Most of us have probably read that one reason not to pay threat actors is that they cannot be trusted to keep their word to delete data they have exfiltrated. But how often does that actually occur?

I have sent inquiries to a number of incident response/negotiation firms and the DOJ. If I did not send one to your firm and your firm handles a lot of negotiations and payments, please accept my apologies for not having contacted you, and answer the following question (either publicly or via a private message to me):

In what percentage of cases where payment was made to delete data, did threat actors break their word and not delete it?

Please feel free to share this post with others here and elsewhere to boost my chances of getting additional responses/estimates. Thank you all.

#incidentresponse #ransom #extortion #ransomware #databreach

LockBit held victims’ data even after receiving ransom payments to delete it

The infamous ransomware gang lied about destroying exfiltrated data after victims had given in to extortion demands.

@0xThiebaut Yes, I think that was the first time I had read any specific demonstration or claims of proof. But what percent of cases does this happen, or is it actually pretty rare or confined to a few gangs or affiliates?

There are those who urge journalists to push the narrative that this is a real possibility, but when asked how often they have seen this actually happen, they don't answer.

@PogoWasRight deletion is impossible to verify. So the percentage you ask for would never be accurate. Anything an extortion group shows you is not trustworthy. Trusting them at *all* is a mistake. *ANY org* paying out for ransomware extortion raises the threat for *EVERY* potential victim. Doing so gives the threat actor incentive to continue their behavior. Paying won’t protect you from next time.

Defense in depth and tested offline backups or immutable storage snapshots.

@OutsideCasey The percent I asked for would certainly be an underestimate, for the reasons you so accurately described. But it would be nice to have even a low-ball baseline to get a sense of how often this occurs.

@PogoWasRight it is certainly my opinion, but it’s ALWAYS. They are ALWAYS keeping the data. 100% There are no trustworthy extortionists.

@PogoWasRight my experience is limited to my org, we didn’t pay. We went through DR, rebuilt some environments. Another team identified the source of the breach (malicious email link), and we’ve done our best to improve policy and culture. That was the nail that finally got multi-factor auth approved by mgmt. Years ago now. It was a bad couple of weeks with lots of OT.