Black Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Routes titled ‘Inside the Ransomware Machine’. The talk focused on the LockBit ransomware-as-a-service (RaaS) gang and Max’s research into its practices and operations. At its height, between 2022 and 2024, the group had 194 affiliates, of which 110 managed to take an attack as far as negotiation, and 80 actually secured a payment. (As a reminder, the ransomware business model is layered: the ‘affiliate’ is the crew that breaks into the victim’s network, finds and exfiltrates the sensitive data and deploys the encryptor supplied by the RaaS operator, in this case LockBit, in return for a share of any ransom paid.)
Reputation is everything
A key message delivered by Max concerned reputation, both the victim’s and the ransomware group’s. The victim company needs to uphold its reputation with its customers, and any hint of a data breach can significantly damage it. Interestingly, the research showed that media coverage is greater for companies that pay than for those that refuse the extortion demand and face longer disruption. The presenter’s view is that the news story becomes the payment itself, signalling that the victim lost control and had to pay, which generates distrust and damages the brand.
As someone who has been close to the subject for several years, I disagree with this view, at least in some cases. From a purely financial perspective, paying the demand may actually be the more cost-effective solution, and there are many examples where the final cost of a cyber-incident for those that don’t pay is several times higher than for those that do – just think back to the attacks on Caesars Entertainment and MGM Resorts. Companies have a responsibility to shareholders, and in some cases the simplest and fastest way to recover the business and become fully operational may be to pay the extortion demand.
Meanwhile, recovery of systems can be complex: new hardware may need to be acquired, and backups need to be restored and analyzed to ensure they are clean. A decryption key that unlocks the business in hours rather than days can minimize disruption and loss of revenue. Then factor in the influence of the insurance underwriter, who also wants to minimize costs and will favour whichever path keeps any claim by the victim company as small as possible.
Of course, the immediate and long-term downsides are just as obvious. Payment may buy time and cut the bill, until it doesn’t. For starters, there is no guarantee that the decryptor will actually recover the data. In addition, victims that pay may be seen by attackers as worth targeting again and, ultimately, they may also inadvertently validate and reinforce ransomware as a viable ‘business model’.
The ransomware operators are also concerned about reputation: they need to be seen as trustworthy and known for upholding their end of any deal. When huge amounts of sensitive data are exfiltrated and held to ransom, and internal systems are encrypted and brought to a standstill, any negotiation to restore the systems and secure the data rests entirely on trust.
If the negotiator has heard negative reports of the group failing to provide working decryptors or holding on to stolen data, they may advise the victim not to pay. So once the extortion payment is handed over, the group must deliver exactly as promised, providing the service it is being paid for in a professional manner. The real challenge for any ransomware group is not gaining network access or exfiltrating data, but whether the victim trusts them enough to pay.
Interestingly, the law enforcement operation that took down LockBit in 2024 (Operation Cronos) also included a campaign to destroy trust in the gang, publicly stating that the group does not delete exfiltrated data after payment but holds on to it. A distrust campaign like this could be enough for affiliates to take their skills and business to another group.
What sets the price
My takeaway from the presentation was not something the presenter stated outright; it concerns the data and reconnaissance the affiliate gathers about the company. There was a brief mention of affiliates moving around a company network looking for sensitive data, including financial records that may indicate willingness to pay, or the amount that would be acceptable.
This caused a lightbulb moment: the most valuable document to a cybercriminal could be the schedule detailing the company’s cyber insurance coverage. Knowing whether the company has a policy that covers extortion payments, and what the coverage limit is, tells the cybercriminal exactly where to set the demand, so that the risk becomes a financial issue not for the company but for the insurer.
The takeaway is that the cyber insurance policy, and all communication about it, should be segmented behind additional security or kept completely off the company network. In practice that means keeping the policy document and broker correspondence out of general file shares and mailboxes, restricting it to a small named group, and logging access to it, so that an intruder reading it stands out rather than blending in with routine file access.