Hackers Are Sophisticated & Impatient — That Can Be Good


Ensar Seker, Vice President of Research & CISO, SOCRadar

September 2, 2025


COMMENTARY

Imagine this. It's Monday at 9 a.m. The CEO of a major company receives a notification that all systems have been encrypted. The ransomware group behind the attack demands $30 million paid within 72 hours or else all that encrypted data will be released to the entire world. 

Before panic sets in, there are three things to remember about the criminals on the other end. First, at this scale, they're likely running a professional software-as-a-service (SaaS)-style operation. Second, they're on the hunt for any signs of weakness from their victims. Third, and most crucially, these hackers are on their own deadline. 

Modern ransomware crews are more sophisticated, opportunistic, and impatient than most give them credit for. A good ransomware negotiation exploits all three of these traits. If hackers can prey on the psychology of the organizations they're targeting, then organizations, with the help of a skilled ransomware negotiator, can leverage hacker psychology just the same. 

Hackers Are Sophisticated: Why Preparation Beats Panic

Major ransomware gangs like LockBit, BlackCat, and RansomHub run like highly organized SaaS vendors. With affiliates, customer "support," dashboards, and all the sophisticated processes that make a business a business, these gangs are able to effectively target hundreds of organizations. At the time of its takedown in 2024, LockBit had targeted more than 2,000 companies worldwide and had received over $120 million in ransom.


This sophistication makes these gangs dangerous but not invincible. Organizations that match a ransomware gang's preparation with their own can use that to reduce demands or even call the gang out on bluffs.

Organizations should proactively establish relationships with third-party ransomware negotiators and tabletop test these scenarios regularly, before a breach occurs. Practically speaking, all organizations should develop a ransomware playbook covering exactly how to respond to a ransomware attack and extortion. This playbook should include contacts for legal help, communications experts, and a negotiation expert on call. It should also outline who in the company will do what, what will be said, and how it will be said. 

Hackers Are Opportunistic: Deny Them Easy Access

The more information hackers have, the easier it is to extort a company. For this reason, they will hunt for highly sensitive information before attacking. By knowing exactly how much money an organization is working with and whether it has cyber insurance, the hackers will tailor demands in the way most likely to result in payment.


To deny them these opportunities, organizations must first keep these sensitive documents hidden. According to Verizon's 2025 "Data Breach Investigations Report," 88% of breaches involved the use of stolen credentials and 54% of ransomware victims had domains exposed in stealer log marketplaces. By keeping credentials and domains locked down, organizations immediately reduce their risk of this information being accessed. 

However, in the case that these documents are leaked and hackers become aware of financial details, it's important to remain calm and collected. One key tactic is the LAP test, in which all counteroffers should be logical, acceptable, and plausible. For instance, if the attacker demands $10 million, a counteroffer of $300,000 with an explanation tied to liquidity or board restrictions might qualify.

There is no taking back that these hackers now have this information. Instead, victim organizations must always keep details close to their chest and limit the possible escalation of threats. They should maintain vague language to preserve the bargaining range, and they should never concede that they can "pay because of insurance." 


Hackers Are Impatient: Time Is the Secret Weapon

Organizations dealing with ransomware extortion are under strict deadlines, but so are the hackers behind these attacks. Not only do hackers want to move on to the next target as soon as possible, but they are also dealing with the risk of law enforcement, safe-house security, and server time. 

By deliberately slowing down the negotiation process, organizations can make hackers antsy enough to drop their price significantly. Companies under attack can slow this timeline by asking for proof-of-life data or proof that the decryptor works. They can also delay responding. In a ransomware playbook, internal rules on communication timing should be strictly outlined. For example, no price talk before day two. The ransomware negotiator that an organization employs should also be well aware of different gangs' histories regarding how soon demands have been discounted in previous attacks. 

Preparation Over Knowledge

Knowing these three traits about hackers is a major advantage for ransomware negotiations. However, knowing is not the same as preparing. Organizations of all sizes should prepare to the best of their ability. Ideally, they would do this with a ransomware negotiation playbook that is regularly updated, as well as frequent mock-negotiation practices for how to respond in the case of an attack. 

You can't negotiate with hackers from a place of fear — but you can turn their urgency against them with the right playbook, people, and preparation.
