Salesforce says it’s refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers.
The threat group making the demands began its campaign in May, when it placed voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers offered a pretext that required the target to connect an attacker-controlled app to its Salesforce portal, giving the attackers an authorized path to the data stored there. Amazingly, but not surprisingly, many of the people who received the calls complied.
It’s becoming a real mess
The threat group behind the campaign calls itself Scattered LAPSUS$ Hunters, a mashup of the names of three prolific data-extortion actors: Scattered Spider, LAPSUS$, and ShinyHunters. Mandiant, meanwhile, tracks the group as UNC6040, because its researchers have so far been unable to positively confirm the connections to those three groups.
Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was “989.45m/~1B+.” The site called on Salesforce to begin negotiations for a ransom amount “or all your customers [sic] data will be leaked.” The site went on to say: “Nobody else will have to pay us, if you pay, Salesforce, Inc.” The site said the deadline for payment was Friday.
In an email Wednesday, a Salesforce representative said the company is spurning the demand.
“I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” the representative wrote. The confirmation came a day after Bloomberg reported that Salesforce told customers in an email that it won’t pay the ransom. The email went on to say that Salesforce had received “credible threat intelligence” indicating a group known as ShinyHunters planned to publish data stolen in the series of attacks on customers’ Salesforce portals.
The refusal comes amid a continuing explosion in the number of ransomware attacks on organizations around the world. These breaches keep occurring because of the hefty sums attackers receive in return for decrypting encrypted data and/or promising not to publish stolen data online. Global ransom payments totaled $813 million last year, down from $1.1 billion in 2023, security firm Deepstrike estimated. The group that breached drug distributor Cencora alone received a whopping $75 million in ransom payments, Bloomberg reported, citing unnamed people familiar with the matter.
Making ransomware payments has come increasingly under fire from security experts, who say the payments reward the bad actors responsible and only encourage them to pursue still more riches.
“Corporations shouldn’t be directly funding organized crime with the support of the National Crime Agency and their insurance,” independent researcher Kevin Beaumont wrote on Mastodon, referring to the UK’s National Crime Agency. “Break the cycle.”
While the NCA publicly recommends against paying ransoms, Beaumont said in an interview, multiple organizations he’s talked to report having NCA members present during ransom negotiations. On Mastodon, he warned payments pose threats to broader security.
“It’s becoming a real mess to defend against this stuff in the trenches, let me tell you,” he wrote. “I am concerned about where this is going.”