[Crosseye_Jack]

1) Entity gets hacked

2) Hackers exfiltrate data from the target (this could be source code, database dumps, employee records, emails, or any combination of the above - basically anything that could be seen that has value to the company staying private.

3) Depending on the model used, the hackers either privately or publicly informs entity they have their data and unless a payment of X if made the data will get leaked or sold to the highest bidder.

[andersa]

I don't understand how anyone would ever pay. There is nothing guaranteeing you the hackers actually destroy their copy of the data on payment, so they could just come back and ask you for another payment every few months.

Or are we really supposed to believe these criminals would follow some sort of made up honor code?

[Crosseye_Jack]

You are completely right, they are criminals there is nothing stopping them from just dumping the data anyway (or launching another attack later down the road).

However the hackers also want to get paid, as soon as they go back on their word no one else will ever pay them.

But there is another "maybe" to consider (OP did ask for a brief explanation so I didn't go into all possibilities), did they encrypt the data? If they did and entity no longer has access to it they then have two options 1) restore the data from backup (if they had them and can restore service in a reasonable amount of time) / write off any data loss 2) pay up for the keys.

[google234123]

Or… they do the extortion thing and then change the name of their group and go again without the untrustworthy baggage

[setr]

With no reputation, you’re presumably less likely to have victims pay up. You want to build reputation so you can get consistent profit from these extortions.

[dest]

Interesting game theory scenario

[setr]

I don’t know if it’s really that interesting; reputation is just a fundamental currency required to facilitate trade when it can’t be guaranteed otherwise — there is in fact an honor amongst thieves.

These arm-chair game theory arguments tend to fall apart instantly as soon as you assume multiple rounds are played.

[neffo]

> However the hackers also want to get paid, as soon as they go back on their word no one else will ever pay them.

The hackers are the real victims here

[shric]

They have an incentive to uphold their end, otherwise they will never be able to extort someone else in the future.

[andersa]

Aren't they all anonymous, though? So they could just change their name for the next operation. Maybe all these groups are already the same people behind the scenes.

[addaon]

You're missing the incentives. They /could/ change their name each operation, but then, as you note, the target would have reduced motivation to actually pay. By keeping their name, and keeping their word, customers are more likely to pay in the future, because there's a history of good faith transactions. And, of course, a group that is relying on their reputation like this must police their trademark and prevent other groups from abusing it.

[PLenz]

"Good faith" is a difficult to grasp concept when concerning people who are holding your data for ransom

[k_roy]

"good faith" == "continued future income".

There isn't any measure of morality or honor involved like you are suggesting.

[op00to]

If the criminals get a reputation for dumping data after you pay, no one will pay anymore. It’s not honor, its customer service.

[xvector]

Their business model wouldn't work if they did a double random. It's not an honor code but a common sense code.

[google234123]

Which is why it should be illegal to pay them off