Ransomware Negotiation Tactics Against Sophisticated, Opportunistic, and Impatient Hackers

1 unique source, 1 article

Summary

Ransomware groups are increasingly sophisticated, opportunistic, and impatient. Organizations can leverage these traits to negotiate more effectively during ransomware attacks. Ransomware gangs operate like SaaS vendors, targeting hundreds of organizations with professional processes. They seek sensitive information to tailor their demands but are also under strict deadlines. Organizations can exploit these behaviors to reduce ransom demands or call out bluffs. Effective negotiation strategies include preparing a ransomware playbook, keeping sensitive information secure, and using tactics like the LAP test and delaying responses to make hackers impatient.

Timeline

  1. 02.09.2025 17:00 1 article · 27d ago

    Ransomware Negotiation Tactics Against Sophisticated, Opportunistic, and Impatient Hackers

Similar Happenings

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.

MS-ISAC funding cuts threaten US state and local cybersecurity

The Multi-State Information Sharing and Analysis Center (MS-ISAC) faces funding cuts, with its federal funding set to expire on September 30, 2025, potentially leaving state and local governments vulnerable to cyberattacks. Recent ransomware attacks on Nevada, St. Paul, the Lower Sioux Indian Community, and Pennsylvania underscore the growing threat to local governments. MS-ISAC, which detected over 40,000 potential cyberattacks in 2024, will have to start charging for its services without federal funding. This includes cyber threat analysis and threat intelligence distribution to critical infrastructure such as schools, hospitals, and utilities. The Center for Internet Security (CIS), which operates MS-ISAC, has been temporarily funding the center at a cost of over $1 million per month. Without reinstated funding, the MS-ISAC's services will be at risk, leaving many state and local governments unable to maintain the security of their public services.