What If Attackers Pivot from Ransom to Extortion?

This is one of those ideas that I debate a bit before posting. Either 1) it’s seriously evil and I shouldn’t give anyone the idea, or 2) anyone wicked enough to do it will have already thought about it and/or is already doing it. I’m posting it here because I’m convinced it’s #2.

So the idea is that attackers could pivot from getting users to pay to unlock their files to getting companies to pay not to expose their weak security to the public.

So instead of saying the following to consumers and SMBs:

Hey, I know you need these files, and if you don’t pay me you’ll never get to access them again…

They instead say this to well-known companies that can lose millions of dollars if they make the news:

Hey, you have a reputation of safeguarding customer data, but here’s a ton of evidence that you’re not very good at it (screenshot). Pay us $5,000 or we will tell the following journalists (list) how easy it was to steal this data from your company.

I think a lot of companies would pay that. And even if the journalist angle didn’t work, they could just announce it on Twitter and post the content on Pastebin.

Having good backups fixes the ransom problem because you don’t care that they can delete your data. But disclosing that they could get to the data in the first place—that’s different. Backups don’t help you there.

Think about all the security vendors out there—all the companies whose business models are based on people trusting them. What would they lose by being embarrassed in this way? What would they lose in lost customers and revenue?

A lot more than they’d pay for the first ransom, probably. And it’d at least give them some time to formulate a PR response.

Like I said, this is probably already happening, and it just might get more popular.

Remember that a defense can be good against one attack (backups against ransom) while being weak against another (extortion through threatened disclosure and the resulting loss of trust).

Prepare for both.
