Ransomware attacks pose a growing threat to both digital and physical infrastructures. When a ransomware incident occurs, victim organizations often face pressure to restore operations quickly—even if that means paying the ransom. However, payment introduces serious legal and financial risks: if the attacker is a sanctioned entity, making a payment could result in violation of international sanctions law. This makes accurate attribution of the threat actors essential. But how do cybersecurity professionals determine who is behind an attack? And how reliable are the methods they use?
This talk explores the complex and uncertain process of ransomware attribution, drawing on a mixed-methods study that combines expert interviews with analysis of real-world incident reports. Our findings challenge a common assumption in the threat intelligence community: that high-level indicators such as attacker TTPs (tactics, techniques, and procedures) are inherently more reliable for attribution than low-level Indicators of Compromise (IoCs). In practice, high-level indicators often appear too generic to support confident attribution, especially in the fast-changing Ransomware-as-a-Service (RaaS) landscape, where affiliates of the same program share tooling and playbooks and their TTPs therefore overlap. Instead, professionals lean more heavily on volatile low-level indicators such as ransom notes and infrastructure clues, which are easier to trace but also easier for attackers to change, so a match on them is quick to obtain and quick to become stale.
This attribution "minefield" is further complicated by group rebranding, affiliate models, legal uncertainty, and fragmented data sources. Together, these challenges highlight the risk of misattribution and the possibility that victims unknowingly violate sanctions by paying a group whose identity was misjudged. This calls for a reevaluation of sanctions enforcement policy so that it punishes ransomware actors and protects victims, rather than the other way around.