Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is becoming a growing new threat to businesses vulnerable to attacks.
According to IBM’s X-Force researchers, the new tactic it is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.
Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services.