Municipalities, companies, and even hospitals have to make tough decisions when they are targeted with a ransomware scheme. Do they pay up to get the stolen data deleted, or do they just accept the loss and try to improve their security so it doesn’t happen again?
While hackers will often try to blackmail the victim by threatening to release sensitive stolen data, new research from Coveware suggests that these cybercriminals often won’t live up to their end of the bargain even if the victim agrees to make the ransom payment.
In fact, the research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway. In some cases, the data gets published online before the victim is given a chance to cut a deal on the agreed-to data deletion.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the report says. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.”
Find out what data’s been compromised before paying up
Coveware said it tries to steer clients away from paying a data deletion ransom before they’ve performed an investigation into what data was stolen, sought counsel from a privacy attorney, and alerted any potentially affected customers.
“The bottom line is, ransomware is a business of hope,” Fabian Wosar, chief technology officer at computer security firm Emsisoft, told KrebsOnSecurity.
“The company doesn’t want the data to be dumped or sold. So they pay for it hoping the threat actor deletes the data. Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated.”