Companies that pay ransom demands to cyber criminals in the hope of restoring their IT systems may be at risk of greater negative publicity than those that refuse.
An initial analysis of data seized by the National Crime Agency (NCA) in the takedown of the LockBit ransomware group suggests that the best way to avoid bad publicity may be to refuse to pay up.
Max Smeets, author of the book Ransom War, was given supervised access to data on LockBit 3.0 seized by the NCA during Operation Chronos, which took down the LockBit ransomware operation, and examined leaked data from LockBit 4.0.
Smeets compared press reporting of 100 companies that paid ransomware with reporting on 100 companies that refused to pay.
“It turns out that you are more likely to have a story written about you if you have paid than if you have not paid,” he said in an interview with Computer Weekly.
Smeets’ conclusions fly in the face of claims by criminal ransomware gangs that companies that pay up can avoid bad publicity. He calls it the Streisand effect, whereby in paying a ransom to avoid publicity, companies end up attracting the very publicity they are trying to avoid.
You are more likely to have a story written about you if you have paid [a ransom] than if you have not paid Max Smeets, ransomware expert
Law enforcement has long argued that companies should not pay ransom fees because it supports the ransomware ecosystem and there is no guarantee that they will get their data back.
“What the data also suggests is that you also shouldn’t pay if you are afraid of public exposure,” said Smeets, speaking to Computer Weekly at the Black Hat security conference in London.
The art of the bad deal
Smeets’ analysis also revealed just how ill-prepared many organisations were when negotiating ransomware payments with LockBit’s criminal affiliates.
Some companies told crime gangs upfront that they were desperate to get their data back as they had no backups, putting them instantly on the back foot in negotiations.
Others tried unsuccessfully to win sympathy with the hackers by claiming that they couldn’t afford to pay the ransom, or that they served the local community.
Smeets also found that some victims had sent ransomware gangs copies of their insurance documents to show how much they could afford to pay.
Ransomware victims that pay up are more likely to hit the headlines than those that refuse
His findings show that companies need to be better prepared for ransomware negotiations if the worst happens.
“There is a major opportunity, especially for small and medium-sized enterprises, to become better in understanding how to engage with these criminals without making extreme and obvious mistakes,” he said.
LockBit’s criminal affiliates follow a standard playbook for negotiating ransom payments, which typically involves demanding an initial ransom, offering to decrypt two files for free, and threatening to leak data if organisations don’t pay up.
Smeets found that the criminal groups have so many victims that they don’t spend time analysing the data they capture to look for compromising material that could push up the value of a ransom demand – they are more interested in the next victim.
If companies don’t pay up within a few weeks, affiliates may be inclined to assume that their victim’s lack of desperation may mean their ransomware attack did not cause much damage. They may be willing to accept smaller payments in return for an agreement not to publish the hacked data.
The trust paradox
Ransomware groups like LockBit deceive and steal, but somehow have to convince victims that they are trustworthy enough to restore their data in return for a ransomware payment, so reputation matters.
Operation Chronos not only destroyed the infrastructure of LockBit, but also destroyed its reputation, Smeets’ research shows.
In February 2024, the international police operation seized LockBit’s servers, its administrative hub, its public-facing website and its internal communications.
“The NCA not only went after their technical infrastructure, but also tarnished their reputation by disclosing their lies,” he said.
For example, the group said it would ban the affiliates that hit a children’s hospital in Toronto – it didn’t, said Smeets. LockBit also promised to delete victims’ data from its servers if they agreed to pay, but often didn’t.
When criminal gangs attempted to revive LockBit in December 2024, its reputation had been irretrievably damaged.
Before Operation Chronos, between May 2022 and February 2022, 80 affiliates of LockBit 3.0 received ransomware payments.
LockBit 4.0, an attempt to resurrect the ransomware operation after the police take-down, only received eight ransomware payments between December 2024 and April 2025, according to Smeets’ research.
“LockBit is so tarnished that even if it can put up its infrastructure again, it’s a shadow of its former self,” he said.
Operation Chronos could form a blueprint for future ransomware takedowns by destroying not just the infrastructure but also the reputations of ransomware gangs.
Smeets hopes to conduct further research into the relationship between paying ransoms and negative press coverage to test his initial findings.
Financial services firms, content providers, neocloud companies and hyperscalers are all claimed to be among the primary beneficiaries of a digital infrastructure from Colt Technology Services linking the US West Coast to Asia.
The announcement marks the latest phase of the global digital infrastructure company’s global network expansion, and the investment it made in the infrastructure is said to support customers’ international growth strategies and include a transpacific subsea cable route linking the US and Japan.
Colt says the expansion elevates it from its position as the largest European B2B fibre provider to one of the largest in the world, reinforcing its role as a key player in the global digital infrastructure market.
The enhanced infrastructure is seen by Colt as strengthening its network resilience for organisations – by delivering secure, high‑performance backup and routing options for mission‑critical applications. Congested networks mean lags, delays and service interruptions – expensive setbacks which stall progress.
Colt’s network investment is designed to directly addresses surging demand driven by AI traffic. The infrastructure is attributed with giving customers greater choice of offerings, performance and cost, especially for busy transpacific routes already under pressure from rising traffic volumes.
As part of the investment, Colt will deliver a transpacific backbone route through Juno – one of the world’s newest and most advanced subsea cable systems – connecting Tokyo, Japan to Los Angeles on the West Coast of the US.
Having come into service in May 2025 and operated by Seren Juno Network Co, the Juno cable is around 11,700km (7,270 miles) long and engineered to deliver up to 350Tbps across 20 fibre pairs, using next-generation Space Division Multiplexing technology. In Japan, it lands at Minamiboso (Chiba Prefecture) and Shima (Mie Prefecture), connecting with Grover Beach, California. It extends to terrestrial points of presence in Tokyo, Osaka, Los Angeles and San Jose.
The Colt network is intended to offer customers a diverse route, connecting Colt’s existing terrestrial networks in Japan and the US, providing greater resilience and higher bandwidth options to provide greater resilience on transpacific services.
This is said to make the services ideal for businesses with global operations across Asia and the US. Another benefit is said to be an expansion in the global digital footprint, extending its “on-net” capabilities. Colt can connect directly into multiple sites across Tokyo, with on‑net coverage throughout the city’s key metro datacentres.
Commenting on the expansion, Buddy Bayer, chief operating officer of Colt Technology Services, said: “The world’s economies run on digital infrastructure, but there will come a point when existing capacity across some routes isn’t enough. This risks disrupting or even reversing the progress countries have made in connecting markets, organisations and societies. At Colt, we have a deep commitment to solving problems for our customers so they can grow and scale. This investment in our digital infrastructure connecting the US West Coast to Tokyo, Japan not only solves the capacity problem for our customers – it’s also a gateway to global growth.”
News of the new subsea infrastructure comes shortly after Colt announced an expansion and investment into new routes connecting the East Coast of the US to Europe. Specifically, the low-latency routes along the US East Coast and between the US East Coast and Europe are designed to “supercharge” capacity for customers as AI traffic surges across what is said to be the world’s busiest data pathway.
Anthropic won a preliminary injunction barring the US Department of Defense from labeling it a supply-chain risk, potentially clearing the way for customers to resume working with the company. The ruling on Thursday by Rita Lin, a federal district judge in San Francisco, is a symbolic setback for the Pentagon and a significant boost for the generative AI company as it tries to preserve its business and reputation.
“Defendants’ designation of Anthropic as a ‘supply chain risk’ is likely both contrary to law and arbitrary and capricious,” Lin wrote in justifying the temporary relief. “The Department of War provides no legitimate basis to infer from Anthropic’s forthright insistence on usage restrictions that it might become a saboteur.”
Anthropic and the Pentagon did not immediately respond to requests to comment on the ruling.
The Department of Defense, which under Trump calls itself the Department of War, has relied on Anthropic’s Claude AI tools for writing sensitive documents and analyzing classified data over the past couple of years. But this month, it began pulling the plug on Claude after determining that Anthropic could not be trusted. Pentagon officials cited numerous instances in which Anthropic allegedly placed or sought to put usage restrictions on its technology that the Trump administration found unnecessary.
The administration ultimately issued several directives, including designating the company a supply-chain risk, which have had the effect of slowly halting Claude usage across the federal government and hurting Anthropic’s sales and public reputation. The company filed two lawsuits challenging the sanctions as unconstitutional. In a hearing on Tuesday, Lin said the government had appeared to illegally “cripple” and “punish” Anthropic.
Lin’s ruling on Thursday “restores the status quo” to February 27, before the directives were issued. “It does not bar any defendant from taking any lawful action that would have been available to it” on that date, she wrote. “For example, this order does not require the Department of War to use Anthropic’s products or services and does not prevent the Department of War from transitioning to other artificial intelligence providers, so long as those actions are consistent with applicable regulations, statutes, and constitutional provisions.”
The ruling suggests the Pentagon and other federal agencies are still free to cancel deals with Anthropic and ask contractors that integrate Claude into their own tools to stop doing so, but without citing the supply-chain-risk designation as the basis.
The immediate impact is unclear because Lin’s order won’t take effect for a week. And a federal appeals court in Washington, DC, has yet to rule on the second lawsuit Anthropic filed, which focuses on a different law under which the company was also barred from providing software to the military.
But Anthropic could use Lin’s ruling to demonstrate to some customers concerned about working with an industry pariah that the law may be on its side in the long run. Lin has not set a schedule to make a final ruling.
President Donald Trump and top defense officials are reportedly weighing whether to send ground troops to Iran in order to retrieve the country’s highly enriched uranium. However, the administration has shared little information about which troops would be deployed, how they would retrieve the nuclear material, or where the material would go next.
“People are going to have to go and get it,” secretary of state Marco Rubio said at a congressional briefing earlier this month, referring to the possible operation.
There are some indications that an operation is close on the horizon. On Tuesday, The Wall Street Journal reported that the Pentagon has imminent plans to deploy 3,000 brigade combat troops to the Middle East. (At the time of writing, the order has not been made.) The troops would come from the Army’s 82nd Airborne Division, which specializes in “joint forcible entry operations.” On Wednesday, Iran’s government rejected Trump’s 15-point plan to end the war, and White House press secretary Karoline Leavitt said that the president “is prepared to unleash hell” in Iran if a peace deal is not reached—a plan some lawmakers have reportedly expressed concern about.
Drawing from publicly available intelligence and their own experience, two experts outlined the likely contours of a ground operation targeting nuclear sites. They tell WIRED that any version of a ground operation would be incredibly complicated and pose a huge risk to the lives of American troops.
“I personally think a ground operation using special forces supported by a larger force is extremely, extremely risky and ultimately infeasible,” Spencer Faragasso, a senior research fellow at the Institute for Science and International Security, tells WIRED.
Nuclear Ambitions
Any version of the operation would likely take several weeks and involve simultaneous actions at multiple target locations that aren’t in close proximity to each other, the experts say. Jonathan Hackett, a former operations specialist for the Marines and the Defense Intelligence Agency, tells WIRED that as many as 10 locations could be targeted: the Isfahan, Arak, and Darkhovin research reactors; the Natanz, Fordow, and Parchin enrichment facilities; the Saghand, Chine, and Yazd mines; and the Bushehr power plant.
According to the International Atomic Energy Agency, Isfahan likely has the majority of the country’s 60 percent highly enriched uranium, which may be able to support a self-sustaining nuclear chain reaction, though weapon-grade material generally consists of 90 percent enriched uranium. Hackett says that the other two enrichment facilities may also have 60 percent highly enriched uranium, and that the power plant and all three research reactors may have 20 percent enriched uranium. Faragasso emphasizes that any such supplies deserve careful attention.
Hackett says that eight of the 10 sites—with the exception of Isfahan, which is likely intact underground, and “Pickaxe Mountain,” a relatively new enrichment facility near Natanz—were mostly or partially buried after last June’s air raids. Just before the war, Faragasso says, Iran backfilled the tunnel entrances to the Isfahan facility with dirt.
The riskiest version of a ground operation would involve American troops physically retrieving nuclear material. Hackett says that this material would be stored in the form of uranium hexafluoride gas inside “large cement vats.” Faragasso adds that it’s unclear how many of these vats may have been broken or damaged. At damaged sites, troops would have to bring excavators and heavy equipment capable of moving immense amounts of dirt to retrieve them
A comparatively less risky version of the operation would still necessitate ground troops, according to Hackett. However, it would primarily use air strikes to entomb nuclear material inside of their facilities. Ensuring that nuclear material is inaccessible in the short to medium term, Faragasso says, would entail destroying the entrances to underground facilities and ideally collapsing the facilities’ underground roofs.
Softening the Area
Hackett tells WIRED that based on his experience and all publicly available information, Trump’s negotiations with Iran are “probably a ruse” that buys time to move troops into place.
Hackett says that an operation would most likely begin with aerial bombardments in the areas surrounding the target sites. These bombers, he says, would likely be from the 82nd Airborne Division or the 11th or 31st Marine Expeditionary Units (MEU). The 11th MEU, a “rapid-response” force, and the 31st MEU, the only Marine unit continuously deployed abroad in strategic areas, have reportedly both been deployed to the Middle East.
Entertainment1 week ago
Fashion1 week ago
Sports1 week ago
Fashion6 days ago
Sports7 days ago