
What Happens When Threat Actors Go Rogue?

Jason Vitale, June 04, 2025

Some ransomware gangs garner attention from the media and security researchers alike due to high-profile victims and frequent attacks. With intervention from law enforcement and in-fighting, star players in the ransomware-as-a-service (RaaS) space rise and fall.

We’ve all heard there’s “no honor among thieves,” but notable ransomware gangs rely on their reputations as both serious threats and “trustworthy” adversaries to get paid. You pay the ransom; they provide the decryption tool.  

But what happens when threat actors go rogue?

Inexperienced cyber criminals or offshoots from recently disbanded ransomware gangs don’t need to play by the same rules. They’re after easy wins, no matter what it takes. 

Coalition Incident Response (CIR) has recently observed several cases of rogue threat actors finding creative ways to profit. Below, we’ll explore what we’ve seen, as well as how businesses can fight back. 

Coming back for seconds with re-extortion 

An education software company experienced a breach in December 2024 that exposed the personal data of students from over 6,500 school districts. The company ultimately paid the ransom in an effort to prevent a leak. 

Despite providing proof of data deletion, the same threat actor returned months later and sent an extortion letter to one of the impacted school districts.

The burning question: Can we ever really believe what cyber criminals tell us?

Some ransomware gangs would likely argue yes. Word gets around, especially regarding the behavior of notable groups like Qilin, Akira, or Play. If organizations are wary of paying because a gang has a reputation for re-extorting the same victims, that's bad for business.

But that doesn’t deter rogue threat actors working independently or impersonating larger groups from playing dirty. The risk of re-extortion is far higher with newer and unknown bad actors that have no reputation to uphold.

In one incident handled by CIR, a ransomware attack significantly hindered the impacted business’ ability to operate as usual. At the time, CIR was unfamiliar with the group behind the attack — the now up-and-coming Frag — and the victim was desperate to resolve the matter.


Threat actors agreed to the negotiated demand of $185,000 for the decryptor, and CIR facilitated payment once threat actors proved it worked. But instead of upholding their end of the deal, threat actors claimed that their developer team upped the price to $300,000. 

CIR refused to send any additional funds unless the threat actors provided proof that they could decrypt more files. Unsurprisingly, they couldn’t. CIR suspected threat actors accidentally deleted the decryptor, ceased further negotiations, and worked with the impacted business to restore its lost data.
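The "prove the decryptor works" step in the Frag negotiation above deserves a structured check rather than a glance at a couple of files. The script below is an added example written for this article, not CIR's own tooling and not a detail of that incident: it runs a decryptor over a sample set the victim chooses (never files the actor picks) and accepts a file only if it matches a known-good hash from backups or, where no backup exists, carries the expected magic bytes and no longer has ciphertext-level entropy. The SHA-256 keystream cipher used to build the samples, the file names and contents, and the 7.5 bits/byte threshold are constructed stand-ins.

```python
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Optional, Tuple

# File-type magic bytes, plus whether the body is normally compressed. Zip-based
# Office formats are high-entropy even as plaintext, so only the magic check
# applies to them. Assumption: extend this table to match the victim's file mix.
MAGIC = {
    ".pdf": (b"%PDF", False),
    ".docx": (b"PK\x03\x04", True),
    ".xlsx": (b"PK\x03\x04", True),
    ".png": (b"\x89PNG\r\n\x1a\n", True),
    ".txt": (b"", False),
}
ENTROPY_LIMIT = 7.5  # bits/byte (assumed); ciphertext sits near 8.0, documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_decrypted(name: str, data: bytes, known_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason). A backup hash is decisive; otherwise use magic bytes and entropy."""
    if known_sha256 is not None:
        ok = hashlib.sha256(data).hexdigest() == known_sha256
        return ok, "sha256 match" if ok else "sha256 mismatch"
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic, compressed = MAGIC.get(ext, (b"", False))
    if not data.startswith(magic):
        return False, f"missing {ext} magic bytes"
    if not compressed:
        ent = shannon_entropy(data)
        if ent > ENTROPY_LIMIT:
            return False, f"entropy {ent:.2f} bits/byte, still looks encrypted"
    return True, "plausible plaintext"


def verify_decryptor(decrypt: Callable[[bytes], bytes], samples: Dict[str, bytes],
                     hashes: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Run `decrypt` over victim-chosen samples; every file must pass before any payment."""
    results = {}
    for name, blob in samples.items():
        try:
            out = decrypt(blob)
        except Exception as exc:  # a crashing decryptor is a failed proof, not an excuse
            results[name] = (False, f"decryptor raised {type(exc).__name__}")
            continue
        results[name] = looks_decrypted(name, out, hashes.get(name))
    return results


def all_pass(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


# --- Constructed stand-in for the actor's cipher: SHA-256 keystream XOR. ---
# Not any real ransomware's scheme; it only produces realistic-looking ciphertext.
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# Constructed sample set (a PDF, a zip-based docx, a text file); contents are made up.
PLAINTEXTS = {
    "contract.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
    "budget.docx": b"PK\x03\x04" + _keystream(b"stand-in for compressed xml", 2000),
    "notes.txt": b"Board meeting minutes, Q3 review.\n" * 50,
}
REAL_KEY = b"actor-supplied-key"
ENCRYPTED = {n: toy_encrypt(REAL_KEY, p) for n, p in PLAINTEXTS.items()}
# Only one file has a backup hash to hand, which is typical mid-incident.
BACKUP_HASHES = {"notes.txt": hashlib.sha256(PLAINTEXTS["notes.txt"]).hexdigest()}


def good_decryptor(blob: bytes) -> bytes:   # XOR is symmetric, so the same routine decrypts
    return toy_encrypt(REAL_KEY, blob)


def bad_decryptor(blob: bytes) -> bytes:    # what a wrong key or broken decryptor yields
    return toy_encrypt(b"wrong-key", blob)


if __name__ == "__main__":
    for label, fn in (("actor's decryptor", good_decryptor), ("wrong key", bad_decryptor)):
        res = verify_decryptor(fn, ENCRYPTED, BACKUP_HASHES)
        print(f"{label}: {'PASS' if all_pass(res) else 'FAIL'}")
        for name, (ok, why) in res.items():
            print(f"  {name}: {why}")
```

In a real negotiation the actor's decryptor is a binary, not a Python callable: run it in an isolated VM against copies of the sample files and feed the outputs to `looks_decrypted`. The point of insisting on a mix of hash-verified and magic/entropy-verified files is that it closes the "we decrypted a few you picked, now pay more" gap that the Frag actors tried to exploit.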

Prevention over reaction with managed detection and response (MDR)

Once sensitive data is in the hands of threat actors, no one knows for sure where or how it will be used. The best option is catching suspicious activity before threat actors have an opportunity to exfiltrate and/or encrypt data.

MDR continuously monitors a business's network activity and uses behavioral analytics to identify suspicious patterns in real time, as early as possible.

Attempts to execute a ransomware attack are detected and acted on immediately. When a ransomware indicator is detected, MDR triggers an automated response so security teams can contain the threat before it spreads.
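To make the behavioral detection described above concrete, here is an added example written for this article, not Coalition's MDR logic or any vendor's rule set. It reads a constructed key=value telemetry format, raises an alert when a process deletes volume shadow copies (a common precursor to encryption) or renames a burst of files with a new extension across several directories, and maps alerts to containment actions. The event format, host names, paths, the `.enc` marker extension and the five-files-in-ten-seconds threshold are all assumptions.

```python
import ntpath
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Commands that destroy Windows restore points ahead of encryption.
SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# Assumed thresholds: one process renaming this many files to a new extension,
# across this many directories, inside this window.
BURST_N, BURST_MIN_DIRS, BURST_WINDOW_S = 5, 2, 10


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: str
    ts: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """key=value fields; values containing spaces are double-quoted."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def appends_extension(path: str, newpath: str) -> bool:
    # Encryptors typically append a marker extension. Swapping one extension for
    # another (draft.docx -> final.docx) is ordinary user behaviour and is ignored.
    return bool(path) and newpath.lower().startswith(path.lower() + ".")


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    window = defaultdict(deque)      # (host, pid) -> deque of (datetime, directory)
    burst_fired = set()
    for line in lines:
        ev = parse_event(line)
        if not all(k in ev for k in ("ts", "host", "pid", "op")):
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (ev["host"], ev["pid"])
        if ev["op"] == "process_start" and SHADOW_RE.search(ev.get("cmd", "")):
            alerts.append(Alert("shadow_copy_deletion", *key, ev["ts"], ev["cmd"]))
        elif ev["op"] == "rename" and appends_extension(ev.get("path", ""), ev.get("newpath", "")):
            q = window[key]
            q.append((ts, ntpath.dirname(ev["path"])))
            while (ts - q[0][0]).total_seconds() > BURST_WINDOW_S:   # slide the window
                q.popleft()
            dirs = {d for _, d in q}
            if len(q) >= BURST_N and len(dirs) >= BURST_MIN_DIRS and key not in burst_fired:
                burst_fired.add(key)   # one alert per process, not one per file
                ext = ntpath.splitext(ev["newpath"])[1]
                alerts.append(Alert("rename_burst", *key, ev["ts"],
                                    f"{len(q)} files renamed to *{ext} in {len(dirs)} "
                                    f"directories within {BURST_WINDOW_S}s"))
    return alerts


def plan_response(alerts: List[Alert]) -> List[str]:
    """Containment actions an automated responder would issue for these alerts."""
    actions = set()
    for a in alerts:
        actions.add(f"isolate_host {a.host}")
        actions.add(f"kill_process {a.host} {a.pid}")
    return sorted(actions)


# Constructed telemetry: an encryptor on FS01 deletes shadow copies, then renames
# files in two shares; a backup agent and an interactive user rename files benignly.
SAMPLE_EVENTS = r"""
ts=2025-04-02T09:14:00Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=process_start cmd="vssadmin.exe delete shadows /all /quiet"
ts=2025-04-02T09:14:01Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\finance\Q1.xlsx newpath=D:\finance\Q1.xlsx.enc
ts=2025-04-02T09:14:02Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\finance\Q2.xlsx newpath=D:\finance\Q2.xlsx.enc
ts=2025-04-02T09:14:03Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\hr\payroll.docx newpath=D:\hr\payroll.docx.enc
ts=2025-04-02T09:14:04Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\hr\handbook.pdf newpath=D:\hr\handbook.pdf.enc
ts=2025-04-02T09:14:05Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\finance\audit.pdf newpath=D:\finance\audit.pdf.enc
ts=2025-04-02T09:14:06Z host=FS01 pid=4412 image=C:\Temp\svc.exe op=rename path=D:\hr\org.xlsx newpath=D:\hr\org.xlsx.enc
ts=2025-04-02T09:15:00Z host=FS01 pid=900 image="C:\Program Files\Backup\agent.exe" op=rename path=D:\finance\Q1.xlsx newpath=D:\finance\Q1.xlsx.bak
ts=2025-04-02T09:20:00Z host=WS07 pid=3100 image=C:\Windows\explorer.exe op=rename path=C:\Users\a\draft.docx newpath=C:\Users\a\final.docx
""".strip().splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.ts}] {a.rule} {a.host}/{a.pid}: {a.detail}")
    print("response:", plan_response(found))
```

Two design points carry over to real tooling: the rename rule fires on the fifth file, not after the whole share is gone, and it fires once per process so the responder is not flooded; the shadow-copy rule is a single high-confidence event that justifies isolation on its own. A backup agent appending `.bak` to one file and a user renaming a draft stay below the thresholds, which is what keeps the automated response from hitting legitimate activity.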

Ransomware demands in physical mailboxes

Several Coalition policyholders were among a cohort of executives that received ransom notes claiming to be from the BianLian ransomware gang. 

Unlike standard indicators of ransomware — a pop-up message paired with inaccessible files or a locked computer — organizations were notified exclusively by snail mail. The letters claimed that the recipient’s IT network was compromised and that thousands of files had been exfiltrated. Despite the unorthodox delivery, the letters had the hallmarks of a traditional (digital) ransom note:

  • Sense of urgency: Envelopes were stamped “Time Sensitive Read Immediately.” The letters demanded payment within 10 days of receipt, failing which sensitive data would be published on leak sites and distributed to business partners, customers, and other parties.

  • Ransom demand: The letters included a QR code linked to a Bitcoin wallet, requesting payments of between $250,000 and $500,000.

  • Threatening language: Threat actors urged businesses not to contact the police or FBI, claiming law enforcement officers “don’t care what monetary losses you or your company will suffer.”

The FBI released an announcement regarding the letters, stating it had not identified any connection between the senders and BianLian. Security researchers quickly determined that the letters and their claims of data compromise were illegitimate: the ransom note was written in near-perfect English with complex sentence structure, unlike notes previously observed from BianLian, and the Bitcoin wallets had been created shortly before the letters were sent and had no ties to active ransomware groups.

None of the impacted organizations reported ransomware activity after receiving the letters, further indicating that this was nothing more than a scam intended to prey on stressed and fearful executives. 


When in doubt, contact your cyber insurance provider

Threat actors are opportunistic. What some may lack in technical acumen, they make up for in an ability to exploit human psychology through social engineering. By conveying a sense of urgency, threat actors encourage victims to make hasty decisions rather than think critically. 

If an employee ever receives a ransom note, whether through a digital notification, phone call, or by mail, the threat should be taken seriously. 

Before making any decisions to communicate with threat actors or pay a ransom, businesses should notify their cyber insurance providers as soon as possible for guidance and further investigation. 

Overcompensating with AI tools

Artificial intelligence is changing how businesses streamline tasks and increase productivity across most industries, and the cyber crime ecosystem is no exception.

Threat actors are turning to AI tools to enhance phishing emails, code malware, and deploy convincing deepfakes. 

AI-powered phishing attacks can be highly personalized and grammatically flawless, a contrast to the scams of the past, where messages were often riddled with signs that the sender was a non-native speaker deploying repeatable hoaxes. A common example: The CEO needs gift cards again!

But present-day AI is often only as good as the prompts provided. If threat actors lack the technical expertise to double-check that AI-produced malware works or confirm that the generated responses are factually correct, AI can only get them so far. 

In recent ransomware negotiations, CIR forensic experts witnessed that a threat actor’s skill deficiencies can’t always be shielded by AI. In fact, poorly used AI may even delegitimize the threat. 

A law firm was notified by email that threat actors had allegedly encrypted and stolen data from its systems. As communications between the business and threat actor continued, the threat actor became more frantic and pushy. 

When responses from the business slowed, a shift happened and the threat actor’s language became more precise and complex. Unlike prior communications, which were no longer than a sentence or two, later messages were well-crafted and had multiple paragraphs.

The threat actor sent a clearly AI-generated response citing enforcement actions by the US Securities and Exchange Commission and claiming they imposed a legal requirement on the business to report the ransomware attack.

But SEC reporting requirements apply to public companies registered with the SEC, not to a privately held law firm.


The inaccuracy led CIR to conclude that the threat actor was inexperienced and likely working independently; CIR eventually determined that they hadn't accessed any particularly sensitive data. The law firm chose not to pay the ransom and, with CIR's help, restored its lost data from backups.

Security awareness training empowers employees to identify red flags

Whether the use of AI is obvious or not, one thing remains true: Threat actors are trying to deceive us. 

So even as scams get better, many of the underlying red flags won’t change. Would a trusted vendor really demand immediate action? Would a bank ask for personally identifiable information over text? 

Security awareness training teaches employees to catch the same common tactics threat actors use for profit, and 80% of businesses say employee education has reduced phishing susceptibility.

Coalition Security™ can help businesses fight back

No matter if it's a notable ransomware gang or an innovative lone wolf, threat actors pose a significant risk to your business. Having the right partner on your side can make all the difference in staying ahead of emerging cyber threats.

Coalition offers a wide range of security products and services that can help before, during, and after an attack. To learn more about Coalition Security, schedule a free consultation with our team.


CIR is a wholly owned affiliate of Coalition, Inc. CIR services are offered to Coalition policyholders as an option via Coalition’s incident response firm panel. CIR does not provide insurance products.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. The reader is cautioned to consult independent professional advisers and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability based on any legal theory or in any form or amount, based upon, arising from or in connection with, for the reader’s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee and should not be construed to guarantee any particular results or outcome. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with our use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only.

Tags: Ransomware, Phishing, Cyber Threats, Incident Response
