Monday, August 10, 2020

Reputation among thieves: ransomware and kidnapping

Like everyone else, I occasionally get notifications of data breaches from organizations with which I have digital relations.  Often the breach involved a third party.  Sometimes the breach involves the theft of data accompanied by a demand of ransom--i.e. the victim is invited to pay the cybercriminal, who then promises to destroy the data instead of selling it on the dark web or otherwise using it.

This bears some resemblance to the kidnapping business, and its high-seas version, piracy.

Here's part of an email I recently received informing me of such a breach, and subsequent payment of ransom.

"I’m writing to inform you that Blackbaud, the company that hosts [xxx’s] relationship management system, suffered a security incident in May. Blackbaud is the world’s largest provider of fundraising technology for non-profits and educational institutions, and many organizations have been impacted by this incident.
...
"We were also informed by Blackbaud that in order to protect data and mitigate potential identity theft, it met the cybercriminal’s ransomware demand. Blackbaud has advised us that it received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify the data accessed by the cybercriminal has not been misused."
************
Why should "assurances from the cybercriminal" be reassuring? (And for how long?) And what roles are played by the "third-party experts"?

My guess is that, as in the kidnapping biz, intermediaries have emerged to conduct the negotiations, get some sort of assurances, and make it possible for criminal organizations to maintain reputations for honor among thieves.

It is of course possible to regard ransom paying as a repugnant transaction that facilitates ransomware, kidnapping, etc.  In fact the U.S. for some time made it a crime to pay ransom to kidnappers, but relaxed that view over time, as kidnapping became a bigger international business, and there was often a considerable desire (sometimes covered by insurance) to pay ransom when it seemed the best way to recover the kidnapped person alive.

Here are some related posts which touch on that story:

Monday, June 24, 2019  Kidnapping insurance

Tuesday, September 13, 2016 Ransom as a (not so) repugnant transaction

Monday, August 9, 2010 Brokers for pirate ransom

Saturday, December 5, 2009 Market for kidnapping

Sunday, November 30, 2008 Pirate ransom: counterparty risk
