Introduction
I want to be clear upfront: paying ransom should be your last resort, and in some jurisdictions paying certain groups is illegal. But I have been involved in enough ransomware incidents to know that sometimes organizations face an impossible choice between paying and going out of business. When that happens, you need to know what you are getting into.
The Decision Framework
Before engaging with the threat actor, answer these questions honestly. Do you have viable backups? If yes, how long will restoration take, and can the business survive that downtime? Is the threat actor on a sanctions list (OFAC in the US)? Paying a sanctioned entity carries severe legal consequences regardless of business impact. Has the attacker exfiltrated data, and are they threatening to publish it? Data extortion changes the calculus because paying for decryption does not guarantee they will delete stolen data.
Engage your cyber insurance carrier immediately. Most policies have pre-approved negotiation firms and legal counsel. Using your insurer's preferred vendors protects coverage and brings experienced negotiators into the process.
What Happens During Negotiation
Professional ransomware groups operate like businesses. They have customer service portals, SLAs, and pricing models. Initial demands are typically inflated by 3-10x. Negotiation is expected. The negotiation timeline usually runs 3-7 days, during which you should be pursuing recovery in parallel.
Never reveal your cyber insurance coverage amount. Threat actors monitor public filings and will adjust their demands based on what they believe you can pay. Keep communication professional and avoid revealing details about your financial situation, backup status, or recovery progress.
After Payment
If you pay and receive a decryption key, test it on a small sample before decrypting your entire environment. Decryptors from threat actors are often buggy and can corrupt data if used incorrectly. Some groups provide technical support for their decryptors. Others do not.
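The "test on a small sample first" step above can be scripted so that the vendor's decryptor never touches a production file until its output has passed a sanity check. The script below is an added example for this post, not code from the author or from any decryptor: it assumes locked files carry a `.locked` suffix (a made-up placeholder), stratifies the sample by original file type, runs the decryptor only on copies in a staging directory, and flags output that lacks the expected file signature or still has ciphertext-level entropy. The toy keystream cipher, the demo files and the "wrong key" decryptor are constructed stand-ins so the whole thing runs offline; in a real incident `decrypt_copy` would wrap the actor's tool.

```python
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes expected for common document types. Output that is supposed
# to be one of these but lacks the signature has not really been decrypted.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}
ENTROPY_CEILING = 7.5  # bits/byte; text-like formats sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pick_sample(root: Path, locked_suffix: str, per_type: int = 2, seed: int = 0):
    """A few locked files per original extension, so every file type the
    decryptor must handle is exercised, not just the first ones found."""
    by_ext = {}
    for p in Path(root).rglob(f"*{locked_suffix}"):
        original_ext = Path(p.name[: -len(locked_suffix)]).suffix.lower()
        by_ext.setdefault(original_ext, []).append(p)
    rng = random.Random(seed)
    sample = []
    for ext in sorted(by_ext):
        files = sorted(by_ext[ext])
        rng.shuffle(files)
        sample.extend(files[:per_type])
    return sample


def looks_decrypted(path: Path, original_ext: str):
    """Sanity-check one decryptor output: right signature for typed formats,
    low entropy for text-like ones. Not proof of integrity, but it catches a
    decryptor that silently writes garbage."""
    data = path.read_bytes()
    if not data:
        return False, "empty output"
    magic = MAGIC.get(original_ext)
    if magic is not None:
        return (True, "signature ok") if data.startswith(magic) else (False, f"missing {original_ext} signature")
    ent = shannon_entropy(data[:4096])
    if ent > ENTROPY_CEILING:
        return False, f"entropy {ent:.2f} bits/byte, still looks encrypted"
    return True, f"entropy {ent:.2f} bits/byte"


def trial_decrypt(root: Path, locked_suffix: str, decrypt_copy, staging: Path) -> dict:
    """Run decrypt_copy(locked_copy, out_path) only on COPIES in the staging
    directory; production files are never handed to the decryptor."""
    staging.mkdir(parents=True, exist_ok=True)
    files = {}
    for locked in pick_sample(root, locked_suffix):
        copy = staging / locked.name
        shutil.copy2(locked, copy)  # originals stay untouched until the trial passes
        original_name = locked.name[: -len(locked_suffix)]
        out = staging / original_name
        try:
            decrypt_copy(copy, out)
            ok, why = looks_decrypted(out, Path(original_name).suffix.lower())
        except Exception as exc:  # a crashing decryptor is a finding too
            ok, why = False, f"decryptor raised {type(exc).__name__}: {exc}"
        files[str(locked.relative_to(root))] = (ok, why)
    return {"files": files, "all_ok": all(ok for ok, _ in files.values())}


# --- Constructed stand-ins so the example runs offline (not real ransomware) ---
TOY_KEY = 1337  # keystream seed standing in for the actor's key


def toy_xor(data: bytes, key: int) -> bytes:
    """Symmetric keystream XOR used to lock the demo files; a toy, not a cipher."""
    rng = random.Random(key)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def build_demo_share(root: Path) -> None:
    """Write a few plausible files (constructed content) and lock them."""
    samples = {
        "finance/q3.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "hr/roster.csv": b"id,name,dept\n" + b"".join(b"%d,employee %d,ops\n" % (i, i) for i in range(200)),
        "it/backup.zip": b"PK\x03\x04" + bytes(range(256)) * 8,
    }
    for rel, plain in samples.items():
        p = root / (rel + ".locked")
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(toy_xor(plain, TOY_KEY))


def good_decryptor(locked_copy: Path, out: Path) -> None:
    out.write_bytes(toy_xor(locked_copy.read_bytes(), TOY_KEY))


def broken_decryptor(locked_copy: Path, out: Path) -> None:
    """Simulates a decryptor built with the wrong key: output stays scrambled."""
    out.write_bytes(toy_xor(locked_copy.read_bytes(), TOY_KEY + 1))


def run_demo(decryptor) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        build_demo_share(root)
        return trial_decrypt(root, ".locked", decryptor, Path(tmp) / "staging")


if __name__ == "__main__":
    for name, fn in (("vendor decryptor", good_decryptor), ("wrong-key decryptor", broken_decryptor)):
        report = run_demo(fn)
        print(f"{name}: all_ok={report['all_ok']}")
        for f, (ok, why) in report["files"].items():
            print(f"  {'PASS' if ok else 'FAIL'} {f}: {why}")
```

The signature and entropy checks are deliberately cheap: they will not prove a file is byte-for-byte correct, but they reliably separate "decrypted" from "still ciphertext" or "truncated", which is the failure mode that corrupts an environment when a buggy decryptor is run at scale. For files with known-good hashes from before the incident, comparing the staged output against those hashes is the stronger follow-up.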
Payment does not end the incident. The attacker was in your network long enough to deploy ransomware — assume they exfiltrated data, established backdoor access, and mapped your entire environment. Full remediation requires the same comprehensive eradication and recovery process regardless of whether you paid.
The best ransomware strategy is prevention. The second best is preparation — tested backups, practiced playbooks, and pre-arranged relationships with IR firms and legal counsel. By the time you are negotiating with a threat actor, you have already lost. The question is how much.