Ransom-ISAC: Streisand effect: Businesses that pay ransomware gangs are more likely to hit the headlines

LockBit Data Reveals Paying Ransoms Increases Public Exposure for Victims

An analysis of seized LockBit ransomware data suggests that companies paying ransoms face greater negative publicity than those that refuse. Max Smeets, author of Ransom War, examined data from LockBit 3.0—obtained by the UK’s National Crime Agency (NCA) during Operation Chronos—alongside leaked LockBit 4.0 records. His findings challenge ransomware gangs’ claims that payment prevents exposure.

Smeets compared media coverage of 100 companies that paid ransoms with 100 that refused, revealing that paying victims were more likely to be reported on. The phenomenon mirrors the Streisand effect, where efforts to suppress publicity backfire. Speaking at the Black Hat security conference in London, Smeets noted that law enforcement’s long-standing advice against payment—due to funding criminal operations and no guarantee of data recovery—now extends to reputational risks.

The data also exposed poor negotiation tactics by victims. Some disclosed desperation, admitting to lacking backups, while others shared insurance documents or pleaded financial hardship—moves that weakened their position. LockBit affiliates follow a predictable playbook: demanding ransoms, offering token decryption tests, and threatening data leaks. However, Smeets found they rarely analyze stolen data for leverage, prioritizing volume over tailored extortion. If victims delay payment, affiliates may settle for smaller sums to avoid prolonged negotiations.

The takedown of LockBit’s infrastructure in February 2024 provided a rare glimpse into ransomware operations, underscoring the need for better preparedness in handling extortion demands.

Source: https://www.computerweekly.com/news/366636266/Streisand-effect-Businesses-that-pay-ransomware-gangs-more-likely-to-hit-the-headlines

Ransom-ISAC cybersecurity rating report: https://www.rankiteo.com/company/ransom-isac

"id": "RAN1765563176",
"linkid": "ransom-isac",
"type": "Ransomware",
"date": "2/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'size': ['Small', 'Medium', 'Large'],
                        'type': 'Multiple organizations (100 paid, 100 '
                                'refused)'}],
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Threatened by LockBit affiliates if '
                                      'ransom not paid'},
 'description': 'Analysis of data seized from the LockBit ransomware group '
                'suggests that companies paying ransoms may face greater '
                'negative publicity than those that refuse. The study compared '
                'press reporting on 100 companies that paid ransoms with 100 '
                'that refused, finding that paying companies were more likely '
                'to be publicly reported on.',
 'impact': {'brand_reputation_impact': 'Increased negative publicity for '
                                       'companies that paid ransoms'},
 'investigation_status': 'Analysis of seized data ongoing',
 'lessons_learned': 'Companies should avoid paying ransoms to prevent negative '
                    'publicity and should be better prepared for ransomware '
                    'negotiations. Avoid revealing desperation, lack of '
                    'backups, or insurance details to attackers.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Improve ransomware '
                                                  'negotiation training, avoid '
                                                  'disclosing sensitive '
                                                  'information to attackers, '
                                                  'and follow law enforcement '
                                                  'guidance on ransom '
                                                  'payments.',
                            'root_causes': 'Lack of preparedness for '
                                           'ransomware negotiations, poor '
                                           'communication strategies with '
                                           'attackers, and misconceptions '
                                           'about avoiding publicity by paying '
                                           'ransoms.'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Threatened if ransom not paid',
                'ransom_demanded': 'Varies (initial demand, then negotiable)',
                'ransom_paid': 'Varies (100 companies paid)',
                'ransomware_strain': 'LockBit 3.0, LockBit 4.0'},
 'recommendations': ['Refuse to pay ransoms to avoid negative publicity',
                     'Improve negotiation preparedness for ransomware '
                     'incidents',
                     'Avoid disclosing sensitive information (e.g., backups, '
                     'insurance) to attackers',
                     'Follow law enforcement advice to not pay ransoms'],
 'references': [{'source': 'Computer Weekly'},
                {'source': 'National Crime Agency (NCA) Operation Chronos'},
                {'source': 'Black Hat security conference'}],
 'stakeholder_advisories': 'Law enforcement advises against paying ransoms as '
                           'it supports the ransomware ecosystem and does not '
                           'guarantee data recovery.',
 'threat_actor': 'LockBit ransomware group',
 'title': 'LockBit Ransomware Publicity Analysis',
 'type': 'Ransomware'}