
Salesforce refuses to pay a ransom in recent wave of attacks


News that Salesforce has refused to negotiate or pay a ransom in the recent wave of cyberattacks experienced by at least 39 of its customers was viewed as a double-edged sword by some security professionals.

“Salesforce's public refusal to pay the ransom sets a precedent that discourages future extortion attempts,” said MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber. “However, this strategy shifts the risk to their customers, who must now prepare for a potential data leak.”

Bloomberg first reported Oct. 7 that Salesforce emailed its customers telling them that it would not pay a ransom and said it was based on "credible threat intelligence" that indicated the threat actors planned to leak the stolen data.

Threat actors reportedly known as Scattered Lapsus$ Hunters are now trying to extort big-name companies, including FedEx, Disney, Home Depot, Marriott, Google and many others.

Damon Small, board member at Xcape, Inc, added that while companies are often tempted to pay a ransom, recent advice from law enforcement and cybersecurity experts alike warns companies to never negotiate with criminals. 

“If an organization pays once, they are likely to pay again,” said Small. “It’s difficult to ensure that all remnants of malware will be removed post-payment, so this type of shake-down will continue. Companies, particularly those with large amounts of sensitive information, need to assume that such a breach will happen eventually and prepare accordingly by performing regular security assessments and training staff to recognize fraudulent emails.”

Blackpoint Cyber’s Brown said the situation with Salesforce highlights the critical need for organizations to implement comprehensive third-party risk management, especially for SaaS providers. They also need to enhance their own incident response plans to address potential data leaks stemming from a vendor's supply chain.

“This is no longer about just preventing an attack on your own infrastructure,” said Brown. “It highlights this need for third-party risk reviews as we see continued supply chain attacks hit the headlines. Again, while this public stance demonstrates a change in commitment for other organizations to not fund criminal enterprises, it still means that the stolen data will be leaked, passing the buck of mitigation on the customers.”
