Companies that pay ransoms to cybercriminals in the hope of restoring their IT systems may risk more negative publicity than those that refuse.
Initial analysis of data obtained by the National Crime Agency (NCA) in its takedown of the LockBit ransomware group suggests that the best way to avoid bad publicity is to refuse to pay.
Max Smits, author of the book War for Ransom, gained controlled access to LockBit 3.0 data seized by the NCA during Operation Chronos, which disrupted the LockBit ransomware operation, and also studied leaked LockBit 4.0 data.
Smits compared press reports about 100 companies that paid a ransom with reports about 100 companies that refused to pay.
“It turns out you're more likely to get a story written about you if you paid than if you didn't,” he told Computer Weekly.
Smits' findings contradict claims by ransomware gangs that companies that pay money can avoid bad publicity. He calls it the Streisand effect, whereby by paying a ransom to avoid publicity, companies end up attracting the very publicity they are trying to avoid.
They're more likely to write a story about you if you've paid [a ransom] than if you didn't pay
Max Smits, ransomware expert
Law enforcement has long argued that companies should not pay ransoms because it supports the ransomware ecosystem and there is no guarantee they will get their data back.
“The data also shows that you shouldn't pay if you're afraid of public exposure either,” Smits told Computer Weekly at the Black Hat security conference in London.
The art of a bad deal
Smits' analysis also revealed how poorly prepared many organizations were to negotiate ransomware payments with LockBit's criminal affiliates.
Some companies told the criminal groups up front that they were desperate to get their data back because they had no backups, which instantly undermined their position in the negotiations.
Others tried unsuccessfully to win over the hackers by arguing that they could not afford to pay the ransom or that they were serving the local community.
Smits also discovered that some victims were sending extortion gangs copies of their insurance documents to show how much they could afford to pay.
Ransomware victims who pay money are more likely to make headlines than those who refuse
His findings suggest that companies need to be better prepared to negotiate with ransomware gangs if the worst happens.
“There is a big opportunity, especially for SMEs, to better understand how to engage with these criminals without making extreme and obvious mistakes,” he said.
LockBit's criminal affiliates follow a standard ransom negotiation pattern, which typically includes demanding an initial ransom, offering free decryption of two files, and threatening to leak data if the organizations do not pay.
Smits found that criminal gangs have so many victims that they don't spend time sifting through the data they collect to look for incriminating material that could add value to the ransom demand – they're more interested in the next victim.
If companies don't pay within a few weeks, affiliates may be inclined to assume that their victim's lack of desperation means the ransomware attack didn't cause much damage. They may then be willing to accept a smaller payment in exchange for an agreement not to publish the stolen data.
The paradox of trust
Ransomware groups like LockBit deceive and steal, but they somehow have to convince victims that they are trustworthy enough to restore their data in exchange for paying the ransom, so reputation matters.
Operation Chronos not only destroyed LockBit's infrastructure, but also destroyed its reputation, Smits' research shows.
In February 2024, an international police operation seized LockBit's servers, its administrative center, public website, and internal communications.
“The NCA not only targeted their technical infrastructure, but also tarnished their reputation by exposing lies,” he said.
For example, the group said it would ban the affiliates who attacked a children's hospital in Toronto, but did not, Smits said. LockBit also promised to delete victims' data from its servers if they agreed to pay, but often failed to do so.
When criminal gangs attempted to revive LockBit in December 2024, its reputation was irrevocably damaged.
Prior to Operation Chronos, between May 2022 and February 2022, 80 LockBit 3.0 affiliates received ransomware payments.
LockBit 4.0, an attempt to restart an extortion operation after being busted by police, received only eight extortion payments between December 2024 and April 2025, according to Smits' research.
“LockBit is so tainted that even if it can rebuild its infrastructure, it will be a shadow of its former self,” he said.
Operation Chronos could set the stage for future ransomware takedown operations, destroying not only the infrastructure but also the reputation of ransomware gangs.
Smits hopes to conduct further research into the relationship between ransom payments and negative press coverage to test his initial findings.