Will Salesforce pay ransomware?

DarkReading.com reported that “After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met.” The October 3, 2025 article, titled “Scattered Lapsus$ Hunters Returns With Salesforce Leak Site” (www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hunters-returns-salesforce-leak-site), included these comments:

Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups, which first emerged over the summer in a public Telegram channel. However, just a few weeks later, the collective published a goodbye letter on Telegram and the Dark Web marketplace BreachForums, saying the three groups, as well as other threat actors, had "decided to go dark."

But Scattered Lapsus$ Hunters burst back into the limelight this week with a Dark Web leak site devoted to the recent spate of Salesforce data thefts; one of the two distinct campaigns targeting Salesforce environments recently has been attributed to a threat group tracked by Google as UNC6040, which has claimed to be ShinyHunters in its extortion attempts.

According to Google, UNC6040 actors used vishing calls to convince IT support personnel at targeted organizations to grant them access to or credentials for the organizations' Salesforce environments. Mandiant researchers this week said the threat actors have impersonated third-party vendors in the vishing calls and had also targeted users in victim organizations with elevated access to other SaaS applications.

What do you think?
