When Ransomware Groups Target Executives: Lessons from Our Latest IR Scenario

Ransomware hits different when executives are personally targeted. One Discernible Experience scenario pushed participants to practice three overlooked skills: advocating for specificity over legal vagueness, sharing threat intel with competitors, and supporting leaders under pressure.

This post is inspired by the debrief discussions following our most recent security communications scenario, "Operation Harassment: When Ransomware Groups Target Your Executives," which was based on the recent Salesloft/Drift ransomware incident. Our weekly experiences give security teams hands-on practice with realistic scenarios, and the conversations afterward often reveal insights that extend far beyond the simulation.

The Salesloft ransomware incident revealed something many security teams aren’t prepared for – modern extortion campaigns that don’t stop at encrypting systems or threatening to publish data. Sometimes they target executives personally, harassing families, posting home addresses, filing fake professional complaints, and flooding personal phones with threatening calls. In the case of the recent Salesloft incident, personal contact information was doxxed by the criminals on Telegram with a financial incentive for everyday people to pick up a pitchfork. 

Our Discernible Experience last week asked participants to practice three critical communication skills that most incident response training overlooks entirely: 

  • Advising executives to provide specific rather than vague breach notifications
  • Facilitating threat intelligence sharing with industry competitors
  • Supporting leaders who are being personally targeted

The discussions that followed the exercise surfaced four insights that every business leader should understand.

Vague Disclosures Won’t Protect You

The most heated debates in the incident debrief centered on a common scenario – legal counsel recommends intentionally vague incident disclosure language to "minimize liability exposure," leaving affected customers to fill in the blanks with incomplete information.

Participants wrestled with advising executives to override legal guidance and provide detailed information about what data was accessed, when, and what customers should do about it. The discomfort was palpable since many security professionals have never been asked to push back on legal recommendations, even when those recommendations clearly harm customer trust and brand value.

The counterintuitive reality is that specific disclosure often reduces legal risk rather than increasing it. Courts and regulators look more favorably on companies that demonstrate good faith and competency by providing clear, actionable information. Vague notifications create the perception that you either don't understand the incident's scope or you're hiding something, and neither of those protects you in litigation or regulatory proceedings. Discovery is a b*tch. 

Also, during our debrief, a few participants focused on one key argument: "Customers who can't determine what data was affected will assume the worst and make decisions based on fear rather than facts. Vague language accelerates the very outcome we're trying to prevent – customer defection and loss of trust."

The communication skill being practiced here isn't just "write better notifications or disclosures." It's learning how to advocate for customer-serving transparency when organizational incentives (legal risks, executive egos) push toward opacity. The best security attorneys I’ve ever worked with understand that specificity is actually a risk management strategy, not a liability.

Industry Coordination Strengthens Incident Intelligence

When attacks target an entire industry sector systematically (as we saw with sales engagement platforms), companies can respond independently with limited visibility of the threat actor's full campaign, or coordinate with peers (and often competitors) to share threat intelligence and understand the complete attack pattern.

Most executives' first instinct is to avoid coordination. "Why would we help our competitors?" was a common response heard by our experience participants. The competitive concern is understandable, but this logic misses the business advantage of information sharing. When you're dealing with a threat actor conducting a systematic campaign across multiple companies, your individual incident data represents only a fraction of what’s going on. You see what happened to you, but not what the attacker tried at other companies, which techniques worked or failed elsewhere, or what the attacker's broader objectives might be. 

Participants practiced articulating reasons for executives to participate in industry coordination, including:

  • Better threat intelligence: Other companies have IOCs (indicators of compromise) and TTPs (tactics, techniques, procedures) that can help you validate whether your investigation is complete. If three other platforms were compromised through a specific third-party integration, that's intelligence you can use immediately.
  • Faster response: Your peers may have already spent days or weeks investigating the same threat actor. Sharing their findings can significantly compress your response timeline and help you avoid investigative dead ends that they’ve already explored.
  • Enhanced defense: Understanding the attacker's full campaign helps you identify which of your defenses worked, which failed, and what the attacker is likely to try next. This is vastly more valuable than working from your isolated vantage point, looking at a single incident.
  • Customer protection: When the same attacker is targeting multiple platforms your customers use, coordinated intelligence sharing helps you provide better guidance about what customers should actually do to protect themselves across their entire tech stack.

The legal and competitive concerns about information sharing are addressable through proper structure. Industry ISACs (Information Sharing and Analysis Centers) provide legal protections for shared threat intelligence. The key is separating threat intelligence coordination (sharing IOCs, TTPs, and technical mitigations) from business coordination (which would raise antitrust concerns) – and this is where legal counsel can provide unique value. Security teams sharing "this threat actor used these specific techniques and here's what worked to detect/stop them" is fundamentally different from business teams discussing pricing or customer terms. Still, they need legal guidance on how to do it correctly.

Several participants noted that the biggest barrier they’ve experienced isn’t legal risk, but cultural constraints. Many security teams operate in organizations where coordination with competitors feels unnatural or even wrong. The communication skill being practiced here is helping executives understand that refusing to coordinate means operating with incomplete threat intelligence. You're making defense decisions based on partial information about an adversary who has a complete map of the entire campaign.

When participants reframed the question from "Are we helping competitors?" to "Are we getting the complete picture we need to make the best decision for the business," the executive decision often shifted.

Executive Harassment Requires Acknowledging Human Limits

The most difficult discussions in our scenario centered on the third phase of our incident – a coordinated harassment campaign against executives and their families. Participants role-played scenarios where CEOs were receiving threatening calls, their home addresses were posted online, fake allegations were being filed with professional licensing boards, and family members were being targeted on social media.

The criminal's message was explicit: "Pay up or the harassment intensifies. Your family will suffer."

Traditional incident response training rarely addresses this scenario, and many participants admitted they had no framework for thinking about it. Our simulation asked participants to develop communication strategies for supporting executives facing this level of harassment, including guidance on when and how to respond publicly, what to communicate internally, and how to balance executive safety with business continuity.

Multiple participants expressed understanding of why some executives choose to pay, "not because it's right, but because it's human." This acknowledgment matters. The most effective incident response strategies recognize that executives under sustained personal harassment cannot be expected to make optimal decisions without significant support structures.

During our scenario, participants practiced helping executives think through their options while under extreme personal pressure. This required:

  • Immediate and substantial support infrastructure. Participants developed plans that included executive protection consultations, social media security assistance, legal documentation, mental health resources, administrative support for screening communications, and family safety resources. The goal was to ensure executives had the support needed to make clear decisions rather than decisions driven by exhaustion and fear.
  • Frameworks for public response. Participants created guidance for when executives should respond publicly to harassment versus when silence is strategic.
  • Internal communication strategies. Participants also developed talking points for what executives should tell their teams, board members, and close business partners about the harassment campaign without creating panic or appearing to buckle under pressure.

Several participants noted that this kind of communication planning underscores the importance of preparing before incidents occur. Organizations need to have discussed these scenarios with boards and executive teams before someone is targeted, because trying to establish these frameworks during an active harassment campaign is exponentially harder.

The experience didn’t ask participants to advocate for a particular decision about paying the ransom. Instead, we focused on how to help executives maintain decision-making capacity and organizational stability when they're experiencing a severe personal attack, something that requires both practical support and thoughtful communication strategies.

Helpful Transparency Protects You

The overarching theme across each phase of our scenario was the tension between helpful transparency (which serves customers and strengthens security) and caution (which legal and PR teams often recommend). 

The irony is that the self-protective instinct to be vague, handle it alone, and minimize public discussion often creates the very outcomes organizations are trying to avoid: the "Streisand Effect."

The communication skill underlying every task in this experience was learning to help executives understand that transparency is a risk management strategy, not just a values statement. This requires being able to articulate specific mechanisms through which transparency reduces risk, such as:

  • Specific, helpful disclosure demonstrates good faith and due diligence in legal and regulatory contexts
  • Industry coordination provides more complete threat intelligence needed for effective defense and business decisions
  • Honest acknowledgment of challenges builds stakeholder confidence in your organization’s capabilities and judgment

Practice & Preparation Mean More Opportunities

What makes these communication challenges so difficult is that they often require persuading executives to act against their immediate instincts during high-stress situations. "Be more transparent when lawyers advise caution," "coordinate with competitors during an emergency," and "support executives facing personal harassment while maintaining operations" are typically not intuitive responses.

This is why we design experiences that practice these specific communication challenges. The participants who performed best in our scenario were those who could clearly articulate the customer perspective, provide specific evidence for their recommendations, acknowledge the legitimate concerns of legal and business stakeholders, and maintain their position under pressure.

These are learnable skills. But they require practice.