The extortion campaign began in May, when the threat group made voice calls to organizations using the Salesforce platform, according to Google-owned Mandiant's June report. The English-speaking callers used pretexts to trick targets into connecting attacker-controlled apps to their Salesforce portals, with many complying.

The group, a mashup of actors including Scattered Spider, LAPSuS$, and ShinyHunters, calls itself Scattered LAPSUS$ Hunters, while Mandiant tracks it as UNC6040 due to unclear connections. Earlier this month, they launched a website naming Toyota, FedEx, and 37 other Salesforce customers as victims, claiming to have stolen '989.45m/~1B+' records. The site demanded Salesforce negotiate a ransom, stating: “Nobody else will have to pay us, if you pay, Salesforce, Inc.” It warned that failure to pay by Friday would lead to data leaks.

In a Wednesday email, a Salesforce representative confirmed: “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand.” This followed a Bloomberg report that Salesforce had informed customers of its refusal, citing “credible threat intelligence” about ShinyHunters planning to publish the stolen data.

The decision aligns with growing criticism of ransomware payments, which totaled $813 million globally last year, down from $1.1 billion in 2023, per Deepstrike estimates. One breach at drug distributor Cencora reportedly yielded $75 million in payments. Security researcher Kevin Beaumont urged: “Corporations shouldn’t be directly funding organized crime with the support of the National Crime Agency and their insurance. Break the cycle.” He noted concerns over the UK's NCA recommending against payments while allegedly being present in some negotiations, warning it complicates defenses against such threats.