
Building a Ransomware Response Bench

May 12, 2022 10:30:00 AM

Old misconceptions of lone hackers sitting in dark basements are long gone, replaced by a new wave of cybercrime-as-a-service models that marks a new era. Operating like many other businesses, ransomware and other cybercrime gangs have a business structure, “customer” support, and an org chart. How can organizations communicate effectively with the threat actors that are attacking their systems with ransomware?

If your organization is facing a ransomware attack or wants to prepare for what many cybersecurity professionals think is inevitable, a ransomware response team is vital. Putting together your team might feel daunting, but the right group of people can minimize the damage to your organization. GroupSense’s ransomware experts put together a primer on who should be on your ransomware response bench. 

INTERNAL TEAM(S):

Role: Tactical and Strategic
  • Often the first to identify symptoms of a potential ransomware incident
  • Usually IT, operations, or cybersecurity
  • Executive(s) who can iterate and make decisions against desired outcomes—best/worst-case scenarios
  • Authorize and coordinate financial transactions, especially if your organization will pay the ransom
  • Document how your organization discovered the attack, which operational areas were impacted, and how
  • Loop in required internal resources as appropriate (i.e., security office or CISO, CFO, communications or investor relations)
  • Identify who can authorize necessary third-party support and who will lead from the organization
  • Facilitate recovery efforts

THREAT INTELLIGENCE:

Role: Tactical and Strategic
  • Provides additional context to data provided by the IR team—ideally provide complementary insights to inform decision-making along the course of negotiation, remediation, and recovery
  • Brings the ability to search dark web and TOR sites to see the extent of exposure
  • Provides critical information about the threat actor or threat actor groups
  • Informs your organization of who you are dealing with, how they operate, where they operate from, which tools and strategies are typically used, and how much they typically settle for
  • May be monitoring underground international forums for stolen intellectual property or customer data

THREAT ACTOR ENGAGEMENT AKA RANSOMWARE NEGOTIATOR:

Role: Strategic

  • Third-party cybersecurity experts with special skills in threat actor identification, profiling, negotiation, and dark web monitoring
  • Threat actor negotiation is not an incident response function
  • Intermediary between you and the threat actor
  • Determine who you’re really dealing with early on—group vs. individual, geography, intelligence on means, methods, and motivations
  • Communicate with executive stakeholders
  • Plan and execute negotiations aligned with your specific objectives and outcomes (e.g., budget, timeline, assets)
  • Advise on how to manage risk, individuals within the organization, and other related parties
  • Facilitate a secure financial transaction

INCIDENT RESPONSE:

Role: Tactical
  • May be an internal security team or a third-party cybersecurity team
  • Focused on forensics, identification and containment, and recovery
  • Bring deep technical expertise in malware
  • Determine point/method of entry
  • Provide further insight into the scope of compromise—catalog system impacts, identify whether data was exfiltrated (stolen)

INSURER (IF YOU HAVE A CYBER POLICY):

Role: Tactical
  • Administer and settle claims against your cyber insurance policy
  • Represents insurance interests to minimize financial risks associated with the situation
  • Observes proceedings and will advise as to their recommendations throughout
  • The trend is to pay some ransom to reduce delay and costs associated with prolonged data recovery and PR efforts

Together, your ransomware response team should establish clear lines of communication with executives, employees, and customers when appropriate. Because so much is on the line, it’s natural for stakeholders’ emotions to run high, but emotionality and anger have no place in the ransomware negotiation process. Reframe these negotiations for what they are: business negotiations.

In the roles laid out above, your team should focus on accomplishing key objectives:

  • More secure operations moving forward; don’t let this event paralyze your business.
  • Get control back by knowing the extent of the compromise, verifying you have stopped the bleeding, and recovering your data without severe harm to your customers and company.
  • Communicate frequently and honestly to build trust internally and externally.
  • Set clear expectations and outcomes you want to achieve to close this event out; it’s not only about the payment, and you can minimize unplanned costs.
  • If you decide to pay the ransom, determine how to pay without further harm; record what you learn and refine your ransomware response plan.

For more expert advice on minimizing damage to your organization in the event of a ransomware attack, download GroupSense’s 2022 Ransomware Negotiation Guide.

Topics: Blog Ransomware

Written by Editorial Team
