惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
L
Lohrmann on Cybersecurity
aimingoo的专栏
aimingoo的专栏
V
V2EX
S
Security Affairs
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
J
Java Code Geeks
The Register - Security
The Register - Security
U
Unit 42
C
CERT Recently Published Vulnerability Notes
月光博客
月光博客
A
About on SuperTechFans
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
The Blog of Author Tim Ferriss
Cisco Talos Blog
Cisco Talos Blog
Project Zero
Project Zero
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
DataBreaches.Net
博客园 - 司徒正美
V
Vulnerabilities – Threatpost
T
Tor Project blog
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
小众软件
小众软件
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
A
Arctic Wolf
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
MongoDB | Blog
MongoDB | Blog
Webroot Blog
Webroot Blog
H
Hacker News: Front Page
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Black Hat Europe 2025: Reputation is currency – even in the ransomware economy
Tony Anscombe · 2025-12-11 · via WeLiveSecurity

Business Security

Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victims

11 Dec 2025  •  , 4 min. read

Black Hat Europe 2025: Reputation matters – even in the ransomware economy

Black Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Rotes titled ‘Inside the Ransomware Machine’. The talk focused on the LockBit ransomware-as-a-service (RaaS) gang and Max’s research into their practices and operations. At their height, between 2022-2024, the group had 194 affiliates, of which 110 had managed to get a cyberattack to the point of negotiation, with 80 of the affiliates succeeding in getting paid by the ransomware group. (As a reminder, the business model of ransomware is layered: ‘affiliate’ refers to the team that researches the victim’s networks and identifies and exfiltrates the sensitive data to a ransomware gang, such as LockBit.)

Reputation is everything

A key message delivered by Max was regarding reputation, both of the victim and the ransomware group. The victim company needs to uphold their reputation with their customers and any hint of a data breach can significantly damage it. Interestingly, the research showed that media coverage is greater for the companies that pay as opposed to those that don’t pay the extortion demand and face longer disruption. The presenter’s view is that the news story becomes about the payment and potentially gives the indication the victim company has lost control and needed to pay, generating distrust and damage to their brand.

As someone who has been close to the subject for several years, I disagree with this view, at least in some cases. From a purely financial perspective, paying the demand may actually be the more cost-effective solution, and there are many examples where the final costs of a cyber-incident for those that don’t pay are several times higher than those that do pay – just think back to the attacks on Caesers Palace and MGM. Companies have a responsibility to shareholders and in some cases the simplest and fastest method to recover the business and become fully operational may be to pay the ransomware extortion demand.

Meanwhile, recovery of systems can be complex, new hardware needs to be acquired, and backups need to be restored and analyzed to ensure they are clean. The ransomware decryption key unlocking the business in hours rather than days can minimize business disruption and loss of revenue. Then also factor in the influence of an insurance underwriter, who too will want to minimize their costs and take the path that minimizes any claim that may be made by the victim company.

Of course, both immediate and long-term downsides are just as obvious. The payment may buy time and cut the bill – until it doesn't. For starters, there's no guarantee that the decryption key will actually unlock the data. In addition, the victims that agree to ransom demands may be seen by attackers as worth targeting again and, ultimately, they may also inadvertently validate and reinforce ransomware as a viable ‘business model’.

The ransomware operators are also concerned about reputation – they need to be seen as trustworthy and to be known for upholding their end of any deal. When huge amounts of sensitive data is exfiltrated and held to ransom, as well as internal systems encrypted and bought to a standstill, any negotiation to unlock systems and ensure the security of the data needs to be from a trust standpoint.

If the negotiator has heard negative reviews on the ransomware group not providing decryptors or holding onto data, they may advise the victim not to pay. It’s important that when handing over the extortion payment the ransomware group delivers exactly as expected, providing the service they are being paid for in a professional manner. The real challenge for any ransomware group is not that of network access or the exfiltration of data but rather whether the victim trusts them enough to pay the extortion demand.

Interestingly, the operations by law enforcement to take down LockBit in 2024 also included a campaign to destroy trust in the gang, publicly stating that the gang goes not delete exfiltrated data but hold on to it. This distrust campaign could be enough for affiliates to take their opportunities and business to another group.

What sets the price

My takeaway from the presentation was not something the presenter stated outright – it’s about the data and reconnaissance the affiliate conducts about the company. There was a brief mention of the research and moving around a company network looking for sensitive data, including financial data that may indicate willingness to pay or an amount that would be acceptable.

This caused a lightbulb moment: the most valuable document to a cybercriminal could be the schedule detailing the company’s cyber insurance coverage. Understanding whether the company has insurance that includes paying an extortion demand and what the level of coverage is provides the cybercriminal the information on where to set the extortion demand, so that the risk becomes a financial issue not for the company, but for the insurer.

The takeaway is that the cyber insurance policy and all communication regarding the policy should be segmented with additional security, or completely air-gapped from the company network.


Let us keep you
up to date

Sign up for our newsletters