How can a company ensure cybercriminals destroy hacked data after payment?

Information Security Asked on November 8, 2021

Cloud computing provider Blackbaud reported on "…the cybercriminal removed a copy of a subset of data from our self-hosted environment. … we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed."

How can the company be certain that the data is destroyed, and what reparation can it get if it is found later that the data is passed on after payment?

I couldn’t find any technical solution on Google. I guess the only assurance is the criminals’ "reputation": if these particular criminals are well-known, and word gets out that they leaked the data despite being paid, future are victims less willing to pay them(?).

7 Answers

The other answers focus on that it's not possible, so I will instead focus on how it could be possible. I'll leave it up to the reader to determine whether it is realistic or not.

Trusted 3rd party

It's entirely up to the attacker to create a system where they can prove that the data is secure. Once they have the data in their hands, it's too late. That's why they need to give the data directly to a 3rd party that both they and the company trust. It is also crucial that the 3rd party provides the information necessary to prove both that they have the data (e.g. file names and sizes) and that nobody has accessed it (e.g. a download count).

Here's how an attack could go:

  1. The attacker convinces an employee to upload the data to an account on the 3rd party through social engineering. The attacker controls this account and can potentially download the data.
  2. The attacker shows proof of upload to the company and makes the demand.
  3. When the ransom is paid, the attacker hands over the 3rd party account to the company, who then locks the attacker out of the account.
  4. The company verifies with the 3rd party that the data has not been accessed, then deletes the account and all the data.

Note how extremely limited the attack vectors are. The attack only works if someone the company trusts uploads the data. Furthermore, the attacker is greatly limited in infiltrating the company: If they inadvertently give themselves inauditable access to the data, it would make the above poof meaningless.

Answered by Fax on November 8, 2021

From a crime-business point of view, things can only get worse.

Technically, data that is copied cannot be remotely deleted or self-destroyed, nor prevented from doing additional copies. Not finding the stolen data already in the black market is pointless. Criminals might want to keep such data in the fridge for future use.

Both In my opinion, and judging from past cases of sextortion, the case may result in an endless blackmail until some condition is reached.

In known sextortion cases, criminals never deleted the offending material and continued to blackmail victims to pay a small fee regularly to keep the material private. This has a lot of common points with regualr mafia who demand money from shop-owners.

Cyber criminals are starting to act like traditional mafia, but they can use technology to remain mostly anonymous without need for consensus, bribery or threat to police officers.

It is believable than new criminal businesses will transform into ransom fees intended not to divulge yet the information stolen.

It can be hypotesized that the ransom will end when data stolen is enough out of date so that the harm done by publishing information is not enough to cover the current, past and future fees (anectode: if you are living all your life in a rent apartment, you should have bought it long ago), or when the company is ready to be put out of business in favour of a new company inheriting lots of assets.

These are just hypoteses

Answered by usr-local-ΕΨΗΕΛΩΝ on November 8, 2021

There is no way to know if the criminal really deleted the data.

All readable data can be copied, and copies can be encrypted to prevent detection.

I speculate that the criminals rarely actually delete the data in these types of situations. I would assume they keep a copy:

  1. for personal use
  2. to sell right before going completely underground, or
  3. to sell in fragments so the original source will be difficult to detect

When a company claims that all copies of compromised data have been deleted, it is wise to treat such a claim with great suspicion.

Answered by RockPaperLz- Mask it or Casket on November 8, 2021

Reputation is an important asset for an extortionist. They will not be paid if they are known not to obey the deals.

Then again, anonimity is another important asset for any criminal (as in not being caught and prosecuted).

So in practice, all these extortionists share a common "body of reputation" and everyone of them has their very own "prisoner's dilemma". They can try to get some more money and gradually ruin the business model for everyone doing the same (including themselves) and also face some resistance from their coleagues - or - obey the deals, not get the extra money now and keep the business model strong.

The data crimes also have the extra peculiarity that the criminals can keep the data indefinitely and either decide the dilemma later or lose themselves the control over the data (and get extorted themselves). Keeping the data, they also risk the data and their connection to it being found later by the law enforcement.

The practice shows than in most (but not all!) cases the extortionists obey the deals.

Answered by fraxinus on November 8, 2021

They can't. There is no way to prove that one does not possess some information. So whenever someone claims that they destroyed all copies they had of a piece of information, you have nothing but their word that this is true.

Answered by Philipp on November 8, 2021

Deliberately infect your systems with viruses that trigger when removed from your network.

How to make sure that the hackers delete your stolen data? I'm not a computer security professional, but here's an idea: infect it all with computer viruses that'll destroy their computers if they don't. If the data they downloaded stays encrypted, or they delete the data, they won't have anything to worry about. However, if they decrypt it so that they can harvest data for sale on the black market, the viruses will check their location, and upon finding that they are no longer on your system, they can begin to wreak havoc on the hacker's machines.

Of course, this would only work if you deploy these measures before the breach takes place, and you would want to make sure that your API strips out these viruses before sending out any data to authorized users of your cloud service. Additionally, having each file (or some certain subset of them) periodically checking their location would doubtlessly consume computing power and reduce the efficiency of your cloud computing platform, and thereby increase the cost of running it. Additionally, these measures might not be legal in all locations, and may leave you liable for the damages that the hackers suffered as a result of setting off your booby trap.

You would also need to design your cloud database to use a file type capable of carrying a viral payload, as well, such as Microsoft Word or Excel documents.

Answered by nick012000 on November 8, 2021

How can the company be certain that the data is destroyed,

It cannot be certain. The only hope that it is part of the criminals business model to maintain a good reputation in that one gets what is claimed.

But business models might change. For example if the existing ransomware business does not provide enough profit anymore it might be worth checking if one can get more profits from previously collected (and not actually deleted) data.

... what reparation can it get if it is found later that the data is passed on after payment?

None. They are dealing with criminals in the first place.

Answered by Steffen Ullrich on November 8, 2021

Add your own answers!

Related Questions

Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP