Beneath the Surface: Unveiling the Power of Cyber Threat Actor Engagement
What if there was critical intelligence beneath the surface that could be extracted, but you didn’t know it was available?
Hidden in plain sight within the cybercrime ecosystem, cyber threat actors continue to thrive, leveraging new and emerging vulnerabilities to achieve their goals. When we talk about “beneath the surface” in the context of cyber threat actors, we mean peeling back the layers of their operations through strategic communication to uncover actionable insights.
Engaging these adversaries, whether proactively, such as tracking Initial Access Brokers (IABs) to disrupt their supply chain, or reactively, such as negotiating with ransomware operators to mitigate damage, transforms hidden data into a powerful tool. It enables organisations to anticipate threats, strengthen defences and outmanoeuvre attackers in the evolving cybercrime landscape.
NSB Analysis Note: Before engaging adversaries, organisations must implement specific operational measures beyond the scope of this blog to ensure safety and compliance. These measures include robust legal, technical, and ethical safeguards to mitigate risks inherent in direct adversary interaction.
Ransomware Negotiation: Peeling Back the Layers of Cyber Extortion
Ransomware is a malicious software attack where cybercriminals encrypt an organisation’s data or lock critical systems, demanding payment, typically in cryptocurrency, for a decryption key to restore access.
Tried and tested for several years, engaging with ransomware operators, especially when executed strategically, reveals insights into their:
Tactics;
Motivations; and
Vulnerabilities.
Specifically, specialist negotiation firms, experienced in cybercrime communication and backed by technical expertise, can uncover details such as:
Proof-of-Attack: Evidence such as a file listing or sample encrypted files verifies the breach’s scope and authenticity, which helps assess the threat’s severity. By leveraging this evidence, negotiators can also challenge inflated ransom demands, often reducing payments by demonstrating limited impact or data value.
Ransomware Strain: Identifying the malware variant (e.g., LockBit, RansomHub) reveals the attacker’s tactics, techniques and procedures (TTPs). It can also allow technical teams to exploit known weaknesses, such as weak encryption in certain variants, to restore systems without paying a ransom.
Payment Processes: Details on cryptocurrency wallets or payment demands, exposing financial trails that can disrupt the attacker’s operations.
Communication Patterns: Analysing the attacker’s language, timing, or negotiation style, which can indicate their sophistication, location, or group affiliation. Communication patterns can also reveal the attacker’s pressure tactics or inexperience, allowing negotiators to delay payments, sometimes for weeks, buying time to deploy backups or decryption tools.
Exfiltrated Data Samples: Samples of the stolen data show what was actually taken and inform containment strategies, such as isolating compromised systems to prevent further leaks.
Infrastructure Clues: Uncovering details about command-and-control servers or phishing domains, which can be blocked or disrupted to weaken the attack.
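As an added example (not code from the original post or from NSB), the script below pulls several of the intelligence points listed above out of a constructed negotiation transcript: wallet addresses and whether they change mid-negotiation (payment processes), the demanded amount and deadline language (pressure tactics), referenced file names (proof-of-attack), and the attacker’s active hours and reply latency (communication patterns). The transcript format, the speaker labels and every message are assumptions made for this example; the two Bitcoin addresses are the well-known documentation example addresses, not real payment details.

```python
"""Extract negotiation intelligence from a ransomware chat transcript.

Added example, not code from the original post. The transcript format
("[YYYY-MM-DD HH:MM:SS] SPEAKER: text") and every message below are
constructed for illustration. The two Bitcoin addresses are the
well-known documentation example addresses, not real payment details.
"""
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(?P<speaker>[A-Z]+):\s+(?P<text>.*)$"
)
# Mainnet address shapes: legacy Base58 (1.../3...) and native segwit (bc1...).
BTC_LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\b(\d+)\s*h\b")  # "48h"-style pressure deadlines
FILE_RE = re.compile(r"\b[\w\-/]+\.(?:xlsx|csv|docx|pdf|sql|bak)\b", re.IGNORECASE)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample transcript (not a real negotiation).
TRANSCRIPT = """\
[2025-03-02 03:14:07] ATTACKER: Your network is encrypted. Price is 2.5 BTC. Wallet: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
[2025-03-02 09:02:41] VICTIM: We need proof before our board will discuss anything. Send a file listing.
[2025-03-02 11:47:19] ATTACKER: files: finance/Q1.xlsx, hr/payroll.csv. You have 48h or we leak everything.
[2025-03-03 02:58:33] ATTACKER: New wallet 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2, pay now.
"""


@dataclass
class Message:
    ts: datetime
    speaker: str
    text: str


def parse_transcript(raw: str) -> list[Message]:
    """Parse '[timestamp] SPEAKER: text' lines; anything else is skipped."""
    messages = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            messages.append(Message(ts, m["speaker"], m["text"]))
    return messages


def legacy_checksum_ok(addr: str) -> bool:
    """Base58Check: the last 4 bytes must equal the first 4 bytes of
    double-SHA256 over the 21-byte payload. A failure usually means a
    transcription error or a regex false positive."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_intel(messages: list[Message], attacker: str = "ATTACKER", victim: str = "VICTIM") -> dict:
    """Collect payment, pressure, proof-of-attack and timing indicators from the attacker's turns."""
    wallets: list[str] = []
    amounts: list[float] = []
    deadlines: list[int] = []
    files: list[str] = []
    active_hours: Counter = Counter()
    reply_latency_s: list[int] = []
    pending_victim_ts = None  # time of the victim message still awaiting a reply

    for msg in messages:
        if msg.speaker == attacker:
            active_hours[msg.ts.hour] += 1
            if pending_victim_ts is not None:
                reply_latency_s.append(int((msg.ts - pending_victim_ts).total_seconds()))
                pending_victim_ts = None
            for rx in (BTC_LEGACY_RE, BTC_BECH32_RE):
                for addr in rx.findall(msg.text):
                    if addr not in wallets:
                        wallets.append(addr)
            amounts += [float(a) for a in AMOUNT_RE.findall(msg.text)]
            deadlines += [int(d) for d in DEADLINE_RE.findall(msg.text)]
            for f in FILE_RE.findall(msg.text):
                if f not in files:
                    files.append(f)
        elif msg.speaker == victim and pending_victim_ts is None:
            pending_victim_ts = msg.ts

    return {
        "wallets": wallets,
        "wallet_checksum_ok": {w: legacy_checksum_ok(w) for w in wallets if not w.startswith("bc1")},
        "wallet_changed": len(wallets) > 1,  # a mid-negotiation wallet swap is itself a signal
        "demanded_btc": amounts,
        "deadline_hours": deadlines,
        "referenced_files": files,
        "attacker_active_hours_utc": dict(sorted(active_hours.items())),
        "reply_latency_s": reply_latency_s,
    }


def analyse(raw: str = TRANSCRIPT) -> dict:
    return extract_intel(parse_transcript(raw))


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

Legacy addresses are checksum-validated so that a mistyped or falsely matched string is flagged before it is handed to blockchain analysis or law enforcement; bech32 addresses are only shape-checked here. The timing fields are the raw material for the communication-pattern analysis described above: active hours hint at the operator’s time zone, and reply latency over a long negotiation shows how much time defenders are actually buying.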
These actions, executed within the legal, technical and ethical safeguards noted above, transform negotiation into a powerful intelligence-gathering tool, peeling back the layers of cyber extortion to mitigate damage and inform future defences. Intelligence-driven outcomes not only neutralise immediate threats but also feed threat intelligence platforms, enabling proactive monitoring of dark web forums to predict and prevent future attacks, and turning negotiation into a cornerstone of strategic cybersecurity.
Proactive Engagement: Disrupting the Supply Chain
Proactive engagement hinges on extracting critical intelligence from the cybercrime supply chain’s key players, for example Initial Access Brokers and Data Brokers, to disrupt attacks before they materialise. IABs sell stolen credentials or exploits for network access on dark web markets, while Data Brokers trade compromised datasets, such as customer records or employee PII, fuelling extortion or phishing campaigns.
By leveraging open-source intelligence (OSINT), dark web monitoring, or undercover operations, security teams can pre-empt threats, transforming hidden intelligence into attack prevention. Specifically, proactive information extraction can yield the following critical intelligence points:
Compromised Credentials: Identifying stolen login details (e.g., user accounts, VPN or RDP access) offered by IABs enables organisations to revoke or reset credentials, blocking unauthorised access before attacks begin.
Exploit Listings: Uncovering unpatched vulnerabilities or zero-day exploits advertised on dark web forums allows defenders to patch systems, preventing exploitation by RaaS affiliates.
Stolen Data Inventories: Obtaining samples of datasets traded by Data Brokers reveals compromised information, guiding containment efforts to prevent phishing or extortion campaigns.
Affiliate Networks: Mapping RaaS affiliate relationships through forum chatter exposes operational hierarchies and dependencies, preventing or disrupting ongoing and future operations.
Infrastructure Endpoints: Identifying attacker infrastructure, such as phishing domains or hosting servers, facilitates blocking or takedown operations, crippling the supply chain’s operational backbone.
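One way to operationalise the Compromised Credentials point above, as an added example (not code from the original post or from NSB): the script matches constructed IAB listings against an organisation’s own domains, its suppliers’ domains and an account directory, then ranks the resulting reset, investigate and notify actions so that a privileged account with remote access is handled first. The listing fields, domain names, account names and severity rules are assumptions made for this example; in practice the listings would come from a monitoring feed and account state from the identity provider.

```python
"""Triage Initial Access Broker (IAB) listings against an organisation's own estate.

Added example, not code from the original post. Listing records, domains,
account names and the directory lookup are constructed for illustration; a
real deployment would take listings from a monitoring feed and account state
from the identity provider.
"""
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
REMOTE_ACCESS = {"rdp", "vpn", "citrix"}  # access types that hand an affiliate a direct foothold

# Constructed sample data (fictional sellers, domains and accounts).
LISTINGS = [
    {"seller": "broker-A", "access": "RDP", "domain": "corp.example.com", "user_hint": "j.doe", "price_usd": 1500},
    {"seller": "broker-A", "access": "VPN", "domain": "EXAMPLE.COM", "user_hint": "svc_backup", "price_usd": 3000},
    {"seller": "broker-B", "access": "webmail", "domain": "unrelated.example.net", "user_hint": "admin", "price_usd": 400},
    {"seller": "broker-C", "access": "RDP", "domain": "mail.example.com", "user_hint": "old.contractor", "price_usd": 700},
    {"seller": "broker-C", "access": "RDP", "domain": "partner.example.org", "user_hint": "", "price_usd": 900},
]
OWN_DOMAINS = {"example.com"}
SUPPLIER_DOMAINS = {"partner.example.org"}
DIRECTORY = {  # account name -> state, as the identity provider would report it
    "j.doe": {"enabled": True, "privileged": False},
    "svc_backup": {"enabled": True, "privileged": True},
    "old.contractor": {"enabled": False, "privileged": False},
}


def is_owned(domain: str, owned: set[str]) -> bool:
    """Case-insensitive match that also catches subdomains (corp.example.com -> example.com)
    without being fooled by look-alikes such as example.com.evil.test."""
    d = domain.lower().strip(".")
    return any(d == o or d.endswith("." + o) for o in owned)


def triage(listings, own_domains, supplier_domains, directory) -> list[dict]:
    """Turn raw listings into prioritised defensive actions; listings that
    concern unrelated organisations are dropped."""
    own = {o.lower() for o in own_domains}
    suppliers = {s.lower() for s in supplier_domains}
    actions = []
    for item in listings:
        domain, access, user = item["domain"].lower(), item["access"].lower(), item["user_hint"].lower()
        base = {"domain": domain, "user": user, "access": access, "seller": item["seller"]}
        if is_owned(domain, own):
            account = directory.get(user)
            if account is None:
                # Hint does not resolve: could be an alias, a former employee or a forged listing.
                actions.append({**base, "severity": "high", "action": "investigate_unknown_account"})
            elif not account["enabled"]:
                actions.append({**base, "severity": "medium", "action": "confirm_disabled_remove_stale_access"})
            else:
                severity = "critical" if account["privileged"] else ("high" if access in REMOTE_ACCESS else "medium")
                actions.append({**base, "severity": severity, "action": "reset_password_revoke_sessions"})
        elif is_owned(domain, suppliers):
            actions.append({**base, "severity": "medium", "action": "notify_third_party"})
    actions.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["domain"], a["user"]))
    return actions


if __name__ == "__main__":
    for a in triage(LISTINGS, OWN_DOMAINS, SUPPLIER_DOMAINS, DIRECTORY):
        print(f'{a["severity"]:<8} {a["action"]:<36} {a["user"] or "-"}@{a["domain"]} via {a["access"]} ({a["seller"]})')
```

Two details matter more than they look: domain matching must treat `CORP.Example.com` as yours but not `example.com.evil.test`, or the triage will both miss real exposures and chase decoys, and a listing whose account hint does not resolve in the directory should be investigated rather than discarded, since brokers abbreviate names and forged listings do occur.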
Neutralising compromised credentials, patching the vulnerabilities exposed in dark web listings and mapping affiliate networks enables defenders to proactively dismantle the cybercrime supply chain, blocking attacks and exposing illicit networks. Continuously sharing intelligence, such as stolen credentials or affiliate mappings, with law enforcement can amplify disruption. This collaboration strengthens global efforts to dismantle cybercrime networks, leveraging extracted data to fuel ongoing investigations.
Ethical Challenges
Engaging cyber threat actors, whether reactively or proactively, raises ethical dilemmas that lurk beneath the surface of cybersecurity. Negotiating with ransomware operators often involves weighing the immediate need to restore critical systems against the risk of funding further criminal activity. Paying a ransom may save business operations, but it inherently fuels the cybercrime ecosystem.
Posing as buyers on dark web markets to extract intelligence treads a fine line: while it disrupts supply chains, it risks legitimising illicit platforms or provoking retaliation if exposed. These actions, even when conducted within the legal, technical and ethical safeguards outlined earlier, demand careful consideration of unintended consequences, including potential harm to victims if data leaks escalate.
Engaging threat actors reveals intelligence that shifts the balance of power. Extracting ransomware strains or compromised credentials transforms covert data into tools for prevention and disruption. Yet, ethical dilemmas, from enabling crime to risking privacy, demand considered navigation. Organisations can move beyond defensive reactions to pre-emptive control, building resilient defences and dismantling cybercrime’s foundations, or engaging with third-party providers to amplify expertise and intelligence-sharing. This intelligence-driven approach charts a course for a more secure digital landscape, empowered by vigilance, collaboration, and specialised support.
We’ve prepared the Ransomware Q2 2025 Report, packed with frontline insights, to help you understand today’s threats and prepare for what’s next.