Recent cyber-attacks against Australian targets have seen partial or redacted copies of stolen data published online. While this can be a response by the attacker to the target’s refusal to pay a ransom or otherwise meet demands, there can be a variety of motives for publishing. Attackers can publish to show that they actually have the data they claim (and are not, for example, merely someone who has read about the attack on a dark web forum and is masquerading as the attacker).

They may be publishing in the hope that customers or supply chain partners whose data is included will put additional pressure on the victim to pay the attacker.

There may be several parties who have access to the data (or some of it). There’s no guarantee the attacker can destroy all existing copies, or, even if they could, that they will. For example, when law enforcement officers recently seized the LockBit ransomware site, they discovered that data the attackers had been paid to delete, and had promised to delete, was nonetheless still being stored. Not only would this allow the attacker to attempt further extortion or to use the data for nefarious purposes, it also left the data at risk of being taken by third parties.

The rise of “Ransomware as a Service” (RaaS) has resulted in a new phenomenon sometimes called a “rug pull” (a term derived from cryptocurrency scams). In RaaS, the developer of the ransomware sells a service to other criminals, who then choose a target and carry out the attack, paying the service provider a commission. With a “rug pull”, the RaaS service provider gets access to the payment and fails to pass any of it on to the attacker (or vice versa). The aggrieved party then returns to the target asking for payment to be made again, this time directly to them.

In a “double extortion”, the attacker, having obtained a payment for decrypting data, then asks for another payment for destroying copies they hold. Sometimes the second demand comes (or purports to come) from a connected third party.

The key takeaway is that there is no way to guarantee that stolen data will not be leaked, sold, or retained for later use, that encrypted data will be decrypted, or that any payment will bring an end to the ongoing risk or demands for further payments.

Do what you can to prevent the breach in the first place, but also be prepared and informed in advance, in case you have to make some tough decisions following an attack.