08 Oct
The Hackers Don’t Want Your Money — They Want Your Business Model
The Vault Becomes Hostage: Ransomware, Extortion & the New Risk Frontier
In October 2025, Salesforce made headlines by telling its clients unequivocally: “We will not pay hackers.” (Bloomberg) The declaration followed a dramatic extortion campaign by a hacking coalition calling themselves Scattered LAPSUS$ Hunters, which claimed to have seized nearly one billion Salesforce records across dozens of customer instances. (BankInfoSecurity, Reuters, TechCrunch)
Suddenly, the question isn’t if your data might be attacked — it’s who foots the bill, what’s exposed, and how do you recover in a world built on sharing.
Here’s a deeper look.
The Salesforce Case: Anatomy of a New Kind of Attack
What Happened (Or at Least, What the Hackers Claim)
- The hackers launched a data leak site listing 39 organizations, claiming data stolen from their Salesforce-hosted CRM instances. (UpGuard, Help Net Security, BankInfoSecurity)
- They publicly demanded a ransom from Salesforce itself — not just from downstream victims — threatening to release data if the company didn’t negotiate. (SecurityWeek, BankInfoSecurity)
- The extortion demand rose to ~$989 million according to some reports. (Computing, BankInfoSecurity)
- Salesforce has denied that its platform was compromised and refused to pay. (UpGuard, Bloomberg, Capacity)
- Some of the attacks appear tied to social engineering / voice phishing (vishing) — attackers posing as internal staff to gain credentials. (Hackread, Salesforce Ben, Cybernews)
- Google confirmed that one of its Salesforce instances was breached in this campaign, attributing the attack to UNC6040 / ShinyHunters. (Salesforce Ben, SecurityWeek, TechCrunch)
Why It’s Dangerous
- Double extortion is table stakes now: attackers encrypt or exfiltrate data and then threaten to publish it.
- The supply chain is the battleground: because so many companies depend on shared platforms (CRM, cloud, SaaS), vulnerabilities cascade.
- Ransom → reputation & legal risk: paying may unlock data, but it also signals weakness and invites copycats. Refusing may escalate public exposure.
- Attribution and negotiation complexity: when multiple hacker groups collaborate, it becomes harder to pin down identities, understand motives, or negotiate credibly.
Other Cases You Should Know
Change Healthcare / ALPHV-Blackcat
In early 2024, Change Healthcare — part of UnitedHealth’s tech infrastructure — confirmed a ransomware breach. The ALPHV / Blackcat group claimed to have exfiltrated 4 terabytes of data. Change Healthcare reportedly paid ~$22 million. (The HIPAA Journal)
But paying didn’t guarantee deletion. The hackers reportedly engaged in an exit scam — claiming to delete while retaining copies. (The HIPAA Journal)
Ingram Micro (SafePay Ransomware)
In mid-2025, Ingram Micro — a major global IT distributor — suffered a ransomware disruption attributed to SafePay. Systems were taken offline; partners and customers faced supply chain delays. (PKWARE)
Lee Enterprises (Qilin Ransomware)
Lee Enterprises, a publishing group, saw a breach that exposed ~40,000 Social Security numbers, caused operational disruption, and spurred costs in recovery and public trust. (CM Alliance)
Others & Trends
- The Knights of Old transportation firm (UK) collapsed after a ransomware attack centered on a simple guessed password. (Tom’s Hardware)
- Ransomware groups are forming alliances (LockBit, Qilin, DragonForce) to share infrastructure and amplify reach. (The Hacker News)
- Exploits against cloud services (e.g. Oracle E-Business Suite, GoAnywhere MFT) are increasingly used as pivot points. (BleepingComputer)
What This Means for Companies in a Hyper-Connected World
1. The Threat Envelope Has Grown
No organization is an island. Whether it’s a CRM, ERP, cloud storage, or API partner, exposure multiplies with every integration. A vulnerability in one node can compromise many.
2. Paying Is Not a Panacea — It’s a Tactical Gamble
Payment may get a decryption key or delay a data leak — but it may also encourage further demands or future attacks. Some victims never recover the full trust or data.
3. Security Must Be Baked In, Not Bolted On
Too many defenses still assume perimeter-based protection. The new reality demands:
- Zero trust architectures
- Rigorous identity & access controls
- Least privilege segmentation
- Real-time monitoring & threat detection
- Red team / adversarial testing
- Incident playbooks, legal readiness, and crisis communication plans
4. Transparency & Resilience Become Differentiators
In breach events, how a company responds — speed, candor, mitigation — becomes part of its brand equity.
5. Culture & Training Matter — Especially Against Social Engineering
Many of these breaches begin with a voice call, phishing email, or credential pivot. Human error is still the path of least resistance.
M2 Take: The Shared Infrastructure Is Now the Attack Surface
We live in an era of “platform interdependence” — the digital scaffolding that enables flexibility is also what attackers exploit. That means:
- The question is no longer if you’ll face a breach, but when and how you will respond.
- Strategic advantage will shift toward organizations that anticipate breach dynamics, contain damage, and preserve trust — not those that hide from risk.
- Relationship maps matter: vendors, SaaS partners, contractors — every node must be secured or accounted for.
- Investments in resilience, identity, forensic readiness, and narrative control are now baseline requirements.
- Finally — and perhaps most importantly — data is no longer just an asset. In the wrong hands, it’s a liability. The ability to engineer “safe failure” (i.e. isolating parts, minimizing exposure, rapidly recovering) may become your greatest competitive strength.
In short: the vault is under siege. The fight is no longer behind walls or firewalls — it’s in identity, behavior, trust, and how fast you move when the lights go out.
