Published September 29th, 2025 // By: DigitalMint Cyber
DigitalMint Cyber Fireside Chat with Jennifer Polliard
DigitalMint Cyber Fireside Chat Episode 5
Inside the Minds of Threat Actors with Jennifer Polliard of Booz Allen Hamilton
In a world where ransomware attacks are growing more frequent and complex, DigitalMint’s latest Cyber Fireside Chat pulled back the curtain on what it’s like to negotiate with threat actors.
Joining our COO and Head of Threat Actor Intelligence, Don Wyper, was Jennifer Polliard, Director of Threat Actor Communications and Intelligence at Booz Allen Hamilton — and someone who’s been on the front lines of cyber extortion for years.
Here are some of the key highlights from the conversation:
From Law Enforcement to Cyber Negotiator
Jennifer’s path to becoming one of the top threat actor negotiators was anything but traditional.
A former U.S. Army veteran and law enforcement officer, Jennifer specialized in crisis negotiation and child victim investigations before transitioning into cyber. She admits she’s “not technical whatsoever,” but emphasizes that ransomware negotiation is more about people skills than coding skills.
”Throughout my time in law enforcement I was also trained through the FBI Academy Crisis Negotiation. So I was also a part of the crisis negotiation team, so that kind of parallels what we do a little bit. The tactics are somewhat the same – stall and distract. The only thing that ends up different is we end up sometimes having to pay the bad guy.” — Jennifer Polliard
Key Trends in the Ransomware Landscape
According to Jennifer, two major trends are shaping the ransomware world in 2025:
1. Data Extortion Over Encryption
Threat actors are focusing more on exfiltrating and ransoming data rather than just encrypting systems. This shift is due to improved corporate backups and incident response practices.
“There’s a couple trends that I’ve been seeing. one of them, and I’ve noticed probably heavily over the last year, is more of the focus on the data exfiltration portion or holding the data at a higher value. and I think that that is likely due to companies becoming more cyber savvy and having backups properly.”
2. Rise of Unknown ‘One-Off’ Groups
After major FBI takedowns of groups like LockBit and BlackCat, there’s been a surge in smaller, lesser-known groups trying to fill the power vacuum — often aggressively.
“Sometimes you could tell that they are new and they have a point to prove if they are super aggressive, because then they don’t have the rules that the other larger groups tend to follow.”
What It’s Like Negotiating With Criminals
Jennifer’s team communicates with cybercriminals daily. Some come from larger groups and mimic structured negotiation practices. Others are chaotic and aggressive.
She explains that:
Many threat actors pride themselves on their “reputation”, which ironically helps maintain a degree of “honor among thieves.”
Red flags for potential re-extortion include overly quick negotiations or steep discounts.
Some attackers display empathy—especially when it comes to attacks involving children’s hospitals.
“They said to me, this is business. you need to get back up and running and we need to get paid. And I said, ‘I understand that, but at the cost of children’s lives?’ And they apologized and immediately gave the decryptor back for free.”
Common Misconceptions From Clients
Many of Jennifer’s clients are seasoned business negotiators, but ransomware negotiations are different:
“I have to explain to them that these guys don’t really care about your reputation. All they care about is getting paid. so they’re not going to think logically.”
Educating clients about the psychology and behavior of cybercriminals is a crucial part of her role.
Day-to-Day Dialogues: AI, Google Translate, and Virtual High Fives
While AI tools like ChatGPT or “WormGPT” have been rumored among threat actors, Jennifer says she hasn’t seen wide adoption. Most criminals still use broken Google Translate, which often causes confusing exchanges.
Still, the negotiation process is nuanced and can become oddly personal.
“We communicate with them daily, it’s almost as if you get to know them. So when we tell a client, what we’re going to say, this is what we expect them to say back to us. It’s always kind of like a virtual high five, we knew exactly what they were going to do.”
One story she shared involved a particularly aggressive actor who kept calling her “sir”:
“I kind of was a little frustrated with the aggressiveness and the tone that they were taking with me. So my response to them was, ‘I appreciate the respect of and the formality of calling me sir, I’m not a sir. I’m a ma’am.’ And they completely changed their tone and started calling me ‘madam’ and we ended up working out a good deal for the client.
Who Are the Big Players Now?
Following the takedown of LockBit and BlackCat, a few groups are leading today’s threat landscape:
Akira (especially leveraging the recent SonicWall vulnerability)
INC Ransom
Qilin
