When ransomware strikes, what’s your move?

Should we negotiate? Should we pay? These are the questions every organization faces when cybercriminals lock their data. By the time attackers have encrypted your systems, the focus shifts from prevention to response. It’s no longer about how it happened, it’s about what you’re willing to do next.


Ransomware gangs are becoming more organized and aggressive, and many now operate like businesses. They have customer service, payment portals, and negotiation playbooks. No organization is off-limits. Hospitals, schools, critical infrastructure, and global companies have all been hit.

A Zscaler report suggests that the massive $75 million ransom paid to the Dark Angels group may have encouraged other ransomware operators to push for higher payouts.

On the positive side, there’s a promising trend. According to Chainalysis’ latest report, an increasing number of victims are refusing to pay the ransom.

This shift may be partly driven by recent global law enforcement actions, which have dealt significant blows to ransomware gangs. These include the dismantling of LockBit’s infrastructure, charges against the Phobos ransomware administrator, the disruption of the Radar/Dispossessor group, and the takedown of ALPHV/BlackCat leak sites.

It’s a constant cat-and-mouse game between criminals and law enforcement.

Why do companies choose to engage in ransomware negotiations?

There’s no simple answer to this question. Governments and law enforcement generally advise against paying, arguing that doing so not only reinforces the cycle of cybercrime but also finances organized crime and potentially supports state-sponsored cyber operations.

But others say the first responsibility is to protect the organization and its stakeholders. In that moment, it’s less about ethics and more about survival.

For many, paying the ransom feels like the fastest way to get back online. The longer systems stay down, the higher the cost.

In some cases, paying may be the only option. If backups are compromised or unavailable, companies might have no choice but to negotiate in order to regain access to their data.

And what about hospitals? If they can’t access patient records, or if utilities can’t restore power, lives are at stake. In those situations, there’s little room for compromise. However, as seen in the case of the Change Healthcare data breach, paying the ransom does not guarantee the return of critical data.

In May 2021, Colonial Pipeline, a major US fuel supplier, was attacked by the DarkSide ransomware group. To restore operations and minimize fuel supply disruptions, the company paid a ransom of $5 million. The Department of Justice later recovered $2.3 million of the ransom payment through coordinated investigative efforts.

Tim Morris, Chief Security Advisor at Tanium, said: “If it was just a legal and ethical consideration, as a matter of principle, you should not pay, and law enforcement will agree with that approach. That said, sometimes, a ransomware payment comes down to a business decision rather than an ethical question. Doing the ethical thing may cost much more than just paying the ransomware.”

How professionals handle the process

When a company decides to negotiate, professionals step in to manage the situation. Incident response teams often lead the charge, working with legal, IT, and communications teams to keep things under control.

Third-party negotiators are commonly brought in. These are specialists who know how to talk to attackers without giving in too easily. They keep negotiations professional and try to lower the ransom demand without increasing the risk of data loss.

“A third-party highly skilled incident response team can offer businesses a plethora of expertise under one roof that may be missing from traditional in-house security teams,” said Azeem Aleem, MD of UK and Northern Europe at Sygnia.

Attackers often follow a script. Some act aggressively at first, then shift to being helpful once talks begin. They use pressure and fear to get a fast payment. They may threaten to leak data, raise the ransom, or set fake deadlines. Good negotiators know not to panic.

Stalling is a common tactic, as time can work in your favor. Extending the conversation gives teams time to restore backups, assess legal risks, or involve law enforcement.

The first demand is rarely final. Skilled negotiators offer lower amounts, ask for discounts, or request more time without upsetting the attacker.

Before any payment, negotiators ask for a sample file to be unlocked. If attackers can’t do this, the whole negotiation may fall apart.

Involving law enforcement in a ransomware attack is a critical step, but timing is key. The sooner authorities are notified, the better their chances of investigating the attack, identifying the criminals, and preventing future attacks. Law enforcement usually doesn’t negotiate with attackers, but they can help guide the company through the process.

Companies should also check if their cyber insurance policy requires notifying law enforcement. Many policies include this as part of the claims process.

Building a ransomware response plan

Preparation

Organizations need a ransomware playbook. This plan should lay out steps for handling an attack, including how to decide on negotiations. A predefined framework helps teams act quickly and confidently during a crisis.

Tabletop exercises

Simulated ransomware attacks, or tabletop exercises, prepare teams for real incidents. These mock drills help identify weaknesses and improve decision-making. They also allow key players to practice handling high-pressure situations.

“Businesses should ensure their incident response plans address the unique challenges posed by data theft. This includes preparing for potential double extortion scenarios and being ready to manage the fallout with customers and other stakeholders,” noted Tim West, Director of Threat Intelligence and Outreach at WithSecure.

When ransom negotiations fail

The following steps outline how organizations can respond in order to minimize the impact of a ransomware attack:

Assess the situation: Determine which systems are affected and whether backups are available.

Engage experts: Involve cybersecurity professionals to analyze the breach and assist in recovery efforts.

Isolate systems: Disconnect compromised devices from the network to prevent further spread of the attack.

Notify authorities: Report the incident to law enforcement and relevant regulatory bodies as required.

Communicate transparently: Inform stakeholders about the breach and the steps being taken to address it.

Recover data: Utilize clean backups to restore systems and data, ensuring all malware is eradicated.

Strengthen defenses: Update security measures, patch vulnerabilities, and train employees to prevent future incidents.

Review and learn: Conduct a post-incident analysis to identify weaknesses and improve response strategies.

When every option hurts

As we can see, there are no rules in these negotiations, because there is no honor among thieves. The patterns these groups once followed are shifting as they refine their tactics. Nobody wants to be in the shoes of the CISO or the organization in these situations.

The psychological pressure can be overwhelming, as you cannot predict the outcome, and neither option is ideal. If you pay, you lose money. If you don’t, you risk losing not only data but also your clients’ trust, which can be even more devastating for the future of your business.
