Companies that pay ransom demands to cyber criminals in the hope of restoring their IT systems may be exposed to more negative publicity than those that refuse.
An initial analysis of data seized by the National Crime Agency (NCA) in the takedown of the LockBit ransomware group suggests that the best way to avoid bad publicity may be to refuse to pay.
Max Smeets, author of the book Ransom War, was given supervised access to data on LockBit 3.0 seized by the NCA during Operation Chronos, which took down the LockBit ransomware operation, and examined leaked data from LockBit 4.0.
Smeets compared press reporting on 100 companies that paid ransoms with reporting on 100 companies that refused to pay.
“It seems that you’re more likely to have a story written about you if you have paid than if you have not paid,” he said in an interview with Computer Weekly.
Smeets’ conclusions fly in the face of claims by criminal ransomware gangs that companies that pay up can avoid bad publicity. He calls it the Streisand effect, whereby in paying a ransom to avoid publicity, companies end up attracting the very publicity they are trying to avoid.
Law enforcement has long argued that companies should not pay ransom fees because it fuels the ransomware ecosystem and there is no guarantee that they will get their data back.
“What the data also suggests is that you also shouldn’t pay if you are afraid of public exposure,” said Smeets, speaking to Computer Weekly at the Black Hat security conference in London.
The art of the bad deal
Smeets’ analysis also revealed just how ill-prepared many organisations were when negotiating ransomware payments with LockBit’s criminal affiliates.
Some companies told crime gangs upfront that they were desperate to get their data back as they had no backups, putting them immediately on the back foot in negotiations.
Others tried unsuccessfully to win sympathy from the hackers by claiming that they could not afford to pay the ransom, or that they served the local community.
Smeets also found that some victims had sent ransomware gangs copies of their insurance documents to show how much they could afford to pay.
His findings show that companies need to be better prepared for ransomware negotiations if the worst happens.
“There is a major opportunity, especially for small and medium-sized enterprises, to become better at understanding how to engage with these criminals without making extreme and obvious mistakes,” he said.
LockBit’s criminal affiliates follow a standard playbook for negotiating ransom payments, which typically involves demanding an initial ransom, offering to decrypt two files for free, and threatening to leak data if organisations do not pay up.
Smeets found that the criminal groups have so many victims that they do not spend time analysing the data they seize to look for compromising material that could push up the price of a ransom demand; they are more interested in the next victim.
If companies do not pay up within a few weeks, affiliates may be inclined to assume that their victim’s lack of desperation could mean the ransomware attack did not cause much damage. They may be willing to accept smaller payments in return for an agreement not to publish the stolen data.
The trust paradox
Ransomware groups like LockBit deceive and steal, but somehow need to convince victims that they are trustworthy enough to restore their data in return for a ransom payment, so reputation matters.
Operation Chronos not only destroyed LockBit’s infrastructure, but also destroyed its reputation, Smeets’ research shows.
In February 2024, the international police operation seized LockBit’s servers, its administrative hub, its public-facing website and its internal communications.
“The NCA not only went after their technical infrastructure, but also tarnished their reputation by disclosing their lies,” he said.
For example, the group said it would ban the affiliates that hit a children’s hospital in Toronto; it did not, said Smeets. LockBit also promised to delete victims’ data from its servers if they agreed to pay, but often did not.
When criminal gangs tried to revive LockBit in December 2024, its reputation had been irretrievably damaged.
Before Operation Chronos, between May 2022 and February 2022, 80 affiliates of LockBit 3.0 received ransomware payments.
LockBit 4.0, an attempt to resurrect the ransomware operation after the police takedown, received only eight ransomware payments between December 2024 and April 2025, according to Smeets’ research.
“LockBit is so tarnished that even if it can put up its infrastructure again, it is a shadow of its former self,” he said.
Operation Chronos could form a blueprint for future ransomware takedowns by destroying not just the infrastructure but also the reputations of ransomware gangs.
Smeets hopes to conduct further research into the relationship between paying ransoms and negative press coverage to test his initial findings.