Many ransomware-wielding attackers are expert at preying on their victims’ compulsion to clean up the mess.
Hence victims often face a menu of options: Pay a ransom for a decryptor, and you’ll be able to unlock forcibly encrypted data. Pay more, and your name gets deleted from the list of victims on a ransomware group’s data-leak site. Pay even more and you get a promise that whatever data they’ve stolen – or already leaked – will be immediately deleted.
Of course, many victims will feel the impulse to do something, anything, for the illusion that they can belatedly protect stolen data and salvage their reputation. That impulse is understandable. But it’s not only too late, but also being used against them by extortionists. Psychologically speaking, criminals don’t hesitate to find the levers that will compel a victim to act – as in, give them money.
Most ransomware groups’ promises are bunk, and most of all anything they guarantee that a victim cannot verify.
Unfortunately, seeing victims pay for data-deletion promises isn’t new. Take BlackBaud, a publicly traded, South Carolina-based firm that provides cloud-based marketing, fundraising and customer relationship management software used by thousands of charities, universities, healthcare organizations and others. After suffering a ransomware attack in May 2020 that included data being stolen, three months later the business reported: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
Criminals to Victims: ‘Trust Us’
Such confirmations aren’t worth the paper they might be printed on (see: Class Action Lawsuit Questions Blackbaud’s Hacker Payoff).
“They’re not going to delete your data. I mean, just flat out, they’re going to pretend to delete your data,” says Allan Liska, a principal intelligence analyst at Recorded Future (see: Most Healthcare Ransomware Hits Include Patient Data Theft). “We’ve seen that time and time and time again, and I think organizations are fully aware of that. So then the question becomes: ‘Will they pay for the illusion that the data has been removed?'”
Unfortunately, the answer too often seems to be “yes.” In July, British authorities urged solicitors to advise their clients to not pay for data-deletion guarantees from criminals. The Information Commissioner’s Office, which enforces U.K. privacy laws – including the General Data Protection Regulation – emphasized the point by saying that if it investigated an organization after a breach and found cybersecurity failings, the fact that it paid for a data-deletion promise would not reduce in any way the fine it might face (see: Don’t Pay Ransoms, UK Government and Privacy Watchdog Urge).
Bill Siegel, the co-founder and CEO of Coveware, which helps organizations respond to ransomware attacks – including sometimes negotiating down ransom demands – continues to urge victims to stop paying for data-deletion promises, not least because it’s bad for them (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
“Frankly, it can exacerbate the problem,” he says. It turns out that a victim that pays for abstract assurances seems to entice attackers to come back and try to extort them for even more.
From a business standpoint, there is nuance in what companies might achieve with a ransom payment.
“With encryption, there’s a real cost in recovery, and if your backups were hit and so on, you may not have any choice but to pay,” Liska says.
But paying for a tool is different than for a promise. “If you pay a ransom for a decryption tool or key, and you get the decryption tool or key, it doesn’t degrade, it doesn’t go away, right?” Coveware’s Siegel says. “Hopefully, you’ll be able to recover your data if you’ve done the right diligence and testing up front.”
Multiple incident response groups and law firms – including ones that work with insurers – track ransomware groups, studying their approach to negotiations and propensity to provide working decryptors. All of this can better inform a victim’s decision about whether or not to pay a ransom and what they’ll get in return.
With ransomware groups, it pays to be informed – and for the good of all, to not perpetuate the ransomware ecosystem by ponying up for inherently empty promises.