DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Don ‘t pay ransom on the promise your data will be deleted, because it won’t be — Coveware

Posted on November 4, 2020 by Dissent

In Coveware’s Q3 2020 report, there’s a section on criminals not keeping their word about deleting data if you’ll just pay them their extortion demands (imagine criminals not keeping their word — oh, the shock):

PAYING A RANSOM MAY NOT STOP RANSOMWARE GROUPS FROM LEAKING THE EXFILTRATED DATA

Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data. The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / no leaked:

  • Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.

  • Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.

  • Netwalker: Data posted of companies that had paid for it not to be leaked

  • Mespinoza: Data posted of companies that had paid for it not to be leaked

  • Conti: Fake files are shown as proof of deletion

Although victims may decide there are valid reasons to pay to prevent the public sharing of stolen data, Coveware’s policy is to advise victims of data exfiltration extortion to expect the following if they opt to pay:

  • The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt

  • Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future

  • The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt

They present a powerful case for not paying that second extortion.  But can victims get the decryption key without paying the second part of the ransom? Won’t threat actors just increase the ransom for the decryption key if they learn that their victims will NOT pay them to delete data or promise not to publish it?

In a way, I think it’s a shame that Coveware and other experts haven’t publicly and immediately pointed out when criminals have broken their word.  Maybe if they had/did, other victims wouldn’t have paid the ransom when criminals assured them that their word was good because if they lied, no one would ever believe them again.

Read Coveware’s full report on their site.

Category: Commentaries and AnalysesMalwareOf Note

Post navigation

← Ca: Kingston Health Sciences Centre investigating possible cyber-security incident
Cork hospital fined €65k after patients’ personal data found in public recycling facility →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.