The good news about cyber criminals who go in for extortion is that they also tend to be liars. The bad news -- they're extremely difficult to catch.
Wade Woolwine, manager of strategic services at Rapid7, has dealt with his share of blackmailers who steal sensitive data from enterprises and then hold it for ransom.
Companies call in Rapid7 to help them figure out whether the blackmailers do, in fact, have the data they claim to have, to learn how they got into the system and to get them out, and to figure out how to deal with the blackmail itself.
Woolwine said that he's worked on under a hundred of these cases.
About a quarter of the time, the customer caves in and pays the ransom, typically between $10,000 and $25,000.
In return, the blackmailers promise to delete the data they stole.
Of course, there's no guarantee that the blackmailers will actually do that.
"There's the rub," Woolwine said. "They may not delete it. That's why the advice we give to customers is to not deal with attackers. Reach out to law enforcement and reach out to an incident response firm."
The other three quarters of the victims don't pay up. Some investigate first, and decide that the hackers don't actually have the data that they claim to have. Others just decide not to deal with the criminals.
Plus, if it's personally identifiable information that gets stolen, it still counts as a data breach whether a company pays up or not. No regulator is going to take a criminal's word for it that they've deleted the data.
In either case, the blackmailers haven't followed through with their promises to expose the data.
"In the particular cases we've investigated, it's been an empty threat," Woolwine said.
One reason could be that the data these guys go after -- trade secrets, source code, and intellectual property -- is too hard to fence.
Or it could be that it's just not worth their time.
"They tend to move on to the next victim," said Woolwine. "They're trying to find the most defenseless victim to go after and the victims are out there right for the picking."
Given their high success rate and the high ransom amount, even information like Social Security numbers, which has a ready market, isn't worth the effort.
"It's getting to the point where selling personally identifiable information on the open market is not as lucrative," he said.
Meanwhile, although he advises enterprises to call in the authorities when they're hit with an extortion attempt, he admits that it rarely does any good.
"They get caught approximately zero percent of the time," he said. "They are very cunning and they are typically in countries where the U.S. does not have extradition treaties or else they hide very well."