Kivu’s Saunders on Threat Actor Tactics, Negotiations and Intelligence Gathering
Ransomware negotiations aren’t just about paying criminals, they’re about gathering strategic intelligence. “There’s a misconception around threat actor negotiation that if you’re going to speak to a threat actor, you’re ultimately going to go and pay them,” said Daniel Saunders, director of incident response for EMEA at Kivu, part of Quorum Cyber.
See Also: OnDemand | Navigate the threat of AI-powered cyberattacks
“Threat actor negotiations is a tool that you can use, and it should be a workstream that you’re running in parallel to the forensic investigation, the recovery and the crisis communications,” Saunders said. These communications can reveal how attackers gained access, what data was compromised and help organizations anticipate the next moves. More importantly, engagement helps victims maintain psychological control when facing increasingly aggressive tactics, including threats to life and direct harassment of employees and clients.
The intelligence gathered also proves valuable in unusual scenarios, such as when multiple threat actors operate simultaneously within the same network, he said.
In this video interview with Information Security Media Group at Infosecurity Europe 2025, Saunders also discussed:
- How collaboration with law enforcement helps takedown operations;
- The potential impact of the proposed ransom payment bans in the U.K.;
- Advice for CISOs who treat ransomware as a worst-case scenario.
Saunders has extensive experience in incident response and cybersecurity advisory services, supporting a wide range of organizations globally during active cyber incidents. He also leads proactive initiatives to help organizations strengthen their cyber resilience. His consulting background includes roles at firms such as Kivu, Sygnia and NTT.
