In the aftermath of a ransomware attack, organizations have traditionally been encouraged by cybersecurity professionals and law enforcement agencies to disclose as much information as possible. Publicly sharing details—including the identity of the suspected hacking group—has long been seen as a way to help authorities track down cybercriminals and limit the spread of malicious campaigns. However, recent discussions at the RSAC 2026 Conference suggest a shift in this thinking.
Experts are now warning that prematurely naming a ransomware group may do more harm than good. According to Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology, publicly attributing an attack can complicate response efforts rather than support them. One of the key concerns is that attribution may interfere with potential retaliation strategies or ongoing investigations, especially when multiple actors or unclear evidence are involved.
Another significant issue relates to cyber insurance. Many organizations rely on insurance policies to recover financial losses after an attack. However, Brett Callow, senior advisor at FTI Consulting, points out that publicly blaming a specific hacking group could negatively affect cyber insurance claims. Insurers may dispute coverage if attribution introduces ambiguity or suggests involvement of entities—such as nation-state actors—that fall outside policy terms.
The risks become even more pronounced when suspected attackers are linked to nation-states. In such cases, attribution can escalate the situation politically or legally, potentially complicating recovery efforts. Mike Egan, partner at Colley LLP, explains that victims’ reactions often change dramatically once a well-known group is named. While initial awareness of a cyberattack might be met with a measured response, learning that groups like Lazarus, LockBit, or Qilin are involved can trigger panic. This is largely due to uncertainty about how stolen data might be used, increasing fears of widespread personal data breaches and reputational damage.
Despite these concerns, experts emphasize that there is no one-size-fits-all approach to handling ransomware incidents. Each case requires a tailored response based on the nature of the attack, the available evidence, and the potential consequences of disclosure. While naming attackers can support long-term accountability and law enforcement efforts, it must be done carefully and strategically.
Ultimately, transparency with authorities remains critical. Failing to report incidents could allow cybercriminals to continue targeting other organizations, amplifying the overall impact. The challenge lies in balancing responsible disclosure with the practical risks of attribution—ensuring that actions taken in the wake of an attack do not inadvertently make the situation worse.
