This bears some resemblance to the kidnapping business, and its high-seas version, piracy.
Here's part of an email I recently received informing me of such a breach, and subsequent payment of ransom.
"I’m writing to inform you that Blackbaud, the company that hosts [xxx’s] relationship management system, suffered a security incident in May. Blackbaud is the world’s largest provider of fundraising technology for non-profits and educational institutions, and many organizations have been impacted by this incident.
...
"We were also informed by Blackbaud that in order to protect data and mitigate potential identity theft, it met the cybercriminal’s ransomware demand. Blackbaud has advised us that it received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify the data accessed by the cybercriminal has not been misused."
************
Why should "assurances from the cybercriminal" be reassuring (and for how long)? And what are the roles played by "third-party experts"?
My guess is that, as in the kidnapping biz, intermediaries have emerged to conduct the negotiations, get some sort of assurances, and make it possible for criminal organizations to maintain reputations for honor among thieves.
It is of course possible to regard ransom paying as a repugnant transaction that facilitates ransomware, kidnapping, etc. In fact the U.S. for some time made it a crime to pay ransom to kidnappers, but relaxed that view over time, as kidnapping became a bigger international business, and there was often a considerable desire (sometimes covered by insurance) to pay ransom when it seemed the best way to recover the kidnapped person alive.
Here are some related posts which touch on that story: