Most of us have probably read that one reason not to pay threat actors is that they cannot be trusted to keep their word to delete data they have exfiltrated. But how often does that actually occur?

I have sent inquiries to a number of incident response/negotiation firms and the DOJ. If I did not send one to your firm and your firm handles a lot of negotiations and payments, please accept my apologies for not having contacted you, and answer the following question (either publicly or via a private message to me):

In what percentage of cases where payment was made to delete data did threat actors break their word and not delete it?

Please feel free to share this post with others here and elsewhere to boost my chances of getting additional responses/estimates. Thank you all.

#incidentresponse #ransom #extortion #ransomware #databreach

LockBit held victims’ data even after receiving ransom payments to delete it

The infamous ransomware gang lied about destroying exfiltrated data after victims had given in to extortion demands.

@0xThiebaut Yes, I think that was the first time I had read any specific demonstration or claims of proof. But in what percent of cases does this happen, or is it actually pretty rare or confined to a few gangs or affiliates?

There are those who urge journalists to push the narrative that this is a real possibility, but when asked how often they have seen this actually happen, they don't answer.