
Ransomware Read Me First: Don't Get Scammed... Twice

Jan 11, 2021 8:45:00 AM

You were hit with ransomware. You panic. You search “ransomware response” or “ransomware repair” and among the top results is a link that reads “Recover Encrypted Files - Guaranteed.” Sounds like you found the solution! None of us wants to pay the ransomware operators. If there is a legitimate solution that avoids sending tens of thousands (if not millions) of dollars via cryptocurrency to threat actors overseas, it’s worth paying for.

Caveat Emptor... you know that old saying: if it looks too good to be true…

GroupSense assists in ransomware response and negotiation. As a result, we have seen some dirty tricks. Ransomware gangs have upped their game, employed new clever tactics, and been successful in exfiltrating not just organizational data, but millions of US dollars. Since many ransomware operators use templatized and playbook tactics, we are seldom caught off guard. We occasionally see the n00b operator who flails around messily or the lone operator who has a sense of entitlement: “...I worked hard on this!...”, but for the most part, this is a business for professional ransomware actors, and we treat each engagement as such.

[Image: RansomwareReadMeFirst_4-1]

A couple of weeks ago we ran into a new level of exploitation, one that we believe may become more prevalent, and it starts with the duckduckgo search above. (Use duckduckgo, folks.) Look, we don’t want to pay the operators any more than you or the victims do. The idea of paying a legitimate cybersecurity company with the technology and means to decrypt the ransomware-affected files is appealing. The victim does not have to go on some sketchy dark web site, and they don’t have to put their financial accounts at risk by transferring large sums of money to a digital wallet that will be used to pay known criminals. (The SEC doesn’t like this.) Ideally, you can keep this transaction right here...in the good ol’ USA! Sounds great.

But how does a company guarantee that it can decrypt your files if it hasn't seen them yet? We visited one of these companies’ sites and there was a video testimonial from a public figure stating “...and once we have cleaned up your files, we will make sure it NEVER happens again.” If you have operated in the cybersecurity industry for any meaningful amount of time, you know that superlatives aren’t a great idea.

In the case that arose a couple of weeks ago, the victim contacted one of these companies, which claimed to be able to decrypt the ransomware-encrypted files. The company asked for a $2,500 retainer, two sample encrypted files, and the ransomware note. A couple of days later, they returned the two files, successfully decrypted. When the victim asked how much they would charge to decrypt the remaining files, the company fell silent for days.

Before we continue, here are a few details that are important to know.

When you are hit with ransomware, the operators will often leave a text file on your systems. That text file explains the situation: “We have locked your files; you must contact us to get them back.” The note will often contain a dark web site address that is specific to your infection, urging you to visit that site. Depending on the operator, these sites can vary. In many cases, the site has a few fundamental functions. First, it has a clock. The clock starts when you visit the site and counts down to zero. Then, there is a threat associated with that clock: “You have XX hours/days to make payment. If you do not make a payment by the time the clock reaches zero, we will double the price.” Sometimes they make threats about dumping critical information to embarrass your company, all at once or on a cadence: “We will release 1% of your critical data publicly until you pay…” and so on. The second function is a tutorial and FAQ on how to make the digital currency transaction. Third, there is a chat function so that you may ask the threat actors questions, negotiate, and generally communicate with your attackers. Finally, and here is the kicker, there is a “proof of life” section where you can upload up to... wait for it... two files to be decrypted for free, to prove that the ransomware gang has the necessary decryption keys to decrypt your files. Maybe you see where we are going here…

[Image: RansomwareReadMeFirst_3-1]

Back to the victim. We engaged with the victim, went through our process to onboard, and agreed to engage with the threat actors. But, alas, when our analyst team visited the ransomware dark-net website, the timer had been going for days, two files had been uploaded, and someone had engaged in a negotiation with the threat actors on the site’s chat feature without the victim’s knowledge or consent. We retrieved the transcript of that chat and, after reviewing it, found the negotiation to have taken a negative turn, culminating in a hard position from the threat actor, who demanded a large sum to decrypt the victim’s files. Meanwhile, the company that claimed to be able to decrypt the files contacted the victim with a new proposal. They claimed they could decrypt the customer's files for a price $80,000 higher than what had been negotiated on the ransomware operator’s dark-net site. The victim, a small business, could not afford either price, and because the negotiation had been executed so poorly, they were left in a bind.

We worked with the client on their post-breach efforts: monitoring for data exfiltration and release, and identity protection for their staff and executives. All of these are best practices in the case of a ransomware incident.

Ironically, our team had seen warnings of this kind of scam in previous engagements, from the threat actors themselves. In one case, a ransomware group posted warnings about companies pretending to decrypt the files while simply having the ransomware group do so, then marking up the price. It's almost worth laughing about… almost.

How to respond if you need to deal with a ransomware attack

If you are hit with ransomware, reach out to a reputable incident response firm or breach specialist from your external counsel. Both will have worked with a trustworthy ransomware response company, like GroupSense, and will be able to make introductions. Also consider downloading this ransomware negotiation guide. Save your duckduckgo searches for pictures of cats or something.


Written by Editorial Team