“What will it take for victims of ransomware, extortion and other types of cybercrime to stop directly funding their attackers?” That’s the great question posed by BankInfoSecurity after WIRED reported AT&T paid hackers $370,000 to delete the data they had stolen. BankInfoSecurity reports:
How many of the approximately 165 victims of the campaign targeting Snowflake customers chose to pay a ransom? If they did, it’s worth noting that criminal promises aren’t worth the paper they’re printed on. Paying attackers also validates the criminal business model, providing direct funding for future attacks.
Security experts have long urged organizations that fall victim to ransomware or data theft to never pay for abstract guarantees, such as assurances that stolen data has been deleted. Simply put, there’s no evidence ever in the history of cybercrime that every last copy of a set of stolen data has ever been deleted by criminals, despite what they might claim.
So why did AT&T pay, and why did the intermediary negotiator even tell WIRED about the payment? And why would a supposedly experienced researcher ever suggest that he believes all data have been deleted because there was a video of deletion?
There is a lot that is questionable about the situation: a hacker supposedly asks a researcher to act as an intermediary and negotiate with their victim, and the researcher agrees, allegedly for the sake of AT&T? And takes a fee from AT&T for their services? Does that make them a ransom negotiator, like the firms that do this as their business? Or does that make the researcher a conspirator who assisted the criminals in extorting their victim? In how many cases has this “independent security researcher” acted as negotiator/go-between for criminals? Do the criminals also pay him a percentage of what they get or a fee?
And why did the researcher make the payment public, knowing that paying criminals is universally condemned? Did he take the story to WIRED with AT&T’s permission? Did AT&T really want the payment made public? Or did this researcher make the payment public in the hope that more criminals will ask him to become their negotiator? If so, what does that make him?
Are these thorny legal or ethical issues, or does something just smell fishy?
Read more at BankInfoSecurity.