In Crisis or In Control? Evolving Threat Actor Tactics Illustrate the Need for Clear Cybersecurity Communications Strategies

Allie Bohan, Tess Sams, Jonah Pitkowsky and Ana Wilmer co-authored this article.

Picture this: you’re a senior executive whose organization is managing a crippling ransomware attack. For several days, your legal, IT, communications and executive teams have been working around the clock to restore encrypted systems and engage with stakeholders concerned about business continuity and the safety of data shared between organizations.

Acting at the direction of your board, you have chosen not to pay the threat actor’s ransom demand, opting instead to restore systems from backups — an often lengthy endeavor — and face the prospect of a data leak involving information exfiltrated from your corporate network.

The threat actor, unwilling to accept your decision, turns up the heat. They send a bouquet of flowers, accompanied by a chilling note resembling a condolence letter, to the home of your CEO. The note indicates, in no uncertain terms, that extortion tactics will continue to escalate if your company does not pay the ransom. Having thought the worst was behind you, you are unprepared for this escalation and do not have a communications strategy to respond if this development becomes public or the escalations continue. In this critical moment, you begin to lose control of the narrative — and possibly the entire situation. Making matters worse, your CEO’s family is now part of the equation.

Such a multifaceted threat, where a bad actor is instilling fear and coercion beyond the digital realm, complicates a cybersecurity incident response. This type of scenario has become more common as bad actors continue to innovate and utilize aggressive tactics to pursue ransom payment.

Organizations that are unprepared for such escalations and do not act rapidly to adapt their communications strategy may quickly become overwhelmed, responding to increasingly unpredictable behavior from online criminals and not appearing in control. Thorough scenario planning and staying abreast of the evolving cybersecurity threat landscape are essential to help organizations respond effectively and enhance their readiness for potential escalations.

As threat actor behavior continues to evolve, communications professionals must ensure that their cybersecurity communications incident response strategy is adaptable to support these types of unforeseen developments.

The evolving cybersecurity threat landscape

Global cybercrime response costs are projected to reach nearly $11 trillion by 2025, and ransomware attacks in particular are on the rise across industries. At the same time, certain threat actor groups, such as BianLian and 8Base, are pivoting toward a pure data extortion business model, monetizing their attacks by exfiltrating data without employing encryption. Consequences of sensitive data leaks, including reputational damage and regulatory penalties, can exert significant pressure on victims to pay the ransom, even without the need to develop and deploy malware to a victim organization’s network.

In addition to the sheer volume of cybercrime, facilitated by the proliferation of ransomware-as-a-service (RaaS), factors reshaping the landscape include exploiting zero-day vulnerabilities en masse, supply chain attacks and capitalizing on cloud security vulnerabilities to infiltrate systems.

Alongside these factors, threat actors are employing increasingly aggressive communications tactics to pursue ransom payments, including forming strategic partnerships with cybersecurity industry reporters and pursuing legal avenues by filing complaints with the SEC as seen with AlphV (BlackCat).

Moreover, threat actors have resorted to threatening company executives, employees and their families in their homes, which can escalate to swatting concerns, a harassment technique that involves deceiving emergency services into dispatching a SWAT team to the target’s home. Additionally, they may contact employees after gaining access to employee directories or human resources files or inundate company executives with hundreds to thousands of messages within a short timeframe to pressure them into paying the ransom. In recent years, they have targeted companies and executives involved in M&A transactions with the intent to disrupt or sabotage deals.

These tactics underscore the need for organizations to be equipped to communicate as a first line of defense against evolving cybersecurity threats.

Developing a modern cybersecurity communications plan

Essential to comprehensive communications preparedness is regular refinement of the cyber crisis communications plan and ongoing training to ensure that members of the communications team are equipped with the latest knowledge and insights necessary to navigate the changing threat landscape.

While it is impossible to anticipate every scenario, establishing adaptable frameworks and practicing them with your team so that you can adapt and act quickly in a real-life crisis is crucial for timely narrative control and preserving stakeholder relationships when cybersecurity incidents arise. Scenario plans should contemplate a number of likely situations, informed by experts who see ransomware threat actors daily, and include a communications strategy and suggested messaging tailored to all key stakeholders.

Here are several factors to consider:

• Response time: Activating quickly with a rapid-response plan in a high-pressure cybersecurity crisis and during any threat actor escalations is a critical capability for the cybersecurity response team to possess and continuously improve upon. Robust escalation procedures and activation protocols are key for the relevant teams to immediately start considering and executing a communications strategy.
• Roles and responsibilities: Establishing a consistent understanding of team members’ roles and responsibilities, and their respective decision-making authority, during a cybersecurity crisis is necessary to reduce conflicting understandings and avoid costly, redundant activities. These should be driven by clear risk and severity assessments which mirror those in more technical documentation, in line with the organization’s priorities and business objectives.
• Messaging and rollout: Formalizing messaging and communications review, approval and distribution structures ahead of time can minimize deliberation time in these scenarios and allow all appropriate individuals in the organization to weigh in to ensure the communications messaging and strategy are appropriately vetted. Additionally, strategy and messaging should be adaptable and deployable, meaning that they can be lifted off the page and leveraged quickly.
• Risk assessment and horizon planning: Understanding your organization’s unique communications risks and tailoring your plans accordingly is a necessary activity to adapt to any escalations. Rigorous reviews of existing materials and procedures as well as in-depth interviews with relevant personnel help to understand both the formal and informal elements of an organization’s communications response plans.