"Sometimes the threat actors say they have access to the data, but not actually have anything," he said.
And the problem doesn't go away once the payment is made.
"There's no way to get proof that they actually deleted the data," he said. "It all depends on the threat actor, on their emotional state."
Carmakal said that Mandiant is not prepared to release hard numbers about this kind of extortion, but said that it has seen more of these kinds of cases last year than in any previous year.
Another type of attack that is becoming increasingly prevalent is one where the target company's systems are completely destroyed.
"The victim cannot do business," Carmakal said. "It's fairly impactful to the organizations that this has happened to."
Criminals have long deleted data to cover their tracks, he added, but they tended to limit themselves to log files.
"They want to continue to steal data," he said. That means that there has to be a functioning company left behind.
"When an organization has their data wiped, it was done to embarrass the organization, cripple them, and prevent them from making money," he said. Attackers range from people who have a particular vendetta against a particular organization to nation-state actors.
Sign up for CIO Asia eNewsletters.