Paying for Promises That Can't Be Verified Invites Repeat Extortion of Victims
Many ransomware attackers are experts at exploiting their victims' desire to make the mess go away.
Hence, victims are often presented with a menu of options: pay the ransom for decryption, and you will receive a decryptor to unlock the encrypted data. Pay more, and your name will be removed from the list of victims on the ransomware group's data leak site. Pay more still, and you will be promised that any data they have stolen, or have already leaked, will be deleted immediately.
Of course, many victims will feel an impulse to do something, anything, on the theory that they can retroactively protect the stolen data and salvage their reputation. The motive is understandable. But not only is it too late by then, the extortionists also use that impulse against them. Criminals do not hesitate to find psychological levers that will push the victim to act, which in practice means handing over money.
Most of the promises ransomware gangs make are untrue, and above all, the gangs make sure the victim has no way to verify them.
Unfortunately, seeing victims pay for promises of data deletion is nothing new. Take Blackbaud, a publicly traded company based in South Carolina that provides cloud-based marketing, fundraising and CRM software used by thousands of charities, universities, healthcare organizations and others. After suffering a ransomware attack in May 2020 that included data theft, the company reported three months later: "Because protecting our customers' data is our top priority, we paid the cybercriminals' demand with confirmation that the copy they removed had been destroyed."
Criminals to victims: trust us
Such confirmations are not worth the paper they might be printed on (see: Class Action Lawsuit Questions Blackbaud's Hacker Payoff).
"They're not going to delete your data. I mean, quite simply, they're going to pretend to delete your data," says Allan Liska, principal intelligence analyst at Recorded Future. (Ransomware attacks on healthcare organizations, for example, frequently involve the theft of patient data.) "We've seen that over and over again, and I think organizations are very aware of that. So the question becomes: Are they going to pay for the illusion of data removal?"
Unfortunately, the answer often seems to be "yes." In July, British authorities urged lawyers to advise their clients not to pay criminals for promises of data deletion. The Information Commissioner's Office, which enforces the UK's privacy laws, including the General Data Protection Regulation, underscored the point by saying that if it investigates an organization after a breach and finds cybersecurity failures, the fact that the organization paid for a promise to delete data will in no way reduce any fine it might face (see: Don't Pay Ransoms, British Privacy Regulator Urges).
Bill Siegel, co-founder and CEO of Coveware, which helps organizations respond to ransomware attacks, including by negotiating ransom demands when necessary, continues to urge victims to stop paying for promises of data deletion, not least because doing so is bad for them (see: Realistic Ransom Policy: Paying to Delete Data Is for Suckers).
"Honestly, it can exacerbate the problem," he says. A victim that pays for abstract assurances signals to the attackers that it will pay, which appears to draw them back to extort the same victim for more.
From a business standpoint, there is real nuance to what paying a ransom can actually buy.
"With encryption, there is a real cost in recovery, and if your backups etc. are compromised, you may not have any choice but to pay," Liska says.
But paying for a tool is different from paying for a promise. "If you pay a ransom for a decryption tool or key, and get a decryption tool or key, it won't decompose, it won't disappear, right?" says Coveware's Siegel. "We hope you will be able to recover your data if you have taken the right care and testing in advance."
Various incident response firms and law firms, including those that work with insurers, track ransomware groups, studying their approach to negotiations and their track record of providing working decryptors. All of this can better inform a victim's decision on whether or not to pay a ransom, and what it will actually get in return.
With ransomware groups, it pays to be aware of this, and, for the benefit of all, not to perpetuate the ransomware ecosystem by paying for inherently empty promises.