Ransomware Negotiation Services
Direct adversary negotiation, sanctions compliance, and cryptocurrency advisory. We lower demands, validate decryptors, and never charge success fees.
Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026
The Most Critical Decision You'll Make
A ransomware demand puts you under extreme pressure at the exact moment you need to think clearly. The threat actor's leverage is time — every hour of downtime costs you money, and they exploit that to push for faster, larger payments.
Panicked or inexperienced negotiation plays into that pressure, resulting in overpayment, unreliable decryptors, and slower recovery. Our negotiators have handled dozens of active cases across LockBit, BlackCat, Akira, and Qilin. We know which groups respond to which approaches and which ones to push back against.
What We Provide
- Threat actor profiling — you know who you are dealing with: their negotiation patterns, decryptor reliability, and known behaviours
- Sanctions screening — OFAC, OFSI, and EU compliance checked before any engagement or payment, fully documented and legally defensible
- Negotiation strategy — a tailored approach based on the group profile, your situation, and your recovery options
- Negotiation execution — we handle all communications with the threat actor and brief you at every stage
- Cryptocurrency due diligence — wallet tracing, blockchain analysis, and exchange KYC compliance
- Decryptor testing — we test decryptors on sample data and confirm they work before any payment is made
- Payment facilitation — where legally permissible, we manage the cryptocurrency acquisition and transfer
- Parallel recovery planning — negotiation runs alongside technical recovery, not instead of it
Transparent Fee Structure
Fixed Professional Services Fee
A flat engagement fee covers the full negotiation: threat actor profiling, sanctions screening, all communications, decryptor validation, and incident documentation. Agreed upfront. No surprises.
Performance Component (aligned with your savings)
For clients who prefer outcome-aligned pricing, we offer a small tiered percentage on the discount achieved from the original demand:
| Discount Achieved | Performance Fee |
|---|---|
| Up to 30% | 5% of discount amount |
| 31% – 60% | 4% of discount amount |
| 61% – 80% | 3% of discount amount |
| Over 80% | 2% of discount amount |
Example: Demand £500,000 → Negotiated to £100,000 → Discount = £400,000 (80%)
Performance component: 3% × £400,000 = £12,000
No Surprise Fees
Everything is agreed in writing before we begin. Our incentive is to minimise your total loss — not to earn a percentage of the payment. Ask any negotiation firm you are considering to put their fee structure in writing.
Compliance Framework
Every engagement starts with sanctions screening. We check the threat actor, associated wallets, and infrastructure against OFAC (US), OFSI (UK), and EU consolidated sanction lists. The entire process is documented. We will not facilitate a payment where sanctions risk cannot be mitigated.
If we identify a sanctions issue, we advise on legal position and work with your legal counsel. We maintain relationships with specialist sanctions lawyers who handle these cases regularly.
Frequently Asked Questions
Should we always negotiate?
Not always. If your backups are clean and recovery is faster than negotiation, paying is rarely the right answer. We assess recovery options alongside negotiation and give you an honest picture of both paths. We never push you toward payment if recovery is viable.
Will negotiating make us a target again?
There is no evidence that negotiating once makes you more likely to be targeted again. Attackers choose victims based on opportunistic access, not payment history. What matters is closing the initial access vector, which we work on in parallel.
What if the decryptor doesn't work?
Decryptor reliability varies by group and encryption implementation. We always test on a sample of encrypted files before any payment. If the test decryptor fails, we renegotiate. Every step is documented for your insurer.
Can you help even if we've already started communicating?
Yes. We take over or advise on existing communications. The earlier you bring us in, the stronger your position — but we can course-correct even mid-negotiation.
What's the typical timeline?
Most negotiations reach resolution within 3–10 days. We run parallel recovery efforts throughout so your timeline does not depend solely on the negotiation outcome.