Full Report
We have probably all read recommendations that cyberattack victims should not pay ransom demands because it encourages more crime, and because criminals can’t be trusted to delete data they promise to delete. But what evidence have we seen supporting a claim that criminals default on data deletion? Law enforcement made a point of reporting that...
Analysis Summary
# Incident Report: Analysis of Threat Actor Ransomware Deletion Promises
## Executive Summary
This report analyzes the veracity of threat actor (TA) claims regarding data deletion following ransom payments. Law enforcement, specifically the FBI, maintains that victims should never pay because there is no guarantee of deletion. Industry data from incident response firms suggests that TAs who are paid "very rarely" default on deletion, though residual copies on intermediary servers and the logs those servers retain pose a lingering risk.
## Incident Details
- **Discovery Date:** April 5, 2026 (Date of published analysis)
- **Incident Date:** 2024–2025 (Period covering analyzed data)
- **Affected Organization:** Multiple (1,250 clients represented by BakerHostetler)
- **Sector:** Cross-sector (including Healthcare, Legal, and Finance)
- **Geography:** Global (Emphasis on North America and EU)
## Timeline of Events
### Initial Access
- **Date/Time:** 2025 (General timeframe for BakerHostetler report data)
- **Vector:** Ransomware-as-a-Service (RaaS) affiliates.
- **Details:** Access typically gained via phishing, stolen credentials, or unpatched vulnerabilities.
### Lateral Movement
- TAs move through internal networks to identify high-value sensitive data repositories for exfiltration.
### Data Exfiltration/Impact
- **Exfiltration:** Massive data egress used for double extortion. Groups like Scattered Spider, SLSH, and ShinyHunters are noted for leaving data on "intermediary" servers even if primary servers are cleared.
### Detection & Response
- **Detection:** Ransom notes or internal monitoring.
- **Response:** 34% of victims (in BakerHostetler’s study) opted to pay the ransom, primarily motivated by the desire for data deletion rather than just decryption.
## Attack Methodology
- **Initial Access:** RaaS affiliates (Phishing, RDP compromise).
- **Persistence:** Maintaining access through backdoors in intermediary servers.
- **Privilege Escalation:** Domain Admin exploitation to access sensitive file shares.
- **Defense Evasion:** Use of legitimate tools for exfiltration.
- **Credential Access:** Stolen account credentials via infostealers.
- **Discovery:** Scanning for PII/PHI datasets.
- **Lateral Movement:** Movement across servers to maximize leverage.
- **Collection:** Staging data on non-primary backend servers.
- **Exfiltration:** Data transferred through a chain of intermediaries.
- **Impact:** Encryption and/or threat of public leak (Double Extortion).
## Impact Assessment
- **Financial:** Multi-million dollar ransom payments in many instances.
- **Data Breach:** Exposure of PII, PHI, and trade secrets.
- **Operational:** Business downtime for those without functional backups.
- **Reputational:** High risk of brand damage upon data publication.
## Indicators of Compromise
- **Network indicators:** Connections to known RaaS backend infrastructure (e.g., LockBit, Scattered Spider).
- **File indicators:** `.lockbit` or similar encrypted extensions; ransom note artifacts.
- **Behavioral indicators:** Large outbound data transfers to cloud storage providers (Mega[.]nz, etc.).
## Response Actions
- **Containment measures:** Isolation of infected hosts and revocation of compromised credentials.
- **Eradication steps:** Clearing malware and identifying persistence mechanisms.
- **Recovery actions:** Decryption and restoration from backups; legal and forensic analysis of the "proof of deletion."
## Lessons Learned
- **The "Middle-Man" Risk:** Even if a TA deletes data from their primary dashboard, copies often remain on intermediary servers or with affiliates who may not follow the main group's protocol.
- **Verification is Impossible:** There is no technical way to prove data has been deleted with 100% certainty; it is a trust-based transaction with criminals.
- **Policy Divergence:** Official government policy (FBI) and private sector experience (BakerHostetler) differ on the actual frequency of TAs defaulting on deletion promises.
## Recommendations
- **Adopt a "Zero-Trust" Approach to Deletion:** Assume that once data is exfiltrated, it is permanently compromised, regardless of payment.
- **Prioritize Encryption at Rest:** Ensure sensitive data is useless even if exfiltrated; this only holds when the keys are managed outside the reach of the compromised accounts, since an actor with Domain Admin access can otherwise read the data through the live system.
- **Robust Monitoring:** Focus on egress filtering to prevent the "Double Extortion" phase before it completes.
- **Legal Preparedness:** Consult with incident response firms that have historical data on specific TA groups to gauge the likelihood of a "default" before deciding to pay.
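The behavioral indicator above (large outbound transfers to cloud storage providers) and the egress-monitoring recommendation both amount to the same detection: per-host outbound byte counts to a watchlist of file-sharing domains, plus a total-egress threshold. The following is an added example, not code from the report or from any of the firms it cites. The log format, the watchlist of storage domains, the thresholds and the log lines are all constructed assumptions for illustration; in practice the watchlist and thresholds come from your own proxy or NetFlow baseline.

```python
"""Egress detection over constructed proxy log lines (added example).

Flags hosts whose outbound volume to watchlisted file-sharing domains
exceeds a threshold, and hosts whose total egress in the window exceeds
a second threshold. Domains, thresholds and log lines are assumptions.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple

# Assumed watchlist of file-sharing / cloud-storage domains (constructed).
STORAGE_DOMAINS = {"mega.nz", "mega.co.nz", "anonfiles.com", "file.io"}

# Constructed proxy log lines: timestamp src_host dst_domain bytes_out
SAMPLE_LOG = """\
2025-06-01T02:10:11Z ws-0142 mega.nz 734003200
2025-06-01T02:12:45Z ws-0142 mega.nz 812000000
2025-06-01T02:15:02Z ws-0077 office.example-cdn.net 5120
2025-06-01T02:16:30Z srv-file01 mega.nz 45000000
2025-06-01T02:20:00Z ws-0142 login.example.com 2048
2025-06-01T02:21:13Z ws-0099 file.io 1200000
"""

Record = Tuple[str, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse whitespace-separated proxy lines; malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, domain, nbytes = parts
        try:
            records.append((ts, host, domain.lower(), int(nbytes)))
        except ValueError:
            continue
    return records


def domain_matches(domain: str, watchlist: Iterable[str]) -> bool:
    """True if domain is a watchlisted domain or a subdomain of one."""
    return any(domain == w or domain.endswith("." + w) for w in watchlist)


def detect_egress(records: List[Record],
                  storage_threshold: int = 100 * 1024 * 1024,   # 100 MiB
                  total_threshold: int = 1024 ** 3              # 1 GiB
                  ) -> List[Tuple[str, str, int]]:
    """Return alerts as (host, reason, bytes), sorted by host within reason.

    reason "storage_egress": bytes to watchlisted domains >= storage_threshold
    reason "volume":         total outbound bytes >= total_threshold
    """
    to_storage = defaultdict(int)
    total = defaultdict(int)
    for _, host, domain, nbytes in records:
        total[host] += nbytes
        if domain_matches(domain, STORAGE_DOMAINS):
            to_storage[host] += nbytes

    alerts: List[Tuple[str, str, int]] = []
    for host, b in sorted(to_storage.items()):
        if b >= storage_threshold:
            alerts.append((host, "storage_egress", b))
    for host, b in sorted(total.items()):
        if b >= total_threshold:
            alerts.append((host, "volume", b))
    return alerts


if __name__ == "__main__":
    for host, reason, nbytes in detect_egress(parse_log(SAMPLE_LOG)):
        print(f"ALERT host={host} reason={reason} bytes={nbytes}")
```

On the constructed sample, only `ws-0142` trips both rules (about 1.5 GB to `mega.nz` in ten minutes); `srv-file01` also talks to the same domain but stays under the 100 MiB threshold, which is the point of pairing a domain watchlist with a volume baseline rather than alerting on the domain alone. A real deployment would run this per time window and compare against each host's historical egress rather than a single fixed threshold.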