That day started as usual: going through the analyzed feed submitted by the intelligence team, going over the news of the most recent cyber-attacks. Then it came. It was a call from a distressed corporate Chief Information Officer (CIO) stating that they had been hit by ransomware and asking for help. As we went through our standard debrief of twenty or so questions to build an initial understanding of the attack and its consequences, it was clear that the IT environments were encrypted and that the threat actor was claiming a significant data breach.
The peculiar thing was that there was no ransom note, something that is all but a given in today's ransomware culture. Instead, the threats were received by email, addressed to four specific C-level stakeholders.
After receiving the threat email from the CIO and running a quick analysis, it was clear that about 95% of its content was plagiarized from the ransom note of a well-known, prolific ransomware group, one of the top three in the ransomware threat landscape. In fact it was practically a verbatim copy, except for the return contacts inviting the victim to check in with the threat actor. Those directed the victim to an address at one of the "privacy" email services, which up to a few years ago were the go-to channel of ransomware threat actors, but no longer. Today most ransomware groups negotiate on proprietary, dark-net-based chat platforms, where victims identify themselves by a dedicated ID string; email is used only as a backup to that platform. The email also lacked a signature by the threat actor, which is likewise contrary to the norm in ransomware these days: most groups boldly promote their brand, and some even claim that the brand does the work of making the victim pay.
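As an added illustration, not part of the original write-up, here is the kind of quick comparison the analysis above describes: a received note is diffed at word level against a small corpus of known note templates to find the closest match, list exactly which spans were changed, and check for the channel indicators an established group's note normally carries (a dark-net chat portal, a branded signature). The templates, the received note, and every address and domain in them are constructed for the example; the `.invalid` domains and the `.onion` address are placeholders and belong to no real group.

```python
"""Compare a received extortion note against known ransom-note templates and
pull out the channel indicators an analyst looks at first.
Added example; all note text, addresses and domains below are constructed."""
import difflib
import re

# Constructed templates standing in for the notes of known groups (not real text).
KNOWN_NOTES = {
    "template-A": (
        "Your network has been penetrated. All of your files have been encrypted "
        "with a strong algorithm and your confidential data has been copied to our "
        "servers. We have also downloaded a large amount of your internal documents, "
        "including financial records, personal data of your employees and customers, "
        "and business correspondence. Do not try to restore your files with third "
        "party software, this will damage them permanently. If you do not contact us "
        "within seven days, this data will be published on our blog and sold to third "
        "parties. To recover your files and prevent publication, contact us through "
        "our chat portal at http://exampleportalabcdefghijklmnop.onion using your "
        "personal ID. Backup email: contact@example-group.invalid -- ExampleGroup"
    ),
    "template-B": (
        "Hello. Your company's files are locked. Every document, database and backup "
        "on your machines has been encrypted by our software and nobody can decrypt "
        "them without our private key. Write to us via the messenger address listed "
        "in the README file on your desktop and mention your company name. Hurry, "
        "the price doubles after 72 hours. -- OtherCrew"
    ),
}

# Constructed note as received: template-A with the contact section replaced by a
# single email address at a privacy mail provider and the group signature removed.
RECEIVED_NOTE = (
    "Your network has been penetrated. All of your files have been encrypted "
    "with a strong algorithm and your confidential data has been copied to our "
    "servers. We have also downloaded a large amount of your internal documents, "
    "including financial records, personal data of your employees and customers, "
    "and business correspondence. Do not try to restore your files with third "
    "party software, this will damage them permanently. If you do not contact us "
    "within seven days, this data will be published on our blog and sold to third "
    "parties. To recover your files and prevent publication, contact us at "
    "lonewolf.example@privacymail.invalid"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# Signature convention of the constructed corpus: a trailing "-- GroupName".
SIGNATURE_RE = re.compile(r"--\s*\S+\s*$")


def tokenize(text):
    """Word-level tokens: coarse enough that the diff reads as phrases."""
    return text.split()


def similarity(a, b):
    """Share of tokens in common, in [0, 1] (difflib ratio, junk heuristic off)."""
    return difflib.SequenceMatcher(None, tokenize(a), tokenize(b), autojunk=False).ratio()


def best_match(note, corpus):
    """Closest template as (name, ratio, deviations); deviations holds one
    (opcode, template_text, note_text) per non-equal span, i.e. what the
    copycat actually changed."""
    name = max(corpus, key=lambda n: similarity(corpus[n], note))
    t_tok, n_tok = tokenize(corpus[name]), tokenize(note)
    sm = difflib.SequenceMatcher(None, t_tok, n_tok, autojunk=False)
    deviations = [
        (tag, " ".join(t_tok[i1:i2]), " ".join(n_tok[j1:j2]))
        for tag, i1, i2, j1, j2 in sm.get_opcodes()
        if tag != "equal"
    ]
    return name, sm.ratio(), deviations


def profile_note(note, corpus=KNOWN_NOTES):
    """What the analyst wants on one screen: closest known template, how close,
    what differs, and whether the expected channel and branding are present."""
    name, ratio, deviations = best_match(note, corpus)
    return {
        "best_template": name,
        "similarity": round(ratio, 3),
        "deviations": deviations,
        "emails": EMAIL_RE.findall(note),
        "onion_channel_present": bool(ONION_RE.search(note)),
        "signature_present": bool(SIGNATURE_RE.search(note)),
    }


if __name__ == "__main__":
    p = profile_note(RECEIVED_NOTE)
    print(f"closest template: {p['best_template']} ({p['similarity']:.0%} token overlap)")
    for tag, was, now in p["deviations"]:
        print(f"  {tag:7} template: {was!r}\n          note:     {now!r}")
    print("contact emails:", p["emails"])
    print("onion/chat channel:", p["onion_channel_present"],
          "| group signature:", p["signature_present"])
```

A high token ratio shows the text was copied, not that the group whose note it resembles sent it; the deviations list is the informative part, and in the constructed case every deviation falls in the contact section, with the chat portal and signature gone, which is the pattern described above. On real notes an analyst would also compare the note's file name and layout and check the portal address against a current tracker of known leak sites.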
This one was different.
The Incident Response (IR) team's initial assessment was that the threat actor had deployed a malware strain known to have been developed by a no-longer-active group, but since leaked on the dark net and widely available today. The sample had roughly 85% similarity to the original, with some modifications. The threat actor achieved persistence in the victim's environments and was able to both encrypt and exfiltrate data.
Knowing thy enemy is crucial in opposing a ransomware attack: it allows the victim to analyze and manage risks, weigh the relative capabilities and reliability of the assailant, and draft the roadmap to incident resolution. We therefore recommended that the client initiate a dialogue with the threat actor, and a professional cyber negotiator was assigned to run the communications process. As several emails were exchanged, we became further convinced that our opponent was not part of any known ransomware organization. Some maneuvers by the negotiator helped us profile the threat actor as a lone-wolf technologist with prior intimate knowledge of the victim and no previous experience in the realm of ransomware.
Employing negotiation techniques, we were able to leverage the time factor, allowing the IR team to contain the malware and locate a detached backup not affected by the attack. In parallel, the intelligence picture was constantly updated and enriched by the ongoing negotiations, adding lines to the threat actor's profile.
We came to understand that our assailant was likely a former contractor who had left believing an injustice had been done to him, and who had decided to attack.
The rest is history. Through a multidisciplinary effort the attack was contained, minimizing both the direct and the indirect damage. The crisis was averted, but the questions remained. Was this a singular event, or are ransomware copycats a trend? Can a lone-wolf threat actor launch a ransomware attack? Why do they pose as seasoned ransomware groups? And why does it matter?

At CIPTEAM, we regularly encounter a wide range of ransomware attacks, some from organized threat groups, others from opportunistic actors leveraging stolen tools and borrowed reputations. While ransomware copycats are not yet a dominant trend, we have seen cases where lone-wolf attackers, often disgruntled current or former insiders, successfully deploy ransomware, sometimes mimicking well-known groups to instill fear and gain leverage. The tactic works because victims tend to assume they are dealing with a highly capable criminal organization, which shapes how they respond to the threat. Understanding the true nature of an attack is critical for managing risk, containing the damage, and formulating an effective response; organizations must be prepared to act swiftly and strategically. Our team specializes in ransomware response, negotiation, and cyber-crisis management, ensuring businesses can navigate these crises with confidence.