Salesforce says it will not negotiate or pay an extortion demand from a crime group that claims to have stolen roughly one billion records from customers using its platform.
The threat actors began their campaign in May, using voice calls to lure targets into connecting an attacker-controlled app to their Salesforce portals, according to incident responders at Mandiant.
The group, which calls itself Scattered LAPSUS$ Hunters, is tracked by Mandiant as UNC6040 because analysts have not yet confirmed a formal link among the attackers behind the different monikers. Earlier this month they published a page listing Toyota, FedEx, and 37 other Salesforce customers as victims, claiming nearly 989.45 million records were stolen and threatening to leak all data unless a ransom was paid.
Salesforce confirmed in an email on Wednesday that it would not comply with the ransom demand and that it is continuing to investigate the breach with its customers and law enforcement.
Security researchers say such extortion campaigns highlight the growing risk of social engineering and data exfiltration in the ransomware economy, noting that even large enterprises are vulnerable when attackers blend threats, phishing, and supply-chain-style compromises.