Why Do Ransomware Victims Pay for Data Deletion Guarantees?
Mathew J. Schwartz reports:
Many ransomware-wielding attackers are expert at preying on their victims’ compulsion to clean up the mess.
Hence victims often face a menu of options: Pay a ransom for a decryptor, and you’ll be able to unlock forcibly encrypted data. Pay more, and your name gets deleted from the list of victims on a ransomware group’s data-leak site. Pay even more and you get a promise that whatever data they’ve stolen – or already leaked – will be immediately deleted.
Of course, many victims will feel the impulse to do something, anything, for the illusion that they can belatedly protect stolen data and salvage their reputation. That impulse is understandable. But it’s not only too late, but also being used against them by extortionists. Psychologically speaking, criminals don’t hesitate to find the levers that will compel a victim to act – as in, give them money.
Most ransomware groups’ promises are bunk, and most of all anything they guarantee that a victim cannot verify.
Read more at BankInfoSecurity.
Mathew’s article addresses an important issue: not only may paying to delete data be throwing good money after bad, but it may also increase your likelihood of being attacked again, as you’ve made it clear that you are a victim who is willing to pay.
The weakness with the whole article is the lack of any actual proof or evidence. I’ve heard this argument many times, and while it sounds reasonable, has any victim ever come forward and said that this is what happened to them? I realize that victims may not want to expose any foolish mistakes or problems, but where is there any data or proof that paying to delete data statistically increases the risk of being attacked again? Who has the data, if it exists, and why can’t they pseudonymize it to provide it so we can all learn?