Colin Cowie

From Leaks to Leads: Investigating Ransomware Chat Leaks at Scale

Ransomware chat leaks offer a rare view into the inner workings of criminal groups, but only after untangling the data. This talk showcases a Python-based workflow for structuring, visualizing, and investigating these leaks at scale, including timelining, network analysis, and AI-assisted translation. To support collaborative analysis, I built interactive web portals that recreate the chat environments, with capabilities for searching, filtering, and sharing key messages. The leaked data includes insights into extortion negotiations, state influence, and the daily lives of ransomware crews. Intrusion techniques are cross-referenced with incident response data and paired with firsthand perspectives from the adversaries themselves.
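The structuring, timelining and network-analysis steps the abstract describes, sketched as an added Python example. This is not the speaker's tooling: the JSON-lines layout of the dump, the handles and every message are constructed for illustration, and the functions (`parse_leak`, `daily_timeline`, `interaction_graph`, `search`) are names chosen here. Real leaks arrive with inconsistent timestamps and broken lines, so the parser reports what it had to skip instead of dropping it silently.

```python
"""Structure a constructed ransomware-chat leak, build a per-day timeline and
a who-talks-to-whom graph. Added example; not the speaker's code."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import json
import re

# Constructed sample (assumption): one JSON object per line with an epoch
# timestamp, sender, recipient and body. Lines are deliberately out of order
# and two are malformed, as exported dumps usually are.
SAMPLE_LEAK = """\
{"ts": 1700103600, "from": "ops1", "to": "admin", "text": "victim counter offer 500k"}
{"ts": 1700000000, "from": "ops1", "to": "admin", "text": "access to the victim is ready, what price?"}
this line is not json
{"ts": 1700003600, "from": "admin", "to": "ops1", "text": "start at 2m, settle no lower than 800k"}
{"ts": 1700007200, "from": "ops1", "to": "coder", "text": "locker crashes on the second host, fix?"}
{"ts": 1700002000, "from": "ops1", "text": "missing recipient field"}
{"ts": 1700010800, "from": "coder", "to": "ops1", "text": "rebuild pushed, test again"}
{"ts": 1700100000, "from": "admin", "to": "coder", "text": "payout split later, good work"}
"""


def parse_leak(raw: str):
    """Normalize a JSON-lines dump into sorted message dicts.

    Returns (messages, skipped): every line that is not valid JSON or lacks a
    required field is counted rather than silently lost, so the analyst knows
    how much of the leak the later views actually cover.
    """
    messages, skipped = [], 0
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            # Timestamps are normalized to UTC so timelines from different
            # exports line up.
            when = datetime.fromtimestamp(int(rec["ts"]), tz=timezone.utc)
            messages.append({"when": when, "from": str(rec["from"]),
                             "to": str(rec["to"]), "text": str(rec["text"])})
        except (ValueError, KeyError, TypeError):
            skipped += 1
    messages.sort(key=lambda m: m["when"])
    return messages, skipped


def daily_timeline(messages):
    """Message volume per UTC day, oldest day first."""
    counts = Counter(m["when"].strftime("%Y-%m-%d") for m in messages)
    return dict(sorted(counts.items()))


def interaction_graph(messages):
    """Directed edge weights (sender, recipient) -> count, plus per-actor degree.

    Degree here is total messages sent or received, a cheap proxy for who sits
    at the centre of the crew before any heavier graph tooling is applied.
    """
    edges = Counter((m["from"], m["to"]) for m in messages)
    degree = defaultdict(int)
    for (a, b), n in edges.items():
        degree[a] += n
        degree[b] += n
    return edges, dict(degree)


def search(messages, pattern: str):
    """Case-insensitive regex search over message bodies (e.g. ransom figures)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [m for m in messages if rx.search(m["text"])]


def format_message(m) -> str:
    """One-line rendering suitable for sharing a key message with a colleague."""
    return f'{m["when"]:%Y-%m-%d %H:%M}Z {m["from"]} -> {m["to"]}: {m["text"]}'


if __name__ == "__main__":
    msgs, skipped = parse_leak(SAMPLE_LEAK)
    print(f"{len(msgs)} messages parsed, {skipped} lines skipped")
    print("timeline:", daily_timeline(msgs))
    edges, degree = interaction_graph(msgs)
    print("busiest actors:", sorted(degree.items(), key=lambda kv: -kv[1]))
    for m in search(msgs, r"\d+k\b"):
        print(format_message(m))
```

The same three views (timeline, graph, search) are what a shared web portal would expose; the functions return plain dicts and lists so they can be fed to any front end or to a graph library for real network analysis.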


Colin is a Senior Threat Intelligence Analyst on the Sophos Managed Detection and Response team, where he focuses on intrusion analysis, campaign tracking, and working closely with detection engineers to counter emerging threats. He has a background in digital forensics and previously worked as a penetration tester in the financial sector. Outside of work, Colin enjoys building Python tools to support research automation and biking around Seattle.

[Speaker headshot: Colin Cowie, LABScon 2025]