Streisand effect: Businesses that pay ransomware gangs are more likely to hit the headlines

Companies Facing Ransomware: To Pay or Not to Pay?

When it comes to dealing with ransom demands from cyber criminals, a new study suggests that paying up may lead to more negative publicity than refusing to comply. The analysis of data obtained from the takedown of the LockBit ransomware group by the National Crime Agency (NCA) points towards a potential reputation risk for companies that opt to pay the ransom.

Max Smeets, the author of the book Ransom War, had the opportunity to examine data seized from LockBit 3.0 during Operation Chronos and leaked data from LockBit 4.0. He compared how the media covered companies that paid the ransom versus those that stood their ground and refused to pay.

“You are more likely to have a story written about you if you have paid [a ransom] than if you have not paid.”

Max Smeets, ransomware expert

Ransomware gangs claim that paying the ransom helps victims avoid negative publicity. Smeets suggests it may have the opposite effect. He refers to this as the Streisand effect: paying the ransom to keep things quiet inadvertently attracts more attention to the incident.

Law enforcement agencies have long advised against paying ransom fees as it fuels the ransomware ecosystem and offers no guarantee of data retrieval. Smeets emphasizes that companies should also consider the potential impact on their public image before deciding to pay the ransom.

Navigating Ransomware Negotiations

Smeets’ analysis sheds light on how unprepared many organizations are when negotiating with criminal groups like LockBit. Some companies, out of desperation, revealed their lack of backups upfront, putting themselves at a disadvantage during negotiations.

Others attempted to gain sympathy from the hackers by citing financial constraints or their community service, which proved ineffective. The study also uncovered instances where victims shared insurance documents with ransomware gangs, revealing their financial capacity to pay.


According to Smeets, organizations need to be better prepared for such negotiations to avoid making critical mistakes. Developing a strategic approach, especially for small and medium-sized enterprises, is crucial in handling ransomware incidents effectively.

LockBit’s criminal affiliates follow a predictable pattern during ransom negotiations, involving initial demands, decryption offers, and data leakage threats if payments are not made. The study reveals that these groups prioritize finding new victims over analyzing captured data for leverage in ransom demands.

If companies delay payments, the affiliates may consider reduced settlements to prevent data exposure, indicating a potential window for negotiation.

The Importance of Trust in Ransomware Negotiations

Ransomware groups like LockBit rely on establishing trust with victims to facilitate data recovery in exchange for ransom payments, so maintaining a trustworthy image is crucial for their operations.

Operation Chronos not only dismantled LockBit’s technical infrastructure but also tarnished its credibility, as revealed by Smeets’ research. The international crackdown on LockBit in February 2024 significantly impacted its ability to regain trust from victims.

Instances where LockBit failed to honor commitments, such as promises to delete data and to uphold ethical standards, further damaged its reputation. Despite attempts to revive operations in December 2024, LockBit’s reputation remained irreversibly tainted.

Before Operation Chronos, LockBit affiliates received numerous ransom payments. After the takedown, the revived LockBit 4.0 managed only a fraction of the previous payments, signaling a significant decline in trust and reputation.

Operation Chronos serves as a model for future ransomware takedowns by not only disrupting technical infrastructure but also dismantling the reputation of criminal groups. Smeets aims to delve deeper into the correlation between ransom payments and negative media coverage for further insights.
