Assessing Credibility and Threat of New Ransomware Group
HUMINT Challenge Series 🎯 THINK LIKE AN ADVERSARY #1

Real-world inspired scenario: A ransomware group just posted a new victim on their leak site. They claim:
• 2TB of exfiltrated data
• Full domain compromise
• Public release in 5 days

Your client is already panicking. Before escalation, you need to answer 3 questions:
• Is the data actually real? How can you collaborate?
• Is the operator credible? What will you do to be sure?
• Is negotiation likely to work? Are you willing to negotiate?

Initial findings:
• Threat actor is new
• Only 1 forum post total
• 0 ransom payments verified via escrow
• Claimed affiliations with a known RaaS ecosystem

But something feels off...

Key observations:
1️⃣ Their leak site infrastructure overlaps with previously abandoned phishing domains.
2️⃣ The published samples don't match the claimed impact. The actor claims deep network compromise, yet the exposed files suggest only limited access.
3️⃣ The actor aggressively pushes for fast payment within hours, which is unusual for groups trying to maximize negotiation leverage.

Possible explanations:
• They're overstating the actual compromise?
• The leaked data could be recycled or incomplete?
• Could be a newer affiliate trying to build credibility fast?
• Pressure tactics meant to force quick payment before verification?

What would YOU investigate next? Full debrief next Saturday.