Executive Summary
Ransomware attacks continue to evolve in sophistication, disrupting operations and commanding the urgent attention of regulators, law enforcement and government agencies. Organizations victimized in these incidents now face not only the immediate operational and financial impact, but also intense regulatory scrutiny — particularly when negotiating with threat actors or considering ransom payments.
Even with comprehensive screening by specialized cybersecurity vendors, organizations remain exposed to the risk of subsequent regulatory investigations if they make payments to entities that turn out to be the subject of sanctions. Recent enforcement actions, such as the U.S. Department of Justice’s (DOJ’s) indictment of vendors and payment platforms, underscore that all parties involved in the response process may be subject to rigorous examination.
Regulators are increasingly demanding access to internal records related to incident response, ransom negotiations and payment decisions, so it is essential that organizations responding to a ransom attack retain legal counsel experienced with security breaches and use vetted and trusted external vendors. Key decisions, actions and investigations must also be carefully documented with the assistance of counsel with an eye to future scrutiny and, to the degree possible, to bring them within attorney-client privilege.
Current Key Trends and Threat Actor Groups
Ransomware attacks continue to be at the forefront of cyber threats, with several key trends:
- Attackers now routinely employ triple extortion tactics that combine data encryption and exfiltration (theft) with additional pressure such as distributed denial-of-service attacks and harassment of the victim’s employees or customers.
- The rise of “ransomware-as-a-service” — in which affiliates lease ransomware built and maintained by a core group, typically in exchange for a share of the proceeds — has made ransomware more accessible to less skilled criminals and attacks harder to attribute.
- The use of artificial intelligence tools allows even inexperienced threat actors to identify sensitive material and tailor extortion demands, increasing both regulatory and reputational risks for businesses.
Threat actor groups differ in their modus operandi, from the vulnerabilities they exploit to the tooling and techniques they use. Threat intelligence reporting from leading cybersecurity firms indicates that, while law enforcement actions have disrupted some major ransomware groups (e.g., LockBit), new and rebranded entities have quickly filled the void. Some of the most notable groups include:
- ShinyHunters: Responsible for a rising number of large-scale data theft and extortion intrusions, in particular by conducting voice phishing (vishing) campaigns to obtain employees’ credentials and gain access to organizations’ systems. The group has also enrolled attacker-controlled devices in victims’ multifactor authentication and has exfiltrated data from software-as-a-service platforms such as Google Workspace, Salesforce and DocuSign. It follows these moves with aggressive and intimidating extortion tactics.
- CL0P: Exploits zero-day vulnerabilities (flaws unknown to the software vendor, for which no patch exists at the time they are exploited) in widely used tools and applications, and is considered by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to be one of the largest phishing distributors worldwide.
- Akira: Employs multi-vector extortion, including encryption, exfiltration and pressure tactics. According to U.S. government guidance, Akira is also known for spearphishing (highly personalized attacks against specific individuals/companies) and exploiting external-facing services.
- Interlock: Targets diverse sectors, including critical infrastructure, by compromising legitimate websites and conducting social engineering attacks. Because Interlock is a relatively new group, global threat intelligence on it is more limited, which makes attribution of these incidents more challenging.
Responding to a Ransomware Attack
An urgent, coordinated response is critical to containing a ransomware attack, preserving evidence and minimizing legal and operational risks. Upon detection of an incident, organizations should immediately isolate affected systems and networks to prevent further spread and engage an incident response team under attorney-client privilege to ensure a coordinated and legally protected response. Key thematic concerns that can drive success or failure of a response process are:
Vetting Vendors
There has recently been a considerable increase in governmental scrutiny of individuals and vendors involved in each step of the ransomware attack response process. For example, in December 2025, the DOJ announced it had worked on an international coordinated takedown of an online cryptocurrency exchange and payment processing vendor which laundered proceeds of cybercrime. The DOJ also recently charged two employees of a large ransom payment negotiations vendor with computer hacking and extortion related to ransomware attacks against several U.S.-based entities.
Therefore, it is crucial that businesses engage legal counsel at the outset of the incident response process and leverage the support of counsel to ensure external vendors are properly vetted. All vendor engagement and due diligence processes should be robust and well-documented.
Negotiation and Communication With Threat Actors
Payment of a ransom does not eliminate regulatory, disclosure or litigation risk. The incident response may be subject to external scrutiny later.
It is essential to conduct thorough due diligence on the suspected threat actor to avoid violating international sanctions laws. For example, the U.S. Office of Foreign Assets Control imposes a strict liability standard for payments to sanctioned entities, so even unintentional payments to sanctioned entities can result in significant civil penalties.
In light of this, it is critical to engage legal counsel and experienced, vetted incident response professionals who can help identify potential sanctions risks, evaluate the fact-specific benefits and risks of engagement, and ensure appropriate engagement by senior executives and the board.
However, even if specialist ransom negotiation and payment vendors are retained under privilege to provide expert advice, an organization’s engagement of those vendors, as well as its threat actor negotiation strategy, may be subsequently analyzed by regulators or law enforcement, and can ultimately lead to shareholder litigation.
Utilizing Privilege
Organizations responding to an incident should work closely with legal counsel to ensure that specialist advisers can be engaged quickly via counsel so their work is privileged.
As scrutiny into ransom negotiations and payments is rising, legal counsel should be consulted on all elements of an incident response process. Continuous involvement of counsel will bolster the application of privilege over key decisions, communications and incident-related documentation.
Board-Level Escalations
Incident escalation protocols require forethought and thorough planning. They should be clearly documented, prepared with guidance from legal counsel and should specify when and how to involve senior leadership and the board of directors in an incident response process.
If board-level escalation pathways are not clearly articulated, individual responsibilities during an incident may be unclear, and the resulting gaps may themselves draw heightened regulatory scrutiny of security policies and procedures after the fact.
Regulatory Requirements
Regulators are becoming increasingly attuned to ransom attacks, and with the growing number of cybersecurity regulations globally, multinational businesses face more overlapping, parallel cybersecurity obligations, often imposing compressed timelines.
For example, in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), due to be finalized this year, will require entities across critical infrastructure sectors to report “covered cyber incidents” to CISA within 72 hours, and any ransomware payments within 24 hours.
In the E.U., two significant additions to the regulatory response framework are the Digital Operational Resilience Act and the NIS 2 Directive, both of which implement stringent incident notification requirements and make senior management of regulated entities personally liable for compliance.
Australian laws already require organizations to report ransomware and cyber extortion payments within 72 hours of making a payment. Similar proposals by the U.K. government are currently under consultation, including a ban on ransomware payments for public sector bodies and critical national infrastructure entities, and a mandatory reporting regime for ransomware incidents. There are also extensive data incident notification obligations in the U.K.
Key Actions
When responding to a ransom attack, organizations need to consider many different, often competing, priorities in a fast-paced and highly stressful environment. The following proactive steps will reduce legal exposure and mitigate regulatory risks:
- Update incident response plans and related policy documents.
- Conduct privileged tabletop exercises with legal counsel to practice responding to cyber incidents.
- Determine and practice incident escalation pathways.
- Retain incident response vendors in advance under privilege.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.