• wizardbeard@lemmy.dbzer0.com
    14 hours ago

    Paying out hacker ransom isn’t a particularly rare event. The hackers that do it professionally are… professional. If they don’t follow through on their side of the agreement then no one pays them.

    This isn’t some “dangerous precedent”; it’s a basic business decision that paying up would be cheaper than the alternative options. Normal cyber crime response and remediation shit.

    • blargh513@sh.itjust.works
      13 hours ago

      Ha ha, what?

      They’re criminals. They fucked shit up for money and then held the company hostage. If they don’t pay, the ransom group WILL release the data. If they do pay, they might release the data, but they’ll just quietly sell it rather than just dumping it.

      They’re a business. It took time and effort to break in. They want to be paid. If you stiff them, they’re going to fuck you in the ear. If they sell your data after the fact, what are you going to do? Complain to the manager?

      They’re not professional, they’re extortionists that don’t give two shits if they’re respected. They steal what’s precious and threaten to dump it or sell it back. Their reputation is already shit, why would they care otherwise? This is such a naive take.

      • osaerisxero@kbin.melroy.org
        12 hours ago

        I think this is the more naive take. If it was a given that the information would be public either way, no one would ever pay. Ransomware groups rely on a reputation of withholding their end of the arrangement or the corporate bean counters could never justify the payout to them.

        • jaybone@lemmy.zip
          4 hours ago

          It’s interesting though. For lots of other crimes, people don’t pay ransoms. For example, the recent kidnapping of that TV personality’s mother in Arizona. And in those cases, such an arrangement or transaction, when completed, fulfills both sides and it’s done. In this case, there is no guarantee that data doesn’t end up sold on the dark web regardless of whether the payment is made. And plenty of other let’s say not as “professional” hacker groups (I put in quotes for lack of a better word, and that’s a term we are using in this thread) sometimes can’t decrypt your shit because they are running shredware rather than ransomware. Or they just fucked up and don’t know what they are doing. So it’s a big chance you are taking.

          And yes, some of the “professional” groups have essentially a “customer support” team, which you contact and they help walk you through the process of paying the ransom and whatever else, applying the decryption etc.

          • Couldbealeotard@lemmy.world
            3 hours ago

            When someone gets kidnapped there’s no CEO that can go to jail for a privacy breach. Data breaches typically stay out of the news; if it becomes public the victim company can face mask action. It can literally be cheaper to quietly pay the hackers.