybercriminals, works because most countries are willing to support in the arrest of foreign criminals, thereby keeping them out of their respective jurisdictions, Nixon said. 

“As a foreigner, he was caught in a weaker legal position than if he was arrested at home, and cases following this tactic tend to have very long sentences,” she added. “The takeaway for Com members watching this case is that criminal foreigners associated with violence are the lowest class in every country. And that’s what Com members are when they travel.”

The Justice Department said Buchanan and his co-conspirators defrauded at least a dozen companies and their employees throughout the United States. A digital device police found at his residence in April 2023 contained personal data on numerous individuals and victim companies, according to his plea agreement.

It’s unclear what transpired between that search in April 2023 in Scotland and his June 2024 arrest at a resort city on the Spanish island of Mallorca. Moreover, his plea agreement doesn’t include the entirety of his alleged crimes. 

Buchanan attracted a lot of attention and successfully coordinated many attacks before a rival Com gang allegedly broke into his home and used a blowtorch on him to extract crypto keys in his possession, according to Nixon. 

Following his arrest, Spanish police said Buchanan had gained control of bitcoin worth more than $27 million at that time. 

While early leaders of Scattered Spider have been arrested or sentenced for their crimes, others have filled those roles with even more exceptional impact. 

The Com has grown to thousands of members, typically between 11 and 25 years old, splintered into three primary subsets the FBI describes as Hacker Com, In Real Life Com and Extortion Com.

Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes. 

You can read the indictment against Buchanan and some of his co-conspirators below.

The post Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety appeared first on CyberScoop.

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustaining trends. Yet, the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest amount of crimes that also resulted in the greatest amount of total losses by age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

The Lapsus$ hackers allegedly compromised internal code repositories, credentials, and employee data.

The post Extortion Group Claims It Hacked AstraZeneca appeared first on SecurityWeek.

A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday.

Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.

The insider attack underscores immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop. Officials did not name the company.

Curry used his access to the company’s network to remove corporate data for extortion while he worked for the company between August and December 2023. Immediately following his last day of employment with the company, Curry started sending threatening emails to its employees and demanded a ransom to not leak and destroy the data.

Officials said he sent more than 60 emails to various employees and executives over a six-week period, threatening to disclose the company’s payroll data, claiming it showed significant pay inequity across the workforce. In those emails, Curry framed the data theft extortion attack as an effort to implement salary transparency.

“Loot and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations on protected acts,” Curry wrote in one of the emails, according to the indictment.

Curry included attachments with the emails containing screenshot images of spreadsheets listing the personally identifiable information of company employees. Officials said he also warned the company he would provide employees instructions on how to address pay discrimination through mediation, the Equal Employment Opportunity Commission or a class-action lawsuit.

Some of the extortion emails got personal, including a claim that one person on the legal team wasn’t getting a bonus while most employees in high-level positions did receive bonuses. Curry also threatened to report the breach to the Securities and Exchange Commission, citing rules that require public companies to disclose cyberattacks quickly. 

The publicly traded company notified the FBI of the breach on Dec. 14, 2023 and paid Curry’s ransom demand almost a month later.

Multiple operational security mistakes helped authorities identify and build a case against Curry rather quickly. He used personal and verifiable data to establish a new Coinbase account, and two of the debit cards linked to the account Curry established to receive a ransom belonged to his mother and sister.

Authorities searched Curry’s apartment, digital devices and vehicle in Charlotte, North Carolina, just weeks after the ransom was paid. He was arrested and released on bond in late January 2024. 

Officials said Curry initiated his extortion scheme after he learned his contract with the company wouldn’t be renewed. He faces up to 12 years in prison at sentencing.

You can read the full indictment below.

The post North Carolina tech worker found guilty of insider attack netting $2.5M ransom appeared first on CyberScoop.

Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion.

Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.

“When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.

Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems. 

Ransomware attacks also often include data theft as an additional pressure point for extortion — occurring in 77% of ransomware intrusions Google observed last year, up from 57% in 2024 — but it’s not technically ransomware unless encryption is involved. 

“Over the past several years we’ve seen a gradual increase in the overall percentage of directly observed financially motivated incidents that involved only data theft extortion incidents, growing from around 2% of incidents in 2020 to more than 15% of incidents in 2025,” said Bavi Sadayappan, senior threat intelligence analyst at GTIG.

“In the same time span, the percentage of incidents involving ransomware deployment has fluctuated. We’ve seen a decrease in ransomware incidents in the past year, with 39% of incidents involving ransomware in 2024 compared to 31% in 2025,” she added.

The company declined to say how many ransomware attacks it responded to in 2025. “We hesitate sharing the number of cases that we work on, in terms of a quantitative number, because it’s so difficult for everybody to agree on what constitutes one incident versus two,” said Chris Linklater, practice leader at Mandiant. “Anecdotally, we’re staying very busy.”

Stark acknowledged that significant challenges prevent the industry from developing a clear, comprehensive picture of ransomware’s true scale and impact. Insight is largely confined to what individual incident response firms see in their own cases, and what information is shared is typically provided case by case rather in a centralized way.

“We’re not doing a great job as an industry in looking at the volume. I think that we’re overly dependent on things like the volume of data-leak sites, which have a lot of problems,” she said.

The increase in data extortion is likely driving an increase in these posts. At the same time, some threat clusters are making non-credible claims or recycling previous breaches and claiming them as their own work. “Data-leak sites as a measure is actually pretty poor, and I think that as an industry we’ve over relied on that,” Stark said.

Yet, the data is still useful for gauging certain trends, such as shifts in targeting or an increase in alleged attacks on specific sectors or regions, researchers said.

For what it’s worth, Google said the amount of posts on data leak sites jumped 48% from the year prior to 7,784 posts in 2025. Meanwhile, the number of unique data leak sites climbed almost 35% over the same period to 128 sites with at least one post.

Google’s report also focuses on the tactics and shifts it observed during its response to ransomware attacks last year, including the most common ways attackers broke into systems, the most prominent ransomware families and increased targeting of virtualization infrastructure.

Exploited vulnerabilities was the top initial access vector in ransomware attacks last year, accounting for a third of all incidents, followed by various forms of web compromise and stolen credentials. Attackers most commonly exploited vulnerabilities in widely used virtual private networks and firewalls from Fortinet, SonicWall, Palo Alto Networks and Citrix, researchers said.

Zach Riddle, principal threat intelligence analyst at GTIG, said this doesn’t reflect a growing trend as much as a recurring cycle of different initial access vectors, which rise and fall year to year for various reasons.

Google specifically called out 13 vulnerabilities, many disclosed years ago, ranking those defects among the top exploited vulnerabilities for ransomware attacks last year. Three of those vulnerabilities affect Fortinet products, followed by two from Microsoft, two from Veritas, and one each from SonicWall, Citrix, SAP, Palo Alto Networks, CrushFTP and Zoho.

Stolen credentials were the initial access point in 21% of ransomware intrusions last year, and attackers often used those credentials to authenticate to a victim’s VPN or Remote Desktop Protocol login, Google said in the report.

Attackers are also confronting more challenges in deploying ransomware once they break into victim networks. “We’re actually seeing a decrease in successful ransomware deployment,” Sadayappan said. Google observed a year-over-year decline from 54% in 2024 to 36% last year.

Another landmark change reflected in ransomware activity in 2025 involves increased targeting of virtualization infrastructure, such as VMware ESXi hypervisors. Attackers targeted these environments in 43% of ransomware intrusions last year, up from 29% in 2024.

“It lets the attacker hit a huge number of systems with a very small amount of effort,” Linklater said, adding that “it makes the investigation significantly harder to accomplish, because a lot more of the forensic evidence is lost when those hypervisors are attacked.”

The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.

The post The ransomware economy is shifting toward straight-up data extortion appeared first on CyberScoop.

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB Memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud that’s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks. But a top SLSH expert warns that engaging at all beyond a “We’re not paying” response only encourages further harassment, noting that the group’s fractious and unreliable history means the only winning move is not to pay.

Unlike traditional, highly regimented Russia-based ransomware affiliate groups, SLSH is an unruly and somewhat fluid English-language extortion gang that appears uninterested in building a reputation of consistent behavior whereby victims might have some measure of confidence that the criminals will keep their word if paid.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221B. Nixon has been closely tracking the criminal group and individual members as they bounce between various Telegram channels used to extort and harass victims, and she said SLSH differs from traditional data ransom groups in other important ways that argue against trusting them to do anything they say they’ll do — such as destroying stolen data.

Like SLSH, many traditional Russian ransomware groups have employed high-pressure tactics to force payment in exchange for a decryption key and/or a promise to delete stolen data, such as publishing a dark web shaming blog with samples of stolen data next to a countdown clock, or notifying journalists and board members of the victim company. But Nixon said the extortion from SLSH quickly escalates way beyond that — to threats of physical violence against executives and their families, DDoS attacks on the victim’s website, and repeated email-flooding campaigns.

SLSH is known for breaking into companies by phishing employees over the phone, and using the purloined access to steal sensitive internal data. In a January 30 blog post, Google’s security forensics firm Mandiant said SLSH’s most recent extortion attacks stem from incidents spanning early to mid-January 2026, when SLSH members pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings.

“The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA,” the blog post explained.

Victims often first learn of the breach when their brand name is uttered on whatever ephemeral new public Telegram group chat SLSH is using to threaten, extort and harass their prey. According to Nixon, the coordinated harassment on the SLSH Telegram channels is part of a well-orchestrated strategy to overwhelm the victim organization by manufacturing humiliation that pushes them over the threshold to pay.

Nixon said multiple executives at targeted organizations have been subject to “swatting” attacks, wherein SLSH communicated a phony bomb threat or hostage situation at the target’s address in the hopes of eliciting a heavily armed police response at their home or place of work.

“A big part of what they’re doing to victims is the psychological aspect of it, like harassing executives’ kids and threatening the board of the company,” Nixon told KrebsOnSecurity. “And while these victims are getting extortion demands, they’re simultaneously getting outreach from media outlets saying, ‘Hey, do you have any comments on the bad things we’re going to write about you.”

In a blog post today, Unit 221B argues that no one should negotiate with SLSH because the group has demonstrated a willingness to extort victims based on promises that it has no intention to keep. Nixon points out that all of SLSH’s known members hail from The Com, shorthand for a constellation of cybercrime-focused Discord and Telegram communities which serve as a kind of distributed social network that facilitates instant collaboration.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroying behavior, backstabbing, and sabotaging each other.

“With this type of ongoing dysfunction, often compounding by substance abuse, these threat actors often aren’t able to act with the core goal in mind of completing a successful, strategic ransom operation,” Nixon wrote. “They continually lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal organization network for continued successful ransoms – unlike other, more tenured and professional criminal organizations focused on ransomware alone.”

Intrusions from established ransomware groups typically center around encryption/decryption malware that mostly stays on the affected machine. In contrast, Nixon said, ransom from a Com group is often structured the same as violent sextortion schemes against minors, wherein members of The Com will steal damaging information, threaten to release it, and “promise” to delete it if the victim complies without any guarantee or technical proof point that they will keep their word. She writes:

A key component of SLSH’s efforts to convince victims to pay, Nixon said, involves manipulating the media into hyping the threat posed by this group. This approach also borrows a page from the playbook of sextortion attacks, she said, which encourages predators to keep targets continuously engaged and worrying about the consequences of non-compliance.

“On days where SLSH had no substantial criminal ‘win’ to announce, they focused on announcing death threats and harassment to keep law enforcement, journalists, and cybercrime industry professionals focused on this group,” she said.

Nixon knows a thing or two about being threatened by SLSH: For the past several months, the group’s Telegram channels have been replete with threats of physical violence against her, against Yours Truly, and against other security researchers. These threats, she said, are just another way the group seeks to generate media attention and achieve a veneer of credibility, but they are useful as indicators of compromise because SLSH members tend to name drop and malign security researchers even in their communications with victims.

“Watch for the following behaviors in their communications to you or their public statements,” Unit 221B’s advisory reads. “Repeated abusive mentions of Allison Nixon (or “A.N”), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, or commit terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists.”

Unit 221B says that while the pressure campaign during an extortion attempt may be traumatizing to employees, executives, and their family members, entering into drawn-out negotiations with SLSH incentivizes the group to increase the level of harm and risk, which could include the physical safety of employees and their families.

“The breached data will never go back to the way it was, but we can assure you that the harassment will end,” Nixon said. “So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you will objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment.”

Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.

Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which includes high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT place further doubt on the group’s supposed criminal escapades. 

Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.

“While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.

0APT’s infrastructure is sound, including cryptographically strong and fully operational ransomware binaries, unique code and a well organized panel for affiliates, she said. “Even if researchers assess most claimed victims as fabricated, the underlying ransomware payload represents genuine risk to any organization that encounters it.”

The group’s outlandish claims accentuates the messy state of ransomware, with researcher interest and widespread fear among potential victims — perceived or real — delivering benefits for criminal syndicates that compete for mindshare and co-conspirators. 

0APT’s apparent swift rise with a massive alleged victim count that hovered around 200 organizations within its first week online caught the attention of multiple ransomware research firms, resulting in reports this week by Halcyon and GuidePoint Security.

Researchers roundly consider the group’s initial claims an act of deception. This pattern of claiming a high number of victims without substantiating evidence surfaced last year with other ransomware groups, including Babuk2 and FunkSec, which eventually disclosed confirmed victims.

“After those initial fake lists, we started to see legitimate victims as the gangs attracted affiliates and matured into fully functioning ransomware-as-a-service organizations,” Kaiser said.

GuidePoint researchers acknowledge 0APT could evolve into a genuine problem, but they are more dismissive of the group’s capabilities. 

Justin Timothy, principal threat intelligence consultant at GuidePoint, said 0APT’s encryptor isn’t unique or noteworthy amongst its ransomware peers.

“The ransomware encryptor is only one piece of the attack kill chain,” he said. “Threat actors still need to be able to obtain initial access, escalate privilege, and move laterally all while evading detection and endpoint detection and response. These aspects can often take more skill and technical knowledge compared to the creation of encryption malware.”

While 0APT might be running a scam, it doesn’t appear to be a fly-by-night operation. 

The group’s alleged victims are opportunistic and predominantly operate in critical infrastructure and data-rich sectors, according to Halcyon. Most of the claimed victims are based in the United States, and the top sectors targeted include health care, professional services, technology, transportation and logistics, energy and manufacturing. 

0APT has been consistently adding and removing alleged victims from its data-leak site, which went offline briefly before returning earlier this week with a much lower victim count.

“The group’s early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity,” Kaiser said.

Attracting affiliates and attention for future operations could be driving some of 0APT’s behavior, but cybercriminals frequently deride such activities once the extent of their lies becomes widely known, said Jason Baker, managing security consultant of threat intelligence at GuidePoint.

“That strategy was almost certainly shortsighted and undermined by 0APTs fabrications, which render them an unattractive partner or destination for affiliates going forward,” Baker said. “After all, if they’re willing to lie this brazenly about their victims and capabilities, why wouldn’t they lie to their affiliates as well?”

The make-up of 0APT remains unknown, with no obvious lineage or overlap with other ransomware variants, but the group is financially motivated and very aggressive in communications, Kaiser said. 

“While the operators appear to not be novices, we have no evidence of who is running the group or its exact origins,” she added.

Halcyon, which is developing technical analysis on the group, insists 0APT poses a genuine threat that will eventually ensnare legitimate victims. 

“Given the fact that they are attracting attention and operating a capable encryptor, we see the potential as high that real victims may soon appear,” Kaiser said. A focused rebrand, such as removing all the fake victims and starting to list real victims, even only a few, will be a strong signal that the group has evolved into a serious operation.”

The post 0APT ransomware group rises swiftly with bluster, along with genuine threat of attack appeared first on CyberScoop.

Threat hunters and researchers are racing to contain a wave of voice-phishing attacks targeting single sign-on tools, already leading to data theft and extortion attempts. Multiple cybercrime groups are combining voice calls and advanced phishing kits to trick victims into handing over access — including a group identifying itself as ShinyHunters, which has publicly named alleged targets and posted samples of stolen data.

The attacks share common characteristics with previous campaigns attributed to ShinyHunters, which has abused third-party vendors to gain initial access to multiple company networks, including the attack spree that impacted more than 700 Salesforce customer environments last fall.

“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in an email to CyberScoop.

“This is an active and ongoing campaign,” Carmakal added. “After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.”

Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim’s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.

Okta, one of the single sign-on providers targeted by this campaign, released threat intelligence on phishing kits observed in this campaign and others Thursday. Attackers appearing to be aligned with ShinyHunters have attempted to extort targeted organizations on behalf of a specific initial access broker that used one of these phishing kits.

Brett Winterford, vice president at Okta Threat Intelligence, said researchers have observed at least two phishing kits that demonstrate the real-time capability to mimic the authentication flows of identity providers. 

“This creates a more compelling pretext for asking the user to share credentials and accept multifactor authentication challenges,” he told CyberScoop.

“Okta Threat Intelligence has observed multiple phishing kits developed for the needs of voice phishing operators, each with dedicated panels for impersonation of Google, Microsoft and Okta sign-in flows, as well as cryptocurrency providers,” Winterford added.

A spokesperson for Microsoft said the company has nothing to share on the campaign. Meanwhile, a Google spokesperson said: “At this time, we have no indication that Google itself or its products are affected by this campaign.”

Security experts noted the attacks don’t involve a vulnerability in single sign-on vendors’ products or infrastructure, but rather a persistent weak point in identity and access management. Targeted victims are once again being duped into sharing their credentials with attackers.

These phishing kits allow cybercriminals without deep technical skills to buy the tooling and focus on targeting people and processes, said Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center. 

“While these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That’s likely because of the believable content and the use of voice phishing versus just phishing,” she said.

“If you’re getting a call and it’s personalized and it’s changing in real time — that feels believable, that’s a different element that people don’t necessarily have their guard up for.”

Investigation ongoing into scope

It’s unclear how many organizations have been impacted by the campaign. A ShinyHunters-branded data leak site, which is currently down, previously listed at least three victims, including two companies that publicly confirmed they were impacted by recent attacks.

SoundCloud said some personally identifiable data on about 20% of its user base, roughly 36 million people, was compromised by an attack it first discovered in mid-December. The company insists sensitive data wasn’t exposed and did not name the attackers, but said users, employees and partners have been flooded with threatening emails. 

“We are aware that a threat actor group has published data online allegedly taken from our organization,” Sade Ayodele, senior director of communications at SoundCloud, said in an email. “Our security team — supported by leading third-party cybersecurity experts — is actively reviewing the claim and published data.”

Betterment, a financial services company, said an attacker gained access to some of its systems via social engineering on Jan. 9. The company said customer data was stolen, but no accounts were accessed and customer credentials weren’t compromised.

The attacker also quickly used access to Betterment’s systems to send a fraudulent cryptocurrency offer to some customers. Betterment did not respond to a request for comment.

Threat intelligence suggests additional victims have been targeted and potentially impacted. Sophos researchers are tracking a cluster of about 150 malicious domains established starting last month, including some used in voice phishing campaigns resulting in data theft and ransom notes demanding a payment, said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.

“We can’t confirm that they have all been used but the threat actors are creating target-specific domains, themed to reflect single-sign on services and impersonating authentication providers like Okta,” Pilling said. The fake domains impersonate organizations in the education, real estate, energy, financial services and retail sectors.

While one of the groups behind this campaign identifies itself as ShinyHunters, researchers have yet to confirm that claim or formally attribute the attacks to a specific group or person. 

“ShinyHunters typically has a mix of real victims and recycled information or exaggerated claims,” Kaiser said. 

Moreover, the names adopted or reused by some cybercriminals has lost relevance, said Ian Gray, vice president of intelligence at Flashpoint. 

A cybercriminal or group can use any username they choose and apply that to a data-leak site, but that doesn’t prove a direct link. 

“While ShinyHunters have claimed credibility for the campaign,” Gray said, “it is equally important that we examine the tactics, techniques and procedures being employed and how they relate to previous campaigns.”

The post A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time appeared first on CyberScoop.

Ransomware negotiation is a dark but widely acknowledged reality in the cybersecurity industry — one that many argue is a necessary practice, even if it largely occurs out of sight. Brokering payments and terms with cybercriminals who hold organizations’ data and operations hostage places security professionals in a fraught position that requires them to balance a responsibility to meet their clients’ needs without fueling the spread of financially-motivated crime.

The pitfalls of ransomware negotiation are excessive — pinning the goals of cybercrime against victims and incident response firms that typically face no good options. Negotiators are charged with ensuring their clients don’t break any laws by financially supporting sanctioned criminals, but they also have to consider the lines they won’t cross without betraying their moral compass.

These backchannel negotiations can go awry for various reasons. Many people involved in ransomware negotiation prefer to share very little about what transpires in these discussions, a decision that ensures the terms of ransomware payments remain largely unscrutinized. 

Yet, many security companies and professionals spoke to CyberScoop about the challenges and benefits of ransomware negotiation after two of their own became turncoats. The former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were moonlighting as ransomware operators and pleaded guilty last month to a series of ransomware attacks in 2023.

“There’s no structured community of practice, no peer review, and no recognized body to certify or hold negotiators accountable,” Jon DiMaggio, principal at XFIL Cyber, told CyberScoop. “It’s one of the few areas of cybersecurity with no real standards, an unregulated tradecraft that still operates like the Wild West.”

This uneven approach manifests across the landscape, particularly among the top incident response firms, which have varying levels of comfort with ransomware negotiations. CrowdStrike and Mandiant draw a firm line, refraining from providing ransomware negotiation services to clients. 

If a client is considering paying a ransomware group, Mandiant will explain the options and let the client decide. The Google-owned company will also share what it knows about the group’s reputation for honoring terms and provide a list of third-party vendors that specialize in ransomware negotiation.

Adam Meyers, head of counter adversary operations at CrowdStrike, is firmly in the don’t-pay-ransoms camp. But he, too, recognizes it’s not always that simple. 

“No good comes from paying them,” but sometimes in extreme cases when the choice is between a business’s downfall or potentially putting the people you serve at risk of significant harm, victims don’t have a choice but to pay the ransom, Meyers said.

Palo Alto Networks Unit 42 takes things to the finish line, but stops before payment. “The boundary for us is we don’t perform ransomware payments. That’s actually an intentional decision on our end to separate those out,” Steve Elovitz, vice president of consulting at Unit 42, told CyberScoop.

“We will perform negotiations when requested by our clients, but we will not perform the payments,” he added. “There’s the complexity side of it, but there’s also just the moral side of it — not wanting to be involved, really, in the transaction itself.”

The red lines in ransomware response — viewing stolen or illegal data on dark web forums, collecting that information, engaging with cybercriminals, negotiating and, ultimately, submitting payment — can push those involved beyond their comfort zones, said Sean Nikkel, lead cyber intelligence analyst at Bitdefender.

Lack of transparency engenders isolation

These self-imposed limits highlight how secretive ransomware negotiations tend to be, which creates a vacuum in which criminals thrive, DiMaggio said. 

“The lack of transparency isolates everyone,” he said. “Victims don’t know what’s normal or fair, law enforcement is often left guessing, and the criminals use that silence to control the narrative and drive up their prices.”

Nikkel asserts some secrecy is necessary, yet ransomware negotiators are “operating without a license and it kind of freaks me out a little bit,” he said.

Professional certifications exist for many lines of intelligence work, but there’s nothing for ransomware negotiation, he added.

DiMaggio, who has infiltrated ransomware groups to investigate their operations, dox their leaders and chronicle stories that would otherwise go untold, said victim organizations constantly make the same mistakes because lessons from these attacks are rarely shared. 

“Until the industry finds a responsible way to collect and analyze anonymized negotiation data, we’ll keep fighting each case in the dark,” he said. “Transparency isn’t about shaming victims — it’s about denying criminals the advantage of secrecy.”

Open sharing of ransomware negotiations is a non-starter for many important reasons, experts said. These communications contain privileged information that could tip attackers off to counterstrategies or empower them with information they can use as leverage to further compromise victims. 

“It would be difficult to do that in a way that doesn’t compromise the practice,” said Kurtis Minder, the co-founder and former CEO of GroupSense who published a book in July about his experiences as a ransomware negotiator.

Cynthia Kaiser, who joined Halcyon’s ransomware research center as senior vice president after 20 years with the FBI, shares that view. 

“You don’t want to do anything that re-victimizes the victim,” she said. “If that information goes out, that should be their choice.”

The “darkness” about negotiations doesn’t merit the same emphasis as the need to better understand “how insidious and gross all these ransomware attacks are, and who they’re attacking,” Kaiser added. 

“That’s the only way we can really grapple with the actual extent of the threat, and that’s not happening right now,” she said. “That information doesn’t get out there enough.”

Key negotiation skills and considerations

Minder got pulled into his first ransomware negotiation in 2019 by accident and against his best intentions. “Somewhat reluctantly, I agreed to do more and then it sort of snowballed on us,” he said. “We didn’t really want to do this.”

Since then, Minder has been involved in hundreds of ransomware negotiations for major companies and small businesses who he volunteered to help in his personal time. 

There is no litmus test for what makes a good negotiator, but soft skills and emotional intelligence are critical, he said. 

“Empathy is one of the most important things,” Minder added. “Not sympathy — empathy — being able to effectively put yourself in the bad guys’ shoes is super powerful.”

As ransomware attacks have grown, so too has the mixed motivations of attackers attempting to extort victims for payment. 

Attacker volatility has increased in the past four years and complicated the considerations negotiators must heed in their response, said Lizzie Cookson, senior director of incident response at Coveware by Veeam. 

Some attackers are “eager to get paid, but they’re also in it for the notoriety, for the bragging rights, for the media attention,” said Cookson, who’s worked as ransomware negotiator for more than a decade. “That’s where we start to encounter more concerning behavior — more hostility, threat actors threatening violence, making threats against people’s family members.”

These cases, which occur much more often now, are more likely to result in broken promises — data leaks after a ransom was paid to avoid such an outcome or follow-on extortion demands, she said.

Indeed, cybercriminals consistently pull new threads to amplify the pressure they place on victims. This includes elements of physical extortion wherein ransomware groups call and threaten executives, claiming they know where the executives’ kids go to school, where they live and how they get to work, said Flashpoint CEO Josh Lefkowitz.

These threats put business leaders in precarious, unexpected positions that challenge their preconceived notions about how they’d respond to a cyberattack, Lefkowitz said. 

Ransomware negotiation requires practitioners to navigate between doing what’s necessary and what’s right, DiMaggio said. “The key is to treat every negotiation as a crisis with human consequences, not just a transaction.”

Negotiators reflect on previous cases

Ransomware negotiators tend to run through common checklists based on patterns they’ve experienced, but each incident is unique and requires some level of improvisation. 

Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, said ransomware operators, on the whole, are more trustworthy now than when he first got involved in negotiations in 2019. The practice, he said, has also improved because threat intelligence is more useful, making negotiations a data- driven effort.

Dowling separates ransomware operators into two groups: named and unnamed. Named groups are more trustworthy because they have a reputation to uphold, while unnamed groups are more likely to re-extort victims and deviate from the standards of ransomware negotiation, such as not providing proof of their claims.

Still, he said, most payments result in positive outcomes for the victims. The lowest payment Dowling has facilitated came in around $6,000, and the largest was about $8 million, he said. 

Some negotiations end abruptly without further incident. These cases typically involve charities or non-profits, according to Minder.

One case he worked on involved a charity that provided free screenings for breast cancer. In that incident, he simply asked the attackers: “Why are you doing this? These people don’t have any extra money.”

The attackers walked away after the organization agreed to pay a $5,000 ransom to cover what the ransomware group claimed amounted to costs it incurred to conduct the attack — a significant discount from their initial demand of $2 million.

When cases involving data extortion come to a close, negotiators will ask for proof the data was deleted, which is impossible to confirm. Some attackers, who are especially proud of their work will provide detailed reports about how they gained access — information that helps the victim and incident responders understand how and what occurred. 

Experts said the number of people involved in ransomware negotiations can be quite large when lawyers, insurance providers and law enforcement is involved. The duration of these back-and-forth compromises can last for a couple hours or up to three months.

Tactics define process for negotiation

Negotiators also employ generally similar strategies to achieve their client’s objectives at the lowest possible payment.

Threat intelligence on ransomware groups can guide negotiators toward a more gentle or aggressive approach, but in all cases “the threat actor, at the outset, has all the leverage,” Dowling said. 

“The leverage that you have is the threat actor wants to get paid. The only way they’re going to get paid is if you come to an agreement,” he added. 

Every ransomware negotiator CyberScoop spoke with remarked on the importance of delay. “Time is always our friend,” Cookson said. “Every day that passes after the initial incident is an opportunity for us to get more visibility so that they can make those decisions with a lot more confidence and make those decisions based on actual data, not based on fear and emotion.”

Initial outreach from negotiators working on behalf of a victim should be short and simple, allowing attackers to do most of the talking up front, Minder said. Negotiators should also avoid discussion of any financial numbers or positional bargaining as long as possible, he said.

Cursing or adopting combative language is a hard no-no for Minder as well. “There are ways to convey disappointment in the messages that aren’t fighting words,” he said. “They’re humans. They have egos, so you have to keep that in mind.”

Delay tactics are designed to get the attackers to question their own demand before the negotiator ever puts a number in writing, Minder said. 

Moreover, it’s not just about the money — ransomware operators are seeking validation, and a sense that they’re in control and winning, he said.

The worst outcomes involve victims that rush to make a payment, assuming that will make all the pain go away, Cookson said. 

Financial incentives present ethical challenges

Ransomware is a thriving criminal enterprise, amounting to a combined $2.1 billion in payments during the three-year period ending in December 2024 and about 3,000 total attacks in 2023 and 2024, according to the Treasury Department’s Financial Crimes Enforcement Network.

Businesses, of course, see opportunity in all of that activity and boutique firms have assembled teams to support victim organizations by engaging in ransomware negotiations on their behalf in the wake of attacks. 

This ancillary industry fosters additional ethical challenges, especially when there’s a built-in financial incentive for ransomware negotiations to occur and, in some cases, result in payments.

A general lack of transparency in billing puts the practices of some of these firms under heavier scrutiny. Some firms charge a flat fee or hourly rate, while others use a contingency model based on the percentage of the ransom reduction they’re able to achieve, DiMaggio said. 

“It’s not the norm across the industry, but it happens, and it introduces a clear conflict of interest,” he added. “When a negotiator’s income depends on the ransom outcome, it blurs the line between representing the victim and profiting from the crime.”

While some ransomware negotiation providers do, indeed, charge a small percentage off the ransom payment, victim organizations should avoid hiring any firm that employs that model, Elovitz said. 

“If you’re making a percentage of the payment, then at least there’s some financial incentive to not negotiate it down as far as you might otherwise,” he added. 

DiMaggio would like to see more clarity around how service providers set prices for ransomware negotiation. Absent that, he said, “the industry will keep living in a moral gray zone, one where good intentions can unintentionally sustain the very ecosystem we’re trying to dismantle.”

Rules of engagement don’t apply

Ransomware negotiation remains an ill-defined, largely unrestricted practice, absent any collective industrywide agreement on rules of engagement.

Any effort to define rules upon which the industry can coalesce could potentially pit competitors against one another, leaving room for those more willing to bend the norms an opportunity to win business by providing less scrupulous services.

Negotiators are effectively unfettered once they ensure they’re not breaking any laws by engaging with or sending money to sanctioned criminals.

Still, there’s an unmet need for checks and balances, oversight, transparency and a standardized set of rules for negotiators to follow without crossing any professional or personal lines. 

Part of the challenge with external oversight lies in the act of negotiation, an art that requires intermediaries to build limited trust with attackers spanning conversations that may not play well in the public sphere, Elovitz said. 

“Putting that under a microscope could inhibit the good guys more than the bad,” he said. Payments themselves, however, could benefit from more scrutiny, Elovitz added. 

Clarity in purpose should prevail above all of these factors. 

Protecting victims without empowering criminals is the first principle of ransomware negotiation, but that balance can’t be managed in the dark, DiMaggio said. 

“I’ve seen firsthand how the lack of oversight allows abuse from both sides of the table,” he said.

To prevent manipulation, DiMaggio called for a standardized framework, vetted negotiators, recorded and auditable communications and anonymized after-action reviews.

“Without accountability, the victims end up paying twice,” he said. “Once to the criminals, and again to the people who claim to save them.”

The scars from years spent as a ransomware negotiator brought Minder back to where his intuition was before he ever got involved. “I don’t believe this should be a business. I say that having been paid to do this,” he said. 

“It’s almost like a parasitic industry,” Minder said. “You’re profiting from victims.”

The post The thin line between saving a company and funding a crime appeared first on CyberScoop.