One of the most cynical aspects of modern ransomware attacks is how cybercriminals try to position themselves as helpful security consultants. After encrypting your data and demanding payment, these criminals often sweeten their extortion attempts by offering "personalized" security advice to prevent future attacks. But how genuine are these recommendations, and should organizations take them seriously?
The Security Consultant Facade
As part of their negotiation tactics, ransomware groups frequently provide what appears to be tailored security guidance alongside their decryption tools. These recommendations often sound surprisingly legitimate and comprehensive. In some documented cases, attackers have gone remarkably deep into technical detail, advising system administrators to use browsers in private mode, avoid saving passwords in browsers, refrain from keeping files containing password lists, and work inside encrypted virtual machine disk images.
Some groups have even provided architectural recommendations, such as configuring firewalls so that administrator workstations have no direct access to critical servers and must instead go through jump servers. They have suggested long, complex passwords for administrative accounts, split so that one part is known only to the IT department and the other only to the security team. Further advice has included creating short-lived administrative accounts for daily tasks and destroying them afterwards.
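To make the jump-server recommendation concrete, here is what it looks like as a firewall ruleset. This is an added illustration, not text from the article or from any ransomware group's note; it is written for nftables, and the subnets, host address, set names and ports are assumed for the example.

```nftables
# Added example: admin workstations reach critical servers only via a jump host.
# All addresses, set names and ports below are assumptions for the illustration.
table inet filter {
    set admin_workstations {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/24 }
    }
    set critical_servers {
        type ipv4_addr
        flags interval
        elements = { 10.50.0.0/24 }
    }
    set jump_hosts {
        type ipv4_addr
        elements = { 10.20.0.5 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Weak rule that the jump-server recommendation replaces (left commented out
        # for contrast): every admin workstation may open sessions directly to any
        # critical server, so one compromised admin laptop reaches everything.
        # ip saddr @admin_workstations ip daddr @critical_servers accept

        # Admin workstations may reach the jump hosts, and only over SSH.
        ip saddr @admin_workstations ip daddr @jump_hosts tcp dport 22 accept

        # Only the jump hosts may open admin sessions to the critical servers.
        ip saddr @jump_hosts ip daddr @critical_servers tcp dport { 22, 3389 } accept

        # Any other traffic from admin workstations toward the servers is counted,
        # logged and dropped, so a direct-connection attempt is visible in the logs.
        ip saddr @admin_workstations ip daddr @critical_servers counter log prefix "admin-direct-to-server " drop
    }
}
```

Loaded with `nft -f`, this only constrains traffic that is forwarded through the firewall, so the workstation and server subnets must actually be separated by it. It also turns the jump host into a single chokepoint, which is the point of the design but means that host needs its own hardening (multi-factor authentication, session logging, no stored credentials) or it simply becomes the new best target.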
The Reality Behind the Recommendations
While these suggestions might sound impressive and technically sound, the reality is far less reassuring. The security advice provided by ransomware groups is predominantly copy-and-paste content with minimal personalization effort. Organizations shouldn't expect a genuine security audit or even a complete description of the tactics, techniques, and procedures (TTPs) used during their specific attack.
Groups like Akira and its predecessor Conti have been observed using virtually identical recommendations across different negotiations, with only marginal customization related to the initial access method used in each case. The personalization is superficial at best: perhaps a mention of the specific vulnerability or entry point exploited, but little beyond that.
Why This Matters for Security Teams
This pattern reveals several important insights for cybersecurity professionals:
Don't rely on attacker guidance
While some recommendations might be technically valid, they represent generic best practices rather than insights specific to your environment's weaknesses. Your security team likely already knows these fundamentals. Where an attacker does name an entry point, treat it as a lead to verify against your own logs and forensic evidence, not as an established finding.
The advice serves their interests
These recommendations exist to maintain the group's "professional" image and to support its negotiation position; they are not comprehensive security assessments tailored to your organization's risk profile.
Focus on comprehensive security reviews
Instead of depending on criminal "advice," organizations should conduct thorough internal security audits or engage legitimate security consultants who can provide detailed, environment-specific recommendations without the ulterior motive of maintaining criminal credibility. In particular, the tactics, techniques, and procedures actually used in your incident should be established by your own incident response and forensic investigation of the affected systems, not taken from the attacker's summary.
Moving Beyond Criminal "Consulting"
The barely personalized nature of ransomware security advice underscores a crucial point: these criminals are running a business, not providing genuine security consulting services. Their recommendations serve to legitimize their operations and to maintain the credibility on which that business depends.
Organizations that have experienced ransomware attacks should treat any criminal-provided advice with extreme skepticism. While some suggestions might align with security best practices, they shouldn't be considered comprehensive or sufficient for preventing future incidents.
The focus should remain on working with legitimate security professionals who can provide thorough, unbiased assessments of your security posture, assessments that do not come with the cost of supporting a criminal enterprise or sustaining the illusion that ransomware operators are anything other than sophisticated criminals exploiting organizational weaknesses for profit.
In the end, the best security advice comes from sources without a vested interest in your continued vulnerability to cyberattacks.