It’s tax season where I live in Canada—that small window of time in which personal and, in some cases, corporate tax returns are due to be filed. For many, the process is daunting enough to justify hiring a professional. After all, you trust that they’ll complete and submit your paperwork accurately and on time.
Imagine a few months later receiving notice from the government that your taxes are overdue, and that you’re subject to interest and late payment fees. Your confusion turns to panic as you discover that the money you thought went to taxes is gone, and the accountant, long since paid, is no longer returning calls.
It turns out the accountant embezzled funds from many clients, including you, before skipping town. Had you known of their criminal intent in advance, you wouldn’t have hired them in the first place, and certainly not paid them, right?
In the world of cybercrime, individuals and organizations regularly pay criminals with similarly distressing outcomes. To be fair, some victims do get their data back and eventually resume normal operations. But despite all of the assurances and guarantees ransomware groups may offer, there is no reliable way to confirm that exfiltrated data has actually been deleted, and therefore no way to rule out its future misuse.
At issue is the fact that the ransomware criminals try to balance two opposing objectives:
- They want to establish a reputation of credibility to give victims some assurance, however modest, that the promises made during ransom negotiations will be honored. This reputation, or brand, also helps to attract the most productive affiliates—those groups or individuals who identify, breach and compromise the data of victims on behalf of the ransomware groups.
- Being financially motivated, they also want to maximize the revenue they extract from victims. After a ransom demand is paid, stolen data still has value for targeting the individuals or companies whose details it contains. Money can be made by extorting these new victims, running fraudulent fund transfer schemes against them, or launching targeted phishing campaigns.
When faced with the unenviable position of negotiating with cyber criminals, victims are best served by being informed about how criminals behave rather than what they promise. Let’s look at a couple of recent examples to illustrate the risks involved.
LockBit
LockBit is one of the most successful ransomware groups ever, with revenues possibly topping $1 billion. Such criminal success tends to attract the attention of international law enforcement, and throughout 2024 there was a concerted effort to identify those behind the group and take down their infrastructure.
A significant win came on February 20, 2024, when Operation Cronos, a taskforce led by the UK’s National Crime Agency (NCA) together with the FBI and law enforcement agencies from nine other countries, seized LockBit’s infrastructure. The action included the naming of hundreds of LockBit affiliates, which diminished LockBit’s credibility with its affiliates and no doubt made many of them very nervous, fearful that law enforcement might soon come knocking.
An intriguing game of cat and mouse followed, culminating in May when the taskforce publicly identified Dmitry Khoroshev as LockBit’s administrator and lead developer. Perhaps more importantly, they also confirmed that LockBit did not routinely delete stolen data after ransom payments were made.
With this revelation in mind, victims must ask themselves: why negotiate and pay a ransom when ransomware groups don’t keep their end of the bargain? LockBit is surely not the only group that fails to honor its promises.
PowerSchool
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. In early January 2025, the company announced it had been hacked—compromising student records from over 6,500 school districts across the U.S., Canada, and other countries.
Fear not, we were told—PowerSchool had brought in experts to negotiate with the attackers, paid the ransom, and even received assurances (video evidence, no less!) that the stolen student data had been deleted.
But not all stories have happy endings—and trusting cybercriminals to keep their word is, at best, naïve. In fact, agencies like the FBI and CISA explicitly advise against paying ransoms. Sure enough, just months after the ransom was paid, the Toronto District School Board found itself being extorted. In a May 7, 2025 release, PowerSchool confirmed that the very same data—supposedly deleted—was being used again to extort multiple school districts.
Why paying doesn’t pay
There are many reasons to question whether paying an extortion demand is the right thing to do. The money funds criminal R&D, producing ever more sophisticated attacks that in some cases can even put lives at risk. Paying a ransom to recover stolen data is fraught with ethical and possibly legal issues (for example, where the recipient turns out to be a sanctioned entity). But perhaps the most fundamental issue is this: criminals aren’t trustworthy. Once the money is transferred, there’s no guarantee they’ll honor any promise made during negotiations.
Final thought
In the heat of a crisis, paying a ransom can seem like the quickest path to resolution. But as the PowerSchool incident shows, handing over money to criminals doesn’t guarantee the protection of your data—or that of your students, customers, or employees.
Now is the time to assess your cyber defenses. Investing in prevention may spare you the agony of deciding whether or not to pay an extortion demand in the future. Because just like you wouldn’t knowingly hire a crooked accountant, you shouldn’t put your trust—or your money—in the hands of cybercriminals.