The recent extortion attempt targeting Salesforce by the Scattered Spider group represents a new threat model: ransomware that not only seeks to encrypt data but also damage an organization’s reputation. The group claims to have gained access to the company’s systems and posted a message with a deadline (October 10) for a ransom payment. However, Salesforce has denied any direct intrusion, emphasizing that its core infrastructure remains secure.
These types of incidents confirm what we have already seen in other cases such as the ransomware attack on the NHS or the airline ransomware: Cybercriminals seek both financial gain and media impact.
In this a debate among LinkedIn experts analyzes how Salesforce has managed communication and how transparency can be key in the face of public pressure.
A modern, hybrid and media extortion
Groups like Scattered Spider no longer rely exclusively on encryption. They operate under a hybrid model that combines leaks, blackmail, and narrative manipulation.
They publish company names, alleged evidence of data theft, or even fake timelines to lend credibility to the threat. In the Salesforce case, the attackers claim to have had prior contact since July 2025, constructing a coherent, though unverified, narrative.
These strategies resemble what has already been observed in incidents such as the ransomware and rail transport, where criminals combine social engineering tactics with online disinformation campaigns.
Psychology, AI, and manipulation: the new front for ransomware
The note addressed to Salesforce demonstrates a deep understanding of the human factor: dates, personalized messages, and corporate language.
Extortion becomes more credible when presented as a previous conversation or incident.
This phenomenon is enhanced with the arrival of AI in cybersecurity: Attackers use artificial intelligence to compose more realistic messages, mimic voices, or generate fake documents.
Crisis management and corporate reputation
Reputational damage occurs even without confirmation of the breach. A simple mention on a leak site can be enough to trigger a reaction from the media and investors.
Therefore, companies must incorporate strategies for Crisis Management and digital communication for your cybersecurity plans.
Salesforce’s response—denying the compromise, reaffirming security, and constantly communicating—is an example of how to contain the impact and prevent misinformation.
This coordination between cybersecurity, legal, and communications has also been seen in other ransomware success stories, where public reaction made the difference between a crisis and a reputational recovery.
To reinforce your preparation, we recommend exploring the HelpRansomware’s anti-ransomware guides and resources, including guidelines on prevention, response, and digital reputation management.
Immediate Ransomware Help
Don’t let ransomware hold your business hostage. Our experts are ready to recover your data and secure your systems.
Lessons from the Salesforce case
- Ransomware no longer just encrypts data – it now also hijacks public trust.
- AI amplifies the reach and credibility of threats.
- Reputation has become the new battlefield.
- Responding with evidence, not fear, is key to maintaining credibility.
If your organization is facing a threat, review our guide on what to do if a ransomware attack has encrypted your data, with clear steps to act quickly and effectively.
