Inside a Ransomware Negotiation: What Actually Happens After the Ransom Note Appears
You open your laptop and every file is encrypted. A note demands $500,000 in Bitcoin within 72 hours or your data is destroyed — and leaked publicly. What happens next? Most people have no idea. Here's what actually unfolds behind the scenes when a ransomware attack hits — from the first call to the final decision.

The Moment Everything Stops
Imagine walking into your office on a Monday morning. You turn on your computer. Instead of your desktop, you see a red screen with a message: "All your files have been encrypted. To recover them, you must pay 15 Bitcoin (approximately $500,000) within 72 hours. If you do not pay, your files will be permanently destroyed, and all sensitive data we have exfiltrated will be published on our leak site for the world to see."
Below the message is a link to a Tor-hosted chat portal, a unique victim ID, and a countdown timer.
Your heart drops. You try opening a Word document — gibberish. A spreadsheet — gibberish. Your email archives — encrypted. The company database — locked. The backup server — also encrypted (they got there first).
This is the moment where everything you thought you knew about cybersecurity becomes real. And what happens in the next 24 to 72 hours will determine whether your organization survives, pays a life-changing sum to criminals, or loses everything.
Let me walk you through what actually happens behind the scenes.
Hour 0-4: The Scramble
The first hours are chaos. Nobody knows the scope of the damage. IT staff are running from machine to machine trying to determine what's encrypted and what isn't. Executives are asking questions nobody can answer yet. Someone calls the company's cyber insurance provider. Someone else calls law enforcement.
The first critical decision: should the organization engage with the attackers? This is where the ransomware negotiator enters the picture.
The Negotiator
Most organizations don't negotiate directly with ransomware gangs. They hire professional ransomware negotiators — specialists from incident response firms like CrowdStrike, Mandiant, Coveware, GroupSense, or Kroll who have experience communicating with specific ransomware groups and understanding their patterns.
The negotiator's job isn't just to haggle over the price. It's to buy time while the technical team assesses the situation, to determine whether decryption is possible without paying, to identify which group is responsible and whether it has a track record of actually providing working decryption keys, to evaluate whether the attacker has truly exfiltrated sensitive data, and ultimately to advise the organization on whether paying is worth the risk.
Negotiators communicate with the attackers through the Tor chat portal or encrypted email channel specified in the ransom note. The conversations are surprisingly structured — many ransomware groups operate with customer service-like professionalism, because their business model depends on victims believing that paying will actually result in data recovery.
The Negotiation Itself
Here's what most people don't realize: the initial ransom demand is almost always negotiable. Ransomware groups typically start with a high number and expect to settle for less. The negotiation follows patterns that experienced negotiators recognize.
Opening Contact
The negotiator makes initial contact through the provided channel, usually within the first 12-24 hours. The message is careful — establishing communication without committing to anything. "We've received your message. We're reviewing the situation and need time to understand the scope. Please provide proof that you can decrypt our files."
Asking for proof of decryption is standard. The attacker is expected to decrypt a few test files to demonstrate they actually have the decryption key. If they can't — or won't — that's a red flag that paying might not result in recovery.
The Back and Forth
The negotiator will typically present reasons why the victim can't afford the full ransom: the company is smaller than the attacker assumed, revenue has been impacted, insurance won't cover the full amount. This isn't just strategy — it's often genuinely true.
The attacker counters. Both sides know the range. Research by Coveware and other firms shows that most negotiations result in the final payment being 20% to 60% of the initial demand. A $500,000 demand might settle at $150,000 to $300,000.
Throughout this process, the negotiator is buying time. Every hour of negotiation is an hour the technical team uses to attempt data recovery from backups, search for decryption tools (some ransomware strains have been cracked by security researchers), assess the extent of data exfiltration, and prepare for either outcome — paying or not paying.
The Double Extortion Pressure
Modern ransomware is almost always double extortion: the attackers encrypt your files AND steal a copy of your sensitive data before encrypting. If you refuse to pay, they threaten to publish the stolen data on a dark web leak site.
This changes the calculation significantly. Even if you have backups and can restore your files without paying, the data exfiltration creates a separate threat: regulatory fines for data breaches, lawsuits from affected customers, competitive damage from leaked business secrets, and reputational harm.
The negotiator must assess whether the attacker actually has the data they claim to have. Sometimes the attackers bluff about the scope of exfiltration. Sometimes they provide samples to prove they have sensitive files. The credibility of this threat heavily influences the decision to pay.
The Decision: Pay or Don't Pay
This is the hardest moment. There is no right answer that applies to every situation.
Arguments Against Paying
Paying funds criminal organizations and encourages future attacks. There's no guarantee the decryption key will work — some groups provide faulty or incomplete decryptors. There's no guarantee the attackers will actually delete the stolen data — many don't, and some re-extort the same victim months later. US Treasury OFAC regulations make it illegal to pay sanctioned entities — and some ransomware groups are sanctioned. Paying doesn't fix the vulnerability that allowed the attack in the first place.
Arguments For Paying
The business cannot survive prolonged downtime. Backups are encrypted or don't exist. The cost of reconstruction far exceeds the ransom. Sensitive data will be leaked, causing regulatory and legal consequences that exceed the ransom amount. Employees' jobs depend on the company recovering.
The FBI's official position is that they discourage paying ransoms but acknowledge that each organization must make its own decision based on its circumstances. In practice, Coveware reported that 28% to 41% of ransomware victims paid the ransom in recent quarters — a number that's been gradually declining as organizations improve their backup strategies and incident response capabilities.
After the Decision
If the Organization Pays
Payment is made in cryptocurrency — typically Bitcoin or Monero — to a wallet address provided by the attackers. The negotiator facilitates the transaction, often through specialized cryptocurrency services that handle compliance and regulatory requirements.
After payment is confirmed, the attacker provides a decryption tool. The technical team tests it, then begins the painstaking process of decrypting files across the organization. This can take days to weeks, depending on the scope of encryption.
Even after successful decryption, the organization isn't safe. The attackers may have left backdoors for re-entry. A full security assessment and remediation is necessary — identifying how the attackers got in, closing that vulnerability, checking for persistence mechanisms, and rebuilding compromised systems.
If the Organization Doesn't Pay
The organization relies on backups, manual reconstruction, or accepts the loss. If backups exist and are clean, recovery begins — though restoring from backup can still take days to weeks for complex environments.
If the attackers have stolen data, the organization prepares for potential publication: notifying affected individuals, engaging legal counsel, preparing regulatory filings, and managing public communications.
Some organizations that refuse to pay discover that the attackers eventually move on — maintaining a leak site and managing victim communications costs the attackers time and resources too. But this isn't guaranteed, and some groups are persistent.
What This Means for You
Whether you're an individual or a small business owner, the lessons from ransomware negotiations apply directly.
Backups are the ultimate negotiating leverage. Organizations with clean, tested, offline backups have the power to refuse payment. Without backups, the attacker holds all the cards. This is why our backup strategy guide emphasizes offline and offsite copies that ransomware can't reach.
The attack usually starts with stolen credentials or phishing. Most ransomware gangs buy initial access from infostealer logs or credential marketplaces. Unique passwords, a dedicated password manager, and MFA make initial access dramatically harder.
Speed of response matters. Organizations that detect ransomware early — before it spreads to backup systems — have significantly better outcomes. Security monitoring and alerting aren't just corporate concerns; even home users benefit from keeping security tools active and paying attention to unusual device behavior.
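The "detect it early" point above is usually implemented as simple behavioural signals on the endpoint. The script below is an added example written for this article (it is not code from any product or firm named on the page) that runs two such signals over a constructed file-activity log: one process renaming many files to a single unfamiliar extension within a short window, and a large write whose bytes are near-random, which is what encrypted output looks like. The process name updater32.exe, the extension .lckd and every event in the log are made up for the example.

```python
"""Two early-warning signals for ransomware activity, run over a constructed
file-activity log. Endpoint tools use the same ideas: a single process renaming
many files to one unfamiliar extension in a short window, and large writes whose
content is near-random (encrypted data has close to 8 bits of entropy per byte).
"""
import math
import os
import random
from collections import Counter, defaultdict
from datetime import datetime


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rename_bursts(events, threshold=20, window_s=60):
    """Return {(process, new_extension): count} for every process that renamed at
    least `threshold` files to the same extension within any `window_s` seconds."""
    stamps_by_key = defaultdict(list)
    for ts, proc, action, _path, target in events:
        if action != "rename":
            continue
        new_ext = os.path.splitext(target)[1].lower()
        stamps_by_key[(proc, new_ext)].append(datetime.fromisoformat(ts))
    alerts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best, left = 0, 0
        for right, t in enumerate(stamps):          # sliding window over sorted timestamps
            while (t - stamps[left]).total_seconds() > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


def high_entropy_writes(events, min_bits=7.5, min_size=1024):
    """Return [(process, path, entropy)] for writes whose content looks like ciphertext."""
    hits = []
    for _ts, proc, action, path, payload in events:
        if action == "write" and len(payload) >= min_size:
            h = shannon_entropy(payload)
            if h >= min_bits:
                hits.append((proc, path, round(h, 2)))
    return hits


def analyze(events):
    """Combine both signals into a list of human-readable alerts."""
    alerts = [f"{proc} renamed {n} files to '{ext}' within 60s"
              for (proc, ext), n in rename_bursts(events).items()]
    alerts += [f"{proc} wrote high-entropy data ({h} bits/byte) to {path}"
               for proc, path, h in high_entropy_writes(events)]
    return alerts


# Constructed sample log (not captured from any real system). Each event is
# (ISO timestamp, process, action, path, target-or-payload): for "rename" the last
# field is the new path, for "write" it is the bytes written.
_rng = random.Random(7)                      # fixed seed keeps the example deterministic
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_EVENTS = [
    ("2025-01-06T09:00:01", "winword.exe", "write", r"C:\Users\a\Documents\q1.docx",
     b"Quarterly report, ordinary prose " * 40),
    ("2025-01-06T09:00:02", "excel.exe", "rename", r"C:\Users\a\Documents\~tmp1.xlsx",
     r"C:\Users\a\Documents\budget.xlsx"),    # a normal save-via-rename, one file only
] + [
    ("2025-01-06T09:05:%02d" % i, "updater32.exe", "rename",
     r"C:\Users\a\Documents\file%d.docx" % i,
     r"C:\Users\a\Documents\file%d.docx.lckd" % i)   # '.lckd' is a made-up extension
    for i in range(25)
] + [
    ("2025-01-06T09:05:30", "updater32.exe", "write",
     r"C:\Users\a\Documents\file0.docx.lckd", CIPHERTEXT_LIKE),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Both thresholds are deliberately conservative: a normal editor saves one file at a time via rename, and ordinary documents sit far below 7.5 bits per byte, so a burst of 25 renames to one new extension plus a near-random write from the same process is a strong combined signal rather than either one alone.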
The 72-hour deadline is artificial. Ransomware groups create urgency to prevent rational decision-making — the same psychological manipulation used in all scams. In practice, deadlines are almost always extended during negotiation.
Ransomware isn't going away. The economics are too favorable for attackers. But the defense — strong backups, unique credentials, MFA, and a plan — gives you the power to say no.
And that's the only leverage that matters.
Prevention: The Best Negotiation Is the One You Never Have
The entire nightmare described in this article — the encrypted files, the ransom demands, the agonizing decisions, the hundreds of thousands of dollars — is preventable. Not merely theoretically preventable, but practically preventable, with measures that are available to every organization and individual.
Offline backups. The single most powerful defense against ransomware. If your backups are stored offline and disconnected from your network, the ransomware can't reach them. You restore from backup and tell the attacker to pound sand. This is why our backup guide emphasizes the 3-2-1 rule with disconnected copies.
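"Clean, tested backups" (mentioned both in the lessons above and in this prevention point) means more than having a copy: you need to know the copy restores intact. The script below is an added example for this article, not code from the backup guide it refers to. It records a manifest of SHA-256 hashes when a backup is taken, and after a test restore compares every file against that manifest, so a missing file, a silently altered file, or an extra file that was never backed up is reported. The directories, file names and the .lckd stray file in the demo are constructed for the example.

```python
"""Verify that a restored backup matches the manifest recorded at backup time.

Compute a manifest (relative path -> SHA-256) when the backup is taken and store
it with the offline copy. After a test restore, check every file against it:
anything missing, altered, or unexpected is reported instead of discovered
during a real incident.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Return {relpath: 'missing' | 'modified' | 'unexpected'}; empty means a clean restore."""
    actual = build_manifest(restored_root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed scenario: take a manifest, then simulate a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        live.mkdir()
        (live / "contracts.txt").write_text("signed agreements\n")
        (live / "ledger.csv").write_text("date,amount\n2025-01-06,100\n")
        manifest = build_manifest(live)           # stored alongside the offline copy

        restored = Path(tmp, "restored")
        restored.mkdir()
        (restored / "contracts.txt").write_text("signed agreements\n")   # intact
        (restored / "ledger.csv").write_bytes(b"\x00\xff\x13\x37garbled")  # simulated damaged copy
        (restored / "ledger.csv.lckd").write_bytes(b"\x00\x01")           # stray file, made-up extension
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for rel, problem in demo().items():
        print(f"{problem:10} {rel}")
```

Run the verification against a restore performed on an isolated machine, not against the backup media in place, so the test exercises the same path you would use during an incident. Keep the manifest with the offline copy: a manifest that lives only on the production network is one more thing an intruder can alter.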
Credential hygiene. Most ransomware operators buy initial access from infostealer logs. A password manager with unique passwords for every account and MFA on everything important makes initial access orders of magnitude harder.
Email security. Phishing remains the most common entry point. The ability to recognize and report suspicious emails — combined with technical controls like SPF, DKIM, and DMARC — blocks the majority of ransomware delivery attempts.
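The SPF, DKIM and DMARC controls named above are published as DNS TXT records, and the most common weakness is not a missing record but a permissive one: an SPF record ending in `+all` or `~all`, a DKIM key still flagged as testing, or a DMARC policy of `p=none` that reports but blocks nothing. The script below is an added example for this article (not code from any tool mentioned on the page) that parses the three record types and lists the weak settings, with a weak and a hardened configuration side by side. The record strings are constructed; the domain and the DKIM key value are placeholders, and fetching the records from DNS is left to whatever resolver you already use.

```python
"""Assess SPF / DKIM / DMARC TXT records for weak settings.

Records are passed in as strings (for example as fetched from DNS with a
resolver). The inputs at the bottom are constructed for this example; the
domain and DKIM key are placeholders, not real values.
"""


def parse_tags(record):
    """Parse 'k=v; k2=v2' tag-value records (the form DMARC and DKIM use)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_spf(record):
    """Return (mechanisms, all_qualifier); (None, None) if not a v=spf1 record.
    all_qualifier is '+', '-', '~', '?' or None when no 'all' term is present."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, None
    mechanisms, all_q = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the SPF default
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            all_q = qualifier
        else:
            mechanisms.append(term)
    return mechanisms, all_q


def assess(spf=None, dkim=None, dmarc=None):
    """Return a list of finding codes; an empty list means no weak setting found."""
    findings = []
    if spf is None:
        findings.append("spf-missing")
    else:
        mechanisms, all_q = parse_spf(spf)
        if mechanisms is None:
            findings.append("spf-invalid")
        elif all_q in (None, "+", "?"):
            findings.append("spf-permissive")      # any host may send as the domain
        elif all_q == "~":
            findings.append("spf-softfail")        # receivers often treat ~all leniently
    if dkim is None:
        findings.append("dkim-missing")
    else:
        tags = parse_tags(dkim)
        if tags.get("v", "DKIM1").upper() != "DKIM1" or not tags.get("p"):
            findings.append("dkim-no-key")         # empty p= means the key was revoked
        if "y" in tags.get("t", "").lower():
            findings.append("dkim-testing")        # t=y asks receivers to ignore failures
    if dmarc is None:
        findings.append("dmarc-missing")
    else:
        tags = parse_tags(dmarc)
        if tags.get("v", "").upper() != "DMARC1":
            findings.append("dmarc-invalid")
        else:
            policy = tags.get("p", "none").lower()
            if policy == "none":
                findings.append("dmarc-monitor-only")   # reports only, nothing is blocked
            elif policy == "quarantine":
                findings.append("dmarc-quarantine")     # spam-foldered rather than rejected
            if int(tags.get("pct", "100")) < 100:
                findings.append("dmarc-partial-pct")    # policy applied to only part of mail
            if "rua" not in tags:
                findings.append("dmarc-no-reports")     # no aggregate reports to review
    return findings


# Constructed records for a placeholder domain; the DKIM p= value is a placeholder.
WEAK = dict(
    spf="v=spf1 include:_spf.example.com ~all",
    dkim="v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_BASE64_KEY",
    dmarc="v=DMARC1; p=none",
)
HARDENED = dict(
    spf="v=spf1 include:_spf.example.com -all",
    dkim="v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
    dmarc="v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
)

if __name__ == "__main__":
    print("weak:    ", assess(**WEAK))
    print("hardened:", assess(**HARDENED))
```

The checker looks only at the published policy text, which is the part a domain owner controls; whether the DKIM key actually verifies a given message, or whether a mail provider honours `p=reject`, is a separate question that needs real mail flow and the aggregate reports the `rua` tag delivers.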
Patching. Known vulnerabilities in internet-facing systems are the second most common entry point. Timely patching closes these doors before attackers walk through them.
Network segmentation. Even if an attacker gains access to one system, proper segmentation prevents them from moving laterally to encrypt the entire network. This is the same principle behind putting IoT devices on a guest network at home.
Ransomware negotiations exist because prevention failed. Every dollar spent on prevention is worth a hundred dollars saved on response. Every hour spent on backup testing is worth a hundred hours of recovery.
The best position in a ransomware negotiation is the one where you don't need to negotiate at all.

Written by Adhen Prasetiyo
Adhen Prasetiyo is an independent security researcher and the editor of BioProfileMe. He writes about cybersecurity, online scams, privacy risks, account security, and practical digital safety for everyday users.