53

Cloud computing provider Blackbaud reported on https://www.blackbaud.com/securityincident "...the cybercriminal removed a copy of a subset of data from our self-hosted environment. ... we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed."

How can the company be certain that the data is destroyed, and what reparation can it get if it is found later that the data is passed on after payment?

I couldn't find any technical solution on Google. I guess the only assurance is the criminals' "reputation": if these particular criminals are well-known, and word gets out that they leaked the data despite being paid, future victims are less willing to pay them(?).

Peter Mortensen
  • 877
  • 5
  • 10
Gnubie
  • 573
  • 1
  • 4
  • 7
  • 13
    The article says "Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that [...] data was or will be misused". They could have tried to find the stolen data on the black market, or tried contacting the criminals pretending to be other criminals willing to pay for the stolen data (and confirmed the data was unavailable), but I doubt they actually went so far. There's no way to know what their research and investigation involved exactly. – reed Jul 21 '20 at 16:46
  • 31
    Only if one is dealing with an honest criminal. – waltinator Jul 22 '20 at 14:29
  • 1
    Interestingly, the criminals income model falls apart if they aren't trusted to destroy the data, so it's often in their best interest to convince everyone they do so. And the best way to do build that trust is to actually do it. – Mooing Duck Jul 23 '20 at 19:49
  • 1
    Like @MooingDuck said, the cybercriminals have a very strong interest in being able to help you verify their identity as one of the gangs that do keep to their word. So you need to verify their identity, very carefully. If you can't verify they are who they claim they are, really you don't have an incentive to pay up. They have a big incentive to help you verify. – smci Jul 24 '20 at 07:41

7 Answers

108

How can the company be certain that the data is destroyed,

It cannot be certain. The only hope is that it is part of the criminals' business model to maintain a good reputation, in that one gets what is claimed.

But business models might change. For example, if the existing ransomware business does not provide enough profit anymore, it might be worth checking if one can get more profit from previously collected (and not actually deleted) data.

... what reparation can it get if it is found later that the data is passed on after payment?

None. They are dealing with criminals in the first place.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 6
    Although they cannot be certain, they could be reasonably confident in some cases. Since nobody here knows the specific details of the agreement we can only speculate, but it's possible a law enforcement agency was involved in the negotiation, and that prosecution will only happen if the information is later revealed. The company could want to avoid prosecution because it would lead to revelation of confidential information in court. If the criminal later violates the agreement, they could be subject to prosecution. Perhaps the criminal was a former employee with a grievance, for example. – barbecue Jul 21 '20 at 23:09
  • 32
    Note that their reputation is only damaged if a leak can be traced back to them. If you're relying on them to be a well behaved scorpion while you give them a ride across the river, you're gonna have a bad time. – corsiKa Jul 22 '20 at 07:12
  • 2
    This relies on the idea that you know which criminal has gained access to your data. If they aren't terrible at their jobs they should be entirely anonymous. Even if they did later leak the data despite your payment, whose reputation would be damaged? – Kevin Jul 22 '20 at 16:42
  • @KevinWells Criminals can be pseudonymous, and data-theft criminals might be repeat offenders. – Yakk Jul 23 '20 at 13:46
18

They can't. There is no way to prove that one does not possess some information. So whenever someone claims that they destroyed all copies they had of a piece of information, you have nothing but their word that this is true.

Philipp
  • 48,867
  • 8
  • 127
  • 157
  • 5
    Plus, you're dealing with criminals. I'm pretty sure they'd lie just as much as a politician. – PeteCon Jul 22 '20 at 19:57
10

Reputation is an important asset for an extortionist. They will not be paid if they are known not to obey the deals.

Then again, anonymity is another important asset for any criminal (as in not being caught and prosecuted).

So in practice, all these extortionists share a common "body of reputation" and every one of them has their very own "prisoner's dilemma". They can try to get some more money and gradually ruin the business model for everyone doing the same (including themselves) and also face some resistance from their colleagues - or - obey the deals, not get the extra money now and keep the business model strong.

The data crimes also have the extra peculiarity that the criminals can keep the data indefinitely and either decide the dilemma later or themselves lose control over the data (and get extorted themselves). Keeping the data, they also risk the data and their connection to it being found later by law enforcement.

The practice shows that in most (but not all!) cases the extortionists obey the deals.

fraxinus
  • 3,425
  • 5
  • 20
  • 2
    Having a provable consistent identity is probably key to these bigger ransomware groups. If you get hacked by "group xyz" and the message is signed by "xyz", you can then ddg "xyz ransomware" and see if anyone else has paid and what the outcome was. Sure, you can never prove that data will be deleted, but you can be pretty sure that you will get your data back if others have gotten it back in the past. Having a provable consistent identity is easy with a private gpg key, so you can be sure you are not dealing with "abc", an impersonator of "xyz". – Carson Graham Jul 23 '20 at 19:59
  • Agree. It depends on the degree the crime is organized. In this case, they have their own reputation and also plans for the future. – fraxinus Jul 23 '20 at 21:40
  • "The practice shows that in most (but not all!) cases the extortionists obey the deals." How do we know? – AnoE Jul 24 '20 at 11:29
  • Messages of repeat extortion are quite rare in the media. – fraxinus Jul 24 '20 at 13:48
  • @AnoE We have lots of reports of people getting their data back, and very few reports of the data also showing up elsewhere – Mooing Duck Jul 24 '20 at 16:22
  • Note: in the case I asked about, it's not so much about getting the data back, but ensuring the data is not used. – Gnubie Jul 25 '20 at 00:27
3

There is no way to know if the criminal really deleted the data.

All readable data can be copied, and copies can be encrypted to prevent detection.

I speculate that the criminals rarely actually delete the data in these types of situations. I would assume they keep a copy:

  1. for personal use
  2. to sell right before going completely underground, or
  3. to sell in fragments so the original source will be difficult to detect

When a company claims that all copies of compromised data have been deleted, it is wise to treat such a claim with great suspicion.

2

From a crime-business point of view, things can only get worse.

Technically, data that is copied cannot be remotely deleted or self-destroyed, nor prevented from being copied again. Not finding the stolen data already on the black market is pointless. Criminals might want to keep such data in the fridge for future use.

In my opinion, and judging from past cases of sextortion, the case may result in endless blackmail until some condition is reached.

In known sextortion cases, criminals never deleted the offending material and continued to blackmail victims to pay a small fee regularly to keep the material private. This has a lot of common points with the regular mafia who demand money from shop owners.

Cyber criminals are starting to act like the traditional mafia, but they can use technology to remain mostly anonymous without the need for consensus, bribery or threats to police officers.

It is believable that new criminal businesses will transform into ransom fees intended to not yet divulge the stolen information.

It can be hypothesized that the ransom will end when the stolen data is out of date enough that the harm done by publishing the information is not enough to cover the current, past and future fees (anecdote: if you are living all your life in a rented apartment, you should have bought it long ago), or when the company is ready to be put out of business in favour of a new company inheriting lots of assets.

These are just hypotheses.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
1

The other answers focus on the fact that it's not possible, so I will instead focus on how it could be possible. I'll leave it up to the reader to determine whether it is realistic or not.

Trusted 3rd party

It's entirely up to the attacker to create a system where they can prove that the data is secure. Once they have the data in their hands, it's too late. That's why they need to give the data directly to a 3rd party that both they and the company trust. It is also crucial that the 3rd party provides the information necessary to prove both that they have the data (e.g. file names and sizes) and that nobody has accessed it (e.g. a download count).

Here's how an attack could go:

  1. The attacker convinces an employee to upload the data to an account on the 3rd party through social engineering. The attacker controls this account and can potentially download the data.
  2. The attacker shows proof of upload to the company and makes the demand.
  3. When the ransom is paid, the attacker hands over the 3rd party account to the company, who then locks the attacker out of the account.
  4. The company verifies with the 3rd party that the data has not been accessed, then deletes the account and all the data.

Note how extremely limited the attack vectors are. The attack only works if someone the company trusts uploads the data. Furthermore, the attacker is greatly limited in infiltrating the company: if they inadvertently give themselves inauditable access to the data, it would make the above proof meaningless.

Fax
  • 175
  • 6
-17

Deliberately infect your systems with viruses that trigger when removed from your network.

How to make sure that the hackers delete your stolen data? I'm not a computer security professional, but here's an idea: infect it all with computer viruses that'll destroy their computers if they don't. If the data they downloaded stays encrypted, or they delete the data, they won't have anything to worry about. However, if they decrypt it so that they can harvest data for sale on the black market, the viruses will check their location, and upon finding that they are no longer on your system, they can begin to wreak havoc on the hackers' machines.

Of course, this would only work if you deploy these measures before the breach takes place, and you would want to make sure that your API strips out these viruses before sending out any data to authorized users of your cloud service. Additionally, having each file (or some certain subset of them) periodically checking their location would doubtlessly consume computing power and reduce the efficiency of your cloud computing platform, and thereby increase the cost of running it. Additionally, these measures might not be legal in all locations, and may leave you liable for the damages that the hackers suffered as a result of setting off your booby trap.

You would also need to design your cloud database to use a file type capable of carrying a viral payload, as well, such as Microsoft Word or Excel documents.

nick012000
  • 581
  • 1
  • 3
  • 7
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/111029/discussion-on-answer-by-nick012000-how-can-a-company-ensure-cybercriminals-destr). – Rory Alsop Jul 25 '20 at 19:27