
    I Negotiated Ransomware Incidents Across 15 Countries

    It’s Friday afternoon. The weekend is about to kick off when suddenly you receive word from your IT department that all systems have been encrypted.

    The hackers, a ransomware group that’s been making its rounds inflicting financial pain and misery on multiple companies, communicate that all will go back to normal if you just do one little thing: pay them $5 million, or the rest of the world, including those pesky competitors that have been biting at your heels, will get a front-row seat to the exposure of your precious data.

    What do you do? What don’t you do? Your mind starts racing as the weight of the world — your company’s business and future — hangs in the balance. As the company’s CEO, you have to decide what to do next or face the potential consequences.

    As someone who has successfully negotiated more than 40 ransomware incidents across 15 countries, including the US, EU nations, the Middle East and Asia-Pacific regions, I have firsthand experience on how this story should play out.

    It starts with understanding exactly who and what you’re dealing with.

    First, at this scale, the ransomware gang is likely running a professional SaaS-style operation. Second, they’re on the hunt for any signs of weakness from their victims. Third, and most crucially, these hackers are on their own deadline.

    Ransomware Hackers Are Highly Sophisticated: Be Prepared

    Major ransomware gangs like LockBit, BlackCat and RansomHub run like highly organized SaaS vendors.

    With affiliates, customer ‘support’ dashboards and all the sophisticated processes that make a business a business, these gangs are able to effectively target hundreds of organizations.

    At the time of its takedown in 2024, LockBit targeted over 2,000 companies worldwide and received over $120 million in ransom.

    This sophistication makes them dangerous but not invincible. Organizations whose preparation matches the gang’s own can use that footing to reduce demands or even call their bluff.

    While negotiation is one viable path when the business impact is critical, it is not without risk, and in many cases the decision whether to engage must be made in consultation with legal, insurance and incident-response advisors.

    Organizations should proactively establish relationships with third-party ransomware negotiators and tabletop test these scenarios regularly, before a breach occurs.

    Practically speaking, all organizations should develop a ransomware playbook covering exactly how to respond to a ransomware attack and extortion.

    This playbook should include contacts for legal help, communications experts, and a negotiation expert on call. It should also outline who in the company will do what, what will be said, and how it will be said.

    Ransomware Hackers Are Shrewd: Don’t Let Them In

    The more information hackers have, the easier it is to extort a company. For this reason, they will be on the hunt for highly sensitive information before attacking. Knowing exactly how much money an organization is working with, and whether it has cyber insurance, lets the hackers tailor their demands in the way most likely to result in payment.

    In order to deny them these opportunities, organizations must first keep these sensitive documents hidden. According to Verizon’s 2025 DBIR, 88% of breaches involved the use of stolen credentials, and 54% of ransomware victims had domains exposed in stealer log marketplaces. By keeping credentials and domains locked down, organizations immediately reduce their risk of this information being accessed.

    However, if these documents are leaked and the hackers become aware of financial details, it’s important to remain calm and collected. One key tactic is the LAP test: every counteroffer should be logical, acceptable and plausible. For instance, if the attacker demands $10 million, a counteroffer of $300,000 with an explanation tied to liquidity or board restrictions might qualify.

    Once the hackers have this information, it cannot be taken back. Instead, victim organizations must keep remaining details close to their chest and limit the possible escalation of threats. They should maintain vague language to preserve the bargaining range, and they should never concede that they can pay because of insurance.

    Bear in mind that regulatory and legal considerations vary significantly across jurisdictions. What is permissible (or insurable) in one country may be restricted or even illegal in another, so legal counsel with local expertise is indispensable.

    Ransomware Hackers Are Impatient: Time Is the Secret Weapon

    Organizations dealing with ransomware extortion are under strict deadlines, but so are the hackers behind these attacks. Not only do hackers want to move on to the next target as soon as possible, but they are also dealing with the risk of law enforcement, safe-house security and server time.

    By deliberately slowing down the negotiation process, organizations can make hackers antsy enough to drop their price significantly.

    Companies under attack can slow this timeline by asking for proof-of-life data or proof that the decryptor works. They can also delay responding. A ransomware playbook should spell out strict internal rules on communication timing.

    For example, no price discussions should happen before day two. The ransomware negotiator that an organization employs should also be well aware of different gangs’ histories regarding how soon demands have been discounted in previous attacks.

    For example, in one incident in the Asia-Pacific region, when the attackers demanded US$8 million, we delayed substantive responses for 36 hours, asked for proof of exfiltration, and were able to reduce the demand by over 60% while buying critical time to restore key systems.

    Preparation Over Knowledge

    Knowing these three traits about hackers is a major advantage for ransomware negotiations. However, knowing is not the same as preparing. Organizations of all sizes should prepare to the best of their ability. Ideally, they would do this with a ransomware negotiation playbook that is regularly updated, as well as frequent mock-negotiation practices for how to respond in the case of an attack.

    You can’t negotiate with hackers from a place of fear, but you can turn their urgency against them with the right playbook, people and preparation.

    Start today by appointing your ransomware-response lead, running your first tabletop exercise in the next 30 days and revisiting your playbook, which should integrate legal, communications, insurance and cyber-resilience, at least once every year.
