How do companies negotiate a ransomware attack?

In the current cybersecurity landscape, one of the most daunting and frequent threats organizations face is ransomware. This type of cyberattack not only jeopardizes data and operational capabilities of companies but also poses a critical dilemma: should the victims pay the ransom demanded by cybercriminals? Through a detailed analysis of tactics and strategies used by both attackers and victims, this article delves into the complexities of ransomware negotiations and provides strategic advice for managing these crises.

Context and Challenges of Ransomware

Ransomware is a type of malware that encrypts the files of a victim, demanding payment to restore access. This attack can cripple an organization’s operations, leading to significant economic losses and reputational damage.

Faced with a ransomware attack, organizations encounter a critical decision: to pay or not to pay the ransom. Although most cybersecurity experts advise against paying, arguing that it could incentivize further attacks, the reality is that some companies might be forced to consider payment as a viable option due to a lack of alternatives.

Perspectives from Cybersecurity Experts

Case Studies and Data Analysis

Pepijn Hack, a cybersecurity analyst from Fox-IT, along with his colleague Zong-Yu Wu, studied over 700 ransomware negotiations between 2019 and 2020. Their analysis revealed patterns in how attackers set ransom prices and how victims can negotiate more favorable terms.

Economic Factors in Ransom Pricing

Attackers consider various economic factors when determining the ransom amount, such as the cost of hosting the malware, penetration testing, and toolset development. Additionally, there is a negative correlation between the ransom price and victims’ willingness to pay; higher prices generally result in fewer payments.

Effective Negotiation Strategies

Hack and Wu’s data show that small and medium-sized businesses typically pay less in absolute terms, but more as a percentage of their income. Moreover, they highlight that attackers usually have an informational advantage, as they are more familiar with the ransomware terrain than the victims, who are often novices in these situations.

Strategies for Managing Ransomware Negotiations

Negotiation as a Business Transaction

Hack suggests treating ransom negotiation as a business transaction. Maintaining professionalism and being respectful during communications can lead to better outcomes. Asking for more time and not succumbing to attackers’ pressure are key tactics that can help improve the terms of any agreement.

Pay Less and Faster

An effective strategy for victims who prefer to resolve the situation quickly is to offer a smaller payment immediately rather than a larger amount later. This tactic takes advantage of the attackers’ impatience to close the deal and move on to their next target.

Refusing to Pay Based on Financial Inability

In some cases, arguing that the organization cannot afford the demanded amount can lead to a significant reduction in the ransom. This strategy has proven effective, especially when victims can convince attackers of their genuine financial limitation.


Although ransomware negotiations present a considerable challenge, understanding the dynamics and strategies involved can empower organizations to better manage these situations. By recognizing that attackers are also susceptible to mistakes and negotiating pressure, victims can find ways to level the playing field and, in some cases, avoid paying or significantly reduce the ransom amount. Preparation, information, and a strategic approach are essential for successfully navigating the complicated ransomware landscape.

Sheridan, K. (2021, noviembre 15). How to negotiate with ransomware attackers. Dark Reading.