Companies that surrender to ransomware demands in the hope of quietly restoring their systems are unknowingly triggering a "Streisand effect," making them significantly more likely to attract negative press than those who refuse to pay.
The Illusion of Silence
New research spearheaded by ransomware expert Max Smeets, author of Ransom War, challenges the pervasive industry myth that paying a ransom buys silence. Analyzing data seized by the National Crime Agency (NCA) during the LockBit takedown (Operation Chronos), Smeets compared media coverage of 100 companies that paid against 100 that did not.
"It turns out that you are more likely to have a story written about you if you have paid than if you have not paid."
This counter-intuitive finding suggests that the very act of paying to avoid publicity amplifies it. Smeets likens this to the Streisand effect: the phenomenon where an attempt to hide, remove, or censor information has the unintended consequence of publicizing the information more widely.
The Broken Trust of Criminals
The research also sheds light on the complete erosion of "honor among thieves." Ransomware groups like LockBit rely on a façade of trustworthiness to convince victims to pay. They promise to decrypt files and delete stolen data. However, the internal data from Operation Chronos reveals a different reality:
- False Promises: LockBit frequently failed to honor promises, such as banning affiliates who attacked prohibited targets like children's hospitals.
- Data Retention: Even after payment, there was no guarantee that stolen data was actually deleted from the criminals' servers.
- Reputational Collapse: Following the law enforcement takedown and the exposure of their lies, LockBit's ability to command payments plummeted.
The Art of the Bad Deal
Smeets' analysis also highlighted how ill-prepared many victims are during negotiations. Some companies admitted upfront to having no backups, signaling desperation. Others sent insurance documents, inadvertently revealing exactly how much they could afford to pay.
The takeaway for businesses is stark but clear: Paying a ransom does not guarantee data recovery, nor does it prevent public exposure. In fact, it supports the criminal ecosystem and may invite the very headlines you are trying to avoid.
What Should Businesses Do?
Instead of relying on the dubious word of cybercriminals, organizations must focus on resilience:
- Robust Backups: Maintain offline, immutable backups to ensure recovery without payment.
- Don't Negotiate from Weakness: If attacked, never reveal your desperation or financial limits to the attackers.
- Refuse to Pay: The data suggests that refusing to pay is the most effective strategy to minimize long-term reputational damage.