Most organisations approach ransomware negotiation in a state of panic. They've just discovered their systems are encrypted, their data may be stolen, and a faceless threat actor is demanding millions. The instinct is to either pay immediately or refuse entirely.
Both reactions are usually wrong.
Over the past several years, our team has negotiated with virtually every major ransomware group operating today — LockBit, BlackCat/ALPHV, Clop, Royal, Play, Akira, and dozens of others. This article distils what actually works at the negotiation table.
Before You Make Contact
The negotiation starts before the first message. What you do in the first 24 hours determines your leverage for the entire engagement.
Intelligence Gathering
Before contacting the threat actor, you need answers to five critical questions:
- Who are you dealing with? Different groups have different reputations, tactics, and reliability. Some decrypt reliably after payment. Others don't. Know which you're facing.
- What's your actual exposure? Is data encrypted, stolen, or both? The answer changes everything about your negotiation position.
- Do you have viable recovery options? Clean backups, free decryptors, or partial recovery change your BATNA (Best Alternative To Negotiated Agreement) dramatically.
- What are the sanctions implications? Some groups and jurisdictions are sanctioned. Paying a sanctioned entity carries severe legal risk. Read our sanctions guide.
- What's your business impact per hour? This is your internal clock. It determines how much time pressure you're actually under vs. how much is manufactured by the attacker.
Sanctions Screening
This is non-negotiable. Before any payment discussion, screen the threat actor, their known wallet addresses, and any associated entities against:
- OFAC Specially Designated Nationals (SDN) list
- UK HM Treasury sanctions list (OFSI)
- EU consolidated sanctions list
- UN Security Council sanctions
We've walked away from negotiations specifically because of sanctions risk. It's not optional — it's a legal requirement. Our full sanctions compliance guide covers this in detail.
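The wallet-address part of that screen is mechanical enough to automate. The following Python is an added illustration, not code from this article or its authors: it parses an SDN-style XML list and screens a set of wallet addresses against the "Digital Currency Address" identifiers it contains. The sample list embedded below is constructed and its addresses are placeholders, not real designations. The parser assumes the record layout of OFAC's sdn.xml (`<sdnEntry>` elements carrying `<idList>/<id>/<idType>` entries such as "Digital Currency Address - XBT" under the `http://tempuri.org/sdnList.xsd` namespace); confirm that assumption against the current download before relying on it, and screen names, aliases and the other lists in the section by the same approach.

```python
"""Screen ransomware wallet addresses against an OFAC SDN-style XML list.

Added illustration (not the article's own tooling). The SDN sample is
constructed and its addresses are placeholders. The layout assumed here
mirrors OFAC's sdn.xml; verify it against the live file.
"""
from typing import Dict, Iterable, List
import xml.etree.ElementTree as ET

# Namespace used by sdn.xml (assumption; check the downloaded file).
SDN_NS = {"s": "http://tempuri.org/sdnList.xsd"}

# Constructed sample in the shape of sdn.xml. Addresses are invented placeholders.
SAMPLE_SDN_XML = """<?xml version="1.0"?>
<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>1001</uid>
    <lastName>EXAMPLE RANSOMWARE OPERATOR</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><uid>1</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>bc1qplaceholdersanctioned0000000000000001</idNumber></id>
      <id><uid>2</uid><idType>Digital Currency Address - ETH</idType>
          <idNumber>0xplaceholdersanctioned0000000000000000002</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>1002</uid>
    <lastName>UNRELATED ENTITY</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>SDGT</program></programList>
    <idList>
      <id><uid>3</uid><idType>Passport</idType><idNumber>A1234567</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""


def normalise(address: str) -> str:
    # Strip and lowercase so formatting differences never hide a hit. For a
    # sanctions screen a spurious match that an analyst clears is far cheaper
    # than a miss (bech32 and hex addresses are case-insensitive anyway).
    return address.strip().lower()


def load_sanctioned_addresses(xml_text: str) -> Dict[str, dict]:
    """Build {normalised_address: designation details} from the XML list."""
    index: Dict[str, dict] = {}
    root = ET.fromstring(xml_text)
    for entry in root.iterfind("s:sdnEntry", SDN_NS):
        uid = entry.findtext("s:uid", default="", namespaces=SDN_NS)
        name = entry.findtext("s:lastName", default="", namespaces=SDN_NS)
        programs = [p.text for p in entry.iterfind("s:programList/s:program", SDN_NS)]
        for ident in entry.iterfind("s:idList/s:id", SDN_NS):
            id_type = ident.findtext("s:idType", default="", namespaces=SDN_NS)
            if not id_type.startswith("Digital Currency Address"):
                continue  # passports, registration numbers etc. are not wallets
            number = ident.findtext("s:idNumber", default="", namespaces=SDN_NS)
            index[normalise(number)] = {
                "uid": uid,
                "name": name,
                "programs": programs,
                "asset": id_type.rsplit("-", 1)[-1].strip(),  # e.g. "XBT"
            }
    return index


def screen_addresses(addresses: Iterable[str], index: Dict[str, dict]) -> List[dict]:
    """Return one record per address that appears in the sanctioned index."""
    hits = []
    for addr in addresses:
        match = index.get(normalise(addr))
        if match:
            hits.append({"address": addr, **match})
    return hits


if __name__ == "__main__":
    sdn_index = load_sanctioned_addresses(SAMPLE_SDN_XML)
    # Constructed wallets supposedly supplied in a ransom note.
    for hit in screen_addresses(["bc1qplaceholdersanctioned0000000000000001",
                                 "bc1qcleanplaceholder00000000000000000000"], sdn_index):
        print(f"BLOCK: {hit['address']} -> {hit['name']} ({', '.join(hit['programs'])})")
```

Any hit stops the payment discussion; a clean result only means the address is not on the list you loaded, so keep the list fresh and screen the group, its affiliates and any intermediary against all four lists named above.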
The Negotiation Itself
Opening Communication
Your first message sets the tone. Here's what works and what doesn't:
Do
- Be professional and measured
- Acknowledge the situation without panic
- Ask for proof of decryption capability
- Request clarification on data exposure claims
- Establish you need time to consult decision-makers
Don't
- Reveal urgency or desperation
- Mention cyber insurance coverage
- Give exact budget figures
- Make threats or aggressive statements
- Reveal your recovery options
Proof of Life
Before any serious discussion, always require proof that decryption works. Send 2-3 non-critical encrypted files for test decryption. This achieves three things:
- Confirms the attacker actually has working decryption keys
- Buys you time while you assess recovery options
- Establishes a pattern of communication on your timeline
Negotiation Tactics That Work
| Tactic | How It Works | Typical Reduction | When to Use |
|---|---|---|---|
| Controlled delay | Introduce legitimate reasons for slow responses — board approval, legal review, procurement processes. Extends timeline without antagonising. | 15-25% | Almost always. Time is usually your friend. |
| Financial hardship | Present genuine constraints. Small business positioning. Can't-afford framing backed by plausible context. | 30-50% | SMBs facing disproportionate demands. |
| Partial recovery leverage | Signal (without revealing details) that you have some recovery capability, reducing the attacker's leverage. | 20-40% | When you have partial backups but need full decryption. |
| Counter-offer anchoring | Start at 10-20% of the initial demand. Establishes a negotiation range significantly below the ask. | 40-70% | Standard approach for high initial demands. |
| Split deal | Negotiate payment in stages — partial payment for decryption key, remainder after verification. | 10-20% | Large demands where trust is low. |
The 80% Rule
Across our 235 cases, successful negotiations follow a remarkably consistent pattern:
Groups that refuse any negotiation are rare. Even the most aggressive operators understand that some payment beats no payment. The question isn't whether they'll negotiate — it's how far they'll move.
Reading the Other Side
Threat actor behaviour tells you a lot about your position:
- Quick responses: They're motivated. You likely have more leverage than you think.
- Deadline threats: Usually bluffs the first time. Real deadlines get extended 70% of the time when engagement continues.
- Publishing previews: They're trying to create urgency. Stay focused on negotiation, not intimidation.
- Going silent: Either they're managing many victims or testing your patience. Wait them out.
- Reducing demands unprompted: Weak position. Push for more reduction.
When NOT to Negotiate
Negotiation isn't always the right path. Based on our experience:
Walk away when:
- Clean, tested backups exist and the recovery time is acceptable
- A free decryptor is available (check No More Ransom)
- Sanctions risk is confirmed — no amount of negotiation skill makes paying a sanctioned entity legal
- The group has a poor track record of providing working decryptors (<50% success rate)
- Data wasn't actually stolen (confirmed through forensic investigation)
Real-World Case Studies
Case 1: Manufacturing Company — £2.3M Demand
Situation: Production lines down across three facilities. Data exfiltration confirmed. No viable backups.
Group: Tier-1 ransomware operator with reliable decryption track record.
Approach: Controlled delay (board approval narrative), financial hardship positioning (single-product manufacturer), counter-offer anchoring at £300k.
Timeline: 9 days of negotiation across 47 messages.
Case 2: Professional Services Firm — $800k Demand
Situation: Client data stolen. Regulatory notification obligations. Partial backups available for some systems.
Group: Mid-tier group with moderate reputation.
Approach: Leveraged partial recovery capability. Used regulatory timeline to create legitimate delay. Counter-offered at $75k.
Timeline: 5 days, 23 messages.
Case 3: Healthcare Provider — $3.1M Demand
Situation: Patient records encrypted. Emergency systems affected. Media attention imminent.
Group: High-profile group with strong decryption track record.
Approach: Rapid engagement due to patient safety concerns, but maintained professional negotiation posture. Did not reveal insurance coverage. Used healthcare hardship and patient impact narrative.
Timeline: 3 days, 31 messages (accelerated timeline due to patient safety).
After the Negotiation
Whether you pay or recover without payment, the work isn't done:
- Document everything — negotiation logs, payment records, decryption verification. Your insurer and legal team will need this.
- Verify decryption — test on non-critical systems first. Confirm file integrity before declaring recovery.
- Address root cause — how did they get in? If you don't fix the entry point, you'll be back at this table.
- Regulatory notifications — GDPR gives you 72 hours from discovery. UK ICO expects prompt notification. Don't let negotiation timelines override compliance obligations.
- Post-incident review — what worked, what didn't, what changes are needed. Our first 72 hours guide covers the full recovery process.
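Both the proof-of-life test earlier and the "verify decryption" step above come down to the same question: is the file the attacker handed back actually intact, or merely renamed? The Python below is an added illustration, not the article's or any vendor's code, of the checks worth running on each test-decrypted file before declaring a decryptor trustworthy: a SHA-256 comparison against a known-good value where one exists (a backup catalogue, for instance), expected magic bytes for the file type, and a byte-entropy check for plain-text types, since data that is still ciphertext looks uniformly random. The sample files and the helper names are constructed for this example.

```python
"""Sanity-check test-decrypted files before trusting a ransomware decryptor.

Added illustration (not the article's own tooling). Sample inputs are
constructed in memory; function and constant names are this example's own.
"""
import hashlib
import math
from typing import Optional

# Leading bytes expected for common document types.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",          # OOXML documents are ZIP containers
    "png": b"\x89PNG\r\n\x1a\n",
}
# Uncompressed types where high entropy is a red flag; compressed formats
# such as docx or png legitimately look random, so they are not listed.
PLAIN_TYPES = {"txt", "csv", "log"}
ENTROPY_LIMIT = 7.5  # bits per byte; real plaintext sits well below this

# Constructed samples: a valid-looking PDF, a plain report, and a blob in
# which every byte value is equally frequent (8.0 bits/byte, like ciphertext).
GOOD_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
GOOD_TXT = b"Quarterly production report: line 3 output nominal.\n" * 20
STILL_ENCRYPTED = bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_decrypted(data: bytes, kind: str,
                     expected_sha256: Optional[str] = None) -> dict:
    """Return {"ok": bool, "problems": [...]} for one decrypted file body."""
    problems = []
    if not data:
        problems.append("empty output")
    # Strongest check: exact match against a pre-incident known-good hash.
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        problems.append("sha256 does not match known-good value")
    # Structural check: the file type's signature must be present.
    magic = MAGIC.get(kind)
    if magic is not None and not data.startswith(magic):
        problems.append(f"missing {kind} magic bytes")
    # Statistical check for plain-text types: ciphertext is near 8 bits/byte.
    if kind in PLAIN_TYPES:
        ent = shannon_entropy(data)
        if ent > ENTROPY_LIMIT:
            problems.append(f"entropy {ent:.2f} bits/byte looks like ciphertext")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    checks = [
        ("report.pdf", GOOD_PDF, "pdf", sha256_hex(GOOD_PDF)),
        ("notes.txt", GOOD_TXT, "txt", None),
        ("ledger.txt", STILL_ENCRYPTED, "txt", None),
    ]
    for name, body, kind, known in checks:
        result = verify_decrypted(body, kind, known)
        print(name, "OK" if result["ok"] else "FAIL: " + "; ".join(result["problems"]))
```

Run it over every file returned from the proof-of-life test and again on a non-critical system after the full decryptor arrives; a single failing file is reason to withhold any remaining payment in a split deal and to keep the rest of the recovery on your own backups.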
The Bottom Line
Ransomware negotiation is not about being tough or clever. It's about being prepared, informed, and patient. The organisations that get the best outcomes are those that:
- Engage professional negotiators early (not after they've already started talking)
- Make decisions based on data, not fear
- Understand their actual options before the conversation starts
- Never reveal more than necessary to the threat actor
If there's one thing we've learned from 235 negotiations, it's this: the initial demand is never the final price. The question is whether you have the expertise and discipline to find the real number.
Need Negotiation Support Right Now?
Our ransomware negotiation team is available 24/7. Senior practitioners with direct experience across every major ransomware group.