In Coveware’s Q3 2020 report, there’s a section on criminals not keeping their word about deleting data if you’ll just pay them their extortion demands (imagine criminals not keeping their word — oh, the shock):
PAYING A RANSOM MAY NOT STOP RANSOMWARE GROUPS FROM LEAKING THE EXFILTRATED DATA
Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data. The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / no leaked:
Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
Netwalker: Data posted of companies that had paid for it not to be leaked
Mespinoza: Data posted of companies that had paid for it not to be leaked
Conti: Fake files are shown as proof of deletion
Although victims may decide there are valid reasons to pay to prevent the public sharing of stolen data, Coveware’s policy is to advise victims of data exfiltration extortion to expect the following if they opt to pay:
The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt
Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future
The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt
They present a powerful case for not paying that second extortion. But can victims get the decryption key without paying the second part of the ransom? Won’t threat actors just increase the ransom for the decryption key if they learn that their victims will NOT pay them to delete data or promise not to publish it?
In a way, I think it’s a shame that Coveware and other experts haven’t publicly and immediately pointed out when criminals have broken their word. Maybe if they had/did, other victims wouldn’t have paid the ransom when criminals assured them that their word was good because if they lied, no one would ever believe them again.
Read Coveware’s full report on their site.