- timely response
- initial disclosure by company and not third party
- actual expression of shame and remorse
- a decent explanation of target/scope
I could imagine being cynical about the statement, but look at other companies who have gotten breached in the past. Very few of them do well on all points.
From a customer perspective, “in an effort to reduce the likelihood of this data becoming widely available, we’ve paid the ransom” is probably better, even if some people will not like it.
Also, to really be transparent, it’d be good to post a detailed postmortem along with audit results detailing other problems they (most likely) discovered.
It’s not great, but it’s the least shitty option.
This is like falling victim to a scam and paying more on top of it because the scammers promised to return the money if you pay a bit more.
I see no likelihood game to be played there because you can't trust criminals by default. Thinking otherwise is just naive and wishful. Your data is out in the wild, nothing you can do about that. The sooner you accept that, the better your chances of doing damage reduction.
Picking up hundreds of thousands at best (very few databases would be worth so much) when your main business pays millions or tens of millions per victim simply isn’t worth it; selling the data would jeopardise their main business, which is orders of magnitude more profitable.
Absolutely no IR company will advise their clients to pay if the particular ransomware group is known to renege on their promises.
Still, it's illegal or quite bureaucratic in some places to pay up.
And idk... It still feels like these ransom groups could well sit on the data a while, collect data from other attacks, shuffle, shard and share these databases, and then sell the data in a way that is hard to trace back to the particular incident and to a particular group, so they get away with getting the ransom money and then selling the DB later.
It's also not granted that even with the decrypt tools you'd be able to easily recover data at scale given how janky these tools are.
I don't know. I am less sure now than I was before about this, but I feel like it's the correct move not to pay up and fund the group that struck you, only so it can strike others, and also risk legal litigation.
I can’t think of anywhere it would be illegal, but the bureaucracy is usually handled by the incident response company who are experts at managing these processes.
> It's also not granted that even with the decrypt tools you'd be able to easily recover data at scale given how janky these tools are
Most IR companies have their own decryption tools for this exact purpose; they’ve reversed the ransomware groups’ decryptors and plugged the relevant algos into their own much less janky tools.
> And idk... It still feels like these ransom groups could well sit on the data a while, collect data from other attacks, shuffle, shard and share these databases, and then sell the data in a way that is hard to trace back to the particular incident and to a particular group, so they get away with getting the ransom money and then selling the DB later
Very few databases will be worth even $100k; ransoms tend to run in the millions and sometimes tens of millions. There have been individual payments of over $30M. Selling the data just isn’t worth it, even if you could get away with it without sabotaging your main business. It’d be like getting a second job as a gas station attendant while working for big tech in SF, possible but ridiculous.
> I don't know. I am less sure now than I was before about this, but I feel like it's the correct move not to pay up and fund the group that struck you, only so it can strike others, and also risk legal litigation.
The UK government even has a website where they basically say “yeah we understand you might need to make a payment to a sanctioned ransomware group, it’s totally fine if you tell us”. The governments accept that these payments are necessary, to the point that they’ll promise non-enforcement of sanctions. I can’t think of anywhere you’d really be risking legal repercussions if you have some reasonable IR company guiding you through the process.
I totally get the concern about funding these groups, but unfortunately the payments are so common at this point (the governments even publish guidelines! That common!) that it simply doesn’t make a difference if a few companies refuse to pay.