CyberCare by STORM Guidance

Ransom negotiation, sanctions checks, settlement and tracing

A comprehensive threat actor engagement service

Available as part of our incident response retainer or as a standalone service

Acting swiftly and strategically can make all the difference

Our approach is scientific, structured, collaborative, fully confidential, and measured.

With over 20 years of ransom negotiation experience, we appreciate the sensitivities involved and offer a free, no-obligation strategic consultation prior to any assignment.

STORM's threat actor engagement service enables businesses and their appointed professional advisors to make informed decisions about the impact, obligations, recovery and other options, to manage risk optimally in the aftermath of a cyber incident involving an extortion demand.

Coordination support

Assimilation of incident scenario and strategy consultation with ongoing situational updates.

Threat intelligence

Briefing intel on the threat actors/criminal group and MO. Dark web monitoring of breached data.

Sanctions checks

Analysis of key threat actor and crypto wallet identifiers with checks in relevant jurisdictions.

Ransom negotiation

Controlled and secure engagement with threat actors following agreed strategy and pursuance of target objectives.

Ransom settlement

Cryptocurrency payments with financial accounting and insurer coordination, as well as blockchain analysis and tracing.

Data recovery

Expert advice and support to ensure critical systems and data are rapidly returned to business-as-usual.

STORM's threat actor engagement service highlights

Engagement & coordination

  • Working closely with legal experts and digital investigations specialists

  • Free initial strategy consultation without obligation to continue

  • In-brief with management and agreeing target objectives

  • Establishing and using credible negotiation personas (legends)

  • Initiating timely and considered communications with threat actors over anonymous and secure channels

Threat intelligence

  • Adjusting negotiation strategy to identified criminal group

  • Cross-matching gathered intelligence against digital investigation results, including knowledge of:

    • Breached datasets

    • Root causes

    • Positively identifying initial points of compromise and enabling remedial protection

  • Dark web monitoring for breached data (6 months)

Breached data analysis

  • Using our AI-driven CyberDiscover platform

  • Extremely rapid, low-cost analysis for the identification of sensitive PII

  • Analysis performed in specified region complying with data protection requirements

  • Swift turnaround time with results typically generated in a few days

  • Enables decisions relating to the sensitivity of stolen data

Ransom negotiation

Progressing to obtain any combination of required objectives:

  • Obtaining Proof of Life (of stolen data)

  • Gathering intelligence on the Threat Actors and Initial Points-of-Compromise

  • Obtaining Proof of Decryption capability

  • Introducing controlled delays

  • Obtaining assurance of data deletion

  • Negotiating an agreed settlement

Law enforcement liaison

With the client's full authorisation:

  • Liaison with law enforcement

    • National and/or international

  • Coordination of any actions:

    • Monitoring, disruption/delays, intelligence, recovery

  • Separate LE engagement report

Sanctions checks

Our specialists provide:

  • Sanctions checks in all relevant jurisdictions

  • Immediate alerting to positive hits

    • Named and associative

  • Complete report of findings

Ransom settlement

Preparing and settling the ransom demand:

  • Receipt of client funds for the ransom demand

  • Conversion from fiat into designated cryptocurrency

  • Test payment and verification of receipt

  • Completion of payment

  • Separate settlement report

Advice on data recovery

Working with IT specialists on:

  • Ensuring multi-key ransomware encryption methods are fully understood and factored into negotiation

  • Advising on reducing re-infection risk

  • Assisting with coordinating efficient recovery

  • Advising on fast decryption techniques

  • Testing & validation

Ransom payment tracing

  • Using advanced analysis to trace ransom settlement payments

  • Both blockchain and fiat trace capabilities and liaison with law enforcement

  • Overcoming TA countermeasures such as mixing

  • Supporting client-appointed advisors with freezing orders

  • Assisting in settlement recovery efforts

Our comprehensive threat actor engagement service

As a UK NCSC CIR L2 Assured Service Provider, STORM Guidance operate to the very highest standards of cyber incident response.

Contact the CyberCare team

If you would prefer to speak to the team, give us a call:

UK/Europe: +44-203-693-7480

Africa: +230-434-1277

USA: +1-703-232-9015

Threat Actor Negotiation Uncovered

Behind the Ransomware Curtain

Take a closer look at ransomware negotiations with STORM’s unique expertise, including a case study on the Royal Mail attack and insights from a seasoned negotiator.

The Economist - Secrets of a ransomware negotiator

A rare behind-the-scenes look at the strategies and expertise of STORM’s own negotiator.

Royal Mail Ransomware Negotiation Analysis

STORM’s in-depth analysis of leaked threat actor transcripts following the Royal Mail attack.

What People Don’t Know About Negotiating a Cyber Attack Ransom

An in-depth exploration of the complexities involved in ransomware negotiations.

Confessions of a ransomware negotiator

The delicate art of negotiating with ransomware attackers, featuring insights from STORM’s own Nick Shah.

We respond to any cyber or fraud incident, globally

The team at STORM have considerable experience across the field.

Learn more about some of the more common incident types we respond to.

Our distinctive approach to ransom negotiation

When experience matters

As authors of the UN Handbook on Ransom Negotiation, we have formulated a set of typical objectives which make it easy for our clients to understand and be confident in the process.

Introducing controlled delays

Obtaining attack intelligence

Obtaining proof of decryption

Obtaining proof of life of stolen data

Assurance of deletion of stolen data

Negotiating agreed settlement
