Three ransomware negotiators were recently indicted by the U.S. Department of Justice. Two have already pleaded guilty. The third was just charged this month. All three worked in incident response. All three were secretly working with the ALPHV/BlackCat ransomware group while negotiating on behalf of victims.
One of them was assigned by his employer, DigitalMint, to negotiate ransoms for the very companies he had helped attack. He fed confidential information from those negotiations back to the criminal group to maximise payouts. Across ten attacks in the indictment, six resulted in ransom payments totalling over $75 million.
That is not a hypothetical. That happened.
The Scheme
The three co-conspirators operated as ALPHV/BlackCat affiliates. Two worked as ransomware negotiators at DigitalMint, a Chicago-based incident response firm. The third was an incident response manager at Sygnia. They breached company networks, stole data, deployed ransomware. Then, when the victims called for help, DigitalMint assigned the negotiations to the same people who had launched the attacks.
The affiliates paid 20% of collected ransoms to the BlackCat administrators. The rest was split among themselves.

What made this possible was not sophisticated hacking. It was access. These were trusted professionals with legitimate reasons to be inside victim networks, to understand their financial reserves, and to know exactly how much pressure to apply.
Why This Is an Insider Risk Problem
Most insider risk programs focus on employees. Maybe contractors. The DigitalMint case shows why that scope is too narrow.
Incident response providers occupy a unique position. They arrive during maximum organisational vulnerability, when normal oversight is suspended and urgency overrides verification. Within 48 hours, an IR team knows your network architecture, your insurance coverage limits, your business continuity priorities, your internal decision-making dynamics. They know where the security gaps are, because you showed them.
That information package is exactly what an attacker needs to maximise damage. When the IR provider is the attacker, the victim never stood a chance.
Traditional insider risk thinking does not account for this. These were not disgruntled employees downloading files to a USB drive. These were external partners operating under crisis conditions, with privileged access that nobody questioned because questioning it would slow down recovery.
The Crisis Environment Makes It Worse
In a normal operating environment, organisations maintain oversight. Vendors go through procurement. Access is reviewed. Financial authorities have approval chains.
None of that survives first contact with a ransomware incident.
When operations are down and revenue is bleeding, the instinct is to hand the experts whatever they need and get out of their way. IR providers get administrative credentials, visibility into financial systems for payment processing, and detailed knowledge of what hurts most. The information asymmetry between the provider and the internal team is enormous, and everyone is too stressed to close that gap.
This creates conditions where malicious activity becomes nearly impossible to detect in real time. An IR provider communicating with external parties? That is the job. Accessing sensitive systems? Also the job. Recommending a specific payment amount? Still the job. The legitimate work provides perfect cover for the illegitimate work.
Most organisations never audit IR provider activities beyond the technical deliverables. Financial discrepancies get absorbed into insurance claims processing. Nobody goes back to check whether the negotiated ransom was reasonable compared to the initial demand.
What the Warning Signs Look Like
In the DigitalMint case, prosecutors noted that the lead negotiator was providing direction and confidential information to maximise ransom payments. From the victim's perspective, that would have looked like a negotiator doing his job.
Still, some patterns should trigger scrutiny: financial pressure to pay quickly without a transparent breakdown of the negotiation process; resistance to letting the victim's legal counsel observe negotiations directly; an engagement scope that keeps expanding; and communication with external parties that is poorly documented or happens through channels the victim cannot audit.

None of these is conclusive on its own. But together, they point to something that deserves a closer look, especially when the stakes involve eight-figure ransom demands.
Structuring the Relationship Differently
The answer is not to avoid external IR providers. Most organisations genuinely need them during major incidents. The answer is treating the IR relationship as an insider risk management challenge from the start.
Separate the technical response from ransom negotiation. The DigitalMint case worked precisely because the same people controlled both. If one firm handles forensics and remediation while a separate firm handles threat actor communications and payment, neither has the full picture needed to exploit the victim. That creates natural checks and balances.
Retain independent oversight during incidents: a security counsel or internal audit function that monitors IR provider activities without disrupting the technical work. This is not about distrust. It is about maintaining the same governance that organisations apply to any other high-privilege vendor relationship, even under pressure.
Build financial controls that separate payment decisions from IR provider recommendations. The people advising on how much to pay should not be the same people authorising the payment. Independent legal and financial review should gate every ransom decision, no matter how urgent it feels.
And vet IR partners before the crisis hits. Background checks on key personnel, financial stability assessments, references from comparable incidents. The worst time to evaluate your IR provider is at 2 AM when your systems are encrypted.
The Bigger Pattern
DigitalMint has since implemented mandatory cloud-based negotiation platforms with full audit logging and is working with the Department of Homeland Security on a registry for threat actor negotiators. Those are reactive measures, but they point in the right direction.
The broader lesson is that crisis situations create ideal conditions for insider exploitation. Normal controls get suspended. Urgency replaces verification. And the people with the most access are the ones nobody is watching.
This extends beyond IR providers to any vendor relationship that involves privileged access during high-stress situations. Legal counsel during investigations. Forensic accountants during financial crimes. IT contractors during system migrations. The pattern is the same: elevated access, reduced oversight, and an assumption of trust that may not be warranted.
