
Strategies for ransomware negotiation

Is there a strategy for dealing with ransomware? Ransomware is a type of malware that blocks access to the victim’s system or data and demands a ransom to unlock or release it. Negotiations with cybercriminals over such attacks can be complex and risky.

Ransomware attacks are one of the biggest threats to companies worldwide: dealing with such crises correctly, especially negotiating with the attackers, can be crucial to minimizing the damage and regaining control. I am an atypical source of information here because I usually work as a lawyer for the attackers and therefore have completely different insights.

I would like to loosely explore the question of whether there can be fundamental strategic considerations on this topic. And indeed, based on current studies and practical experience, important insights can be gained and mistakes that can occur during negotiations can be avoided.

Ransomware: General considerations

Of course, there are some general strategies and considerations that I would like to start with:

  • Preparation and assessment: Before negotiations, it is important to accurately assess the situation. This includes understanding the nature of the attack, identifying the stolen or encrypted data and assessing the credibility of the attacker’s threats. Cybersecurity experts should be consulted to assess the technical side.
  • Communication strategies: Communication with the attacker should be documented and preferably take place via secure channels. It is important to remain objective during a ransomware negotiation and not disclose any information that could weaken the company’s position.
  • Negotiating the ransom: In some cases, it is possible to negotiate the amount of the ransom. However, it should be borne in mind that paying a ransom can encourage further attacks and does not always guarantee that the data will be released or decrypted.
  • Legal and regulatory considerations: The involvement of legal experts is crucial as the payment of ransom may be illegal or have regulatory implications in some jurisdictions.
  • Consider alternatives to payment: If a ransomware negotiation is pending, it should be checked whether backups are available that would allow the data to be restored without payment. In addition, security companies can sometimes help to break the encryption without the cooperation of the attackers.
  • Long-term measures: Regardless of the outcome of the ransomware negotiation, a plan should be developed to improve resilience against future attacks. This includes technical protection measures, employee training and the creation of emergency plans.

But it is clear that such strategies must be adapted to the specific circumstances of the individual case. So how can this be made more concrete, more tangible?

Ransomware negotiation: insights from almost 10 years of ransomware plague

Since 2017, ransomware has been a constant problem for the economy. Accordingly, there is now some experience, which is also shared in reports and studies. It can be said that good preparation, the involvement of experts and a clear communication strategy are key components for successful negotiation in the event of ransomware attacks.

By understanding these principles and applying them in a ransomware negotiation, organizations can better respond to this modern threat and protect their data and integrity. The following factors stand out as commonalities in the overall picture:

Basic strategies

  • Maintain empathy and dignity: Research shows that victims who emphasize empathy, dignity preservation and emotional reassurance can achieve better results in a ransomware negotiation. These approaches can help build a communicative bridge with the attackers, potentially leading to a reduction in the sums demanded.
  • Clear communication and documentation: All communication with the attackers should be carefully documented. This not only creates a clear basis for later legal disputes, but also helps to objectively analyze and understand the negotiation process.
  • Use of negotiation specialists: Specially trained cyber security experts or crisis negotiators can provide valuable support. These specialists know how to communicate with cyber criminals based on psychological and tactical negotiation principles.

Common errors

  • Rapid payments: One of the most common mistakes in a ransomware negotiation is to hastily agree to pay the ransom without considering alternative solutions, such as restoring the data from backups.
  • Lack of preparation: Companies that don’t have clear policies and plans in place in the event of a ransomware attack tend to make poorer decisions under pressure.
  • Insufficient security measures: After an attack, it is not uncommon to find that basic security measures have not been implemented or kept up to date.

Strategic planning of negotiations

  • Analyzing the attackers: An in-depth understanding of the attackers, their motives and methods can be crucial. It often turns out that certain ransomware groups are prepared to negotiate the ransom.
  • Determining willingness to pay: A realistic assessment of your own willingness to pay and the possible consequences of non-payment is essential. Ethical and legal aspects should also be taken into account.
  • Long-term measures: Even after a successful negotiation, companies should review and improve their security protocols to prevent future attacks.

The ransomware ecosystem

The threat of ransomware has increased in recent years and several well-known gangs have emerged that use different methods and tools for their attacks. These gangs use sophisticated tactics, techniques and procedures (TTPs) that require organizations to constantly monitor and adapt their security measures. Preparation through ongoing training, regular backups and the implementation of layered security solutions are critical to protecting against these threats.

The following is an overview of some of the best-known ransomware groups and their tools:


Conti

  • Tools and techniques: Conti often uses spear phishing and supply chain attacks for initial access. The ransomware itself is known for its fast encryption and uses multithreading to increase efficiency. Conti also operates a portal for post-attack negotiations.
  • Double extortion: They threaten to publish stolen data if the ransom is not paid.
  • Status: Cat-and-mouse at the moment

REvil (Sodinokibi)

  • Tools and techniques: REvil relies on attacks through exploits, such as vulnerabilities in remote desktop services or via compromised managed service providers (MSPs).
  • RaaS: REvil is also known for its ransomware-as-a-service model, which allows other cybercriminals to use the ransomware in exchange for a share of the profits.
  • Status: Investigators have had partial success


Ryuk

  • Tools and techniques: Ryuk often starts with an email phishing campaign or by using pre-existing backdoors left by other malware such as TrickBot or Emotet.
  • Target-oriented: Ryuk typically targets large organizations and has a preference for public institutions and hospitals.
  • Status: Sanctions are being tried


Maze

  • Tools and techniques: Maze uses complicated techniques such as exploiting known vulnerabilities and then escalating privileges within the network.
  • Data exfiltration: Maze was one of the first ransomware groups to begin the practice of exfiltrating data before encrypting it to put additional pressure on victims.
  • Status: Well over, decryption tool available


DarkSide

  • Tools and techniques: DarkSide is known for its “professional” approach to attacks, including providing a detailed payment website and customer support for victims.
  • Industry focus: DarkSide claims to take ethical considerations into account by excluding certain industries such as hospitals or non-profit organizations from their attacks.
  • Status: Well over (?)


Clop

  • Tools and techniques: Clop often relies on a combination of phishing campaigns, vulnerability exploits and credential stuffing to gain initial access. Once inside the network, they work to disable security measures such as antivirus programs and gain administrative privileges.
  • Focus on software vulnerabilities: Clop specializes in infiltrating entire networks by exploiting vulnerabilities in third-party software that is widely used within corporate networks.
  • Data exfiltration before encryption: Similar to Maze and other ransomware groups, Clop has adopted the tactic of exfiltrating data before encrypting it. This allows them to threaten to release the data if the ransom is not paid.
  • RaaS (Ransomware-as-a-Service): Clop also operates a RaaS model that allows affiliate partners to use the ransomware in return for a commission. This significantly increases the reach of their attacks.
  • Industry focus: Clop particularly targets companies in the financial sector, educational institutions and the technology industry.

Common tools in ransomware campaigns

  • Phishing tools: For initial infiltration via email campaigns.
  • Exploit kits: For exploiting known security vulnerabilities in software.
  • Lateral Movement Tools: Tools such as PowerShell, Mimikatz, and Cobalt Strike are used to move further within a compromised network and gain higher privileges.
  • Data exfiltration tools: Tools such as Rclone or MegaSync for exfiltrating sensitive data.

Anatomy of a negotiation strategy

Communication during ransomware attacks

Companies regularly face the challenge of negotiating with cybercriminals who have encrypted their data. An effective negotiation strategy can be crucial to minimize the damage and maintain control. In the following, I will try to show suitable strategies for companies based on game-theoretical analyses and documentation of negotiation dynamics and real-life case studies.

Understanding the negotiation dynamics, initial situation: Ransomware attacks, including ransomware negotiation, can be modeled as an asymmetric non-cooperative two-player game in which incomplete information and strategic decisions play a central role. Attackers need to invest in their attacks and try to set the highest possible ransom amount they think is feasible. This requires a real understanding of the value of the data to the victim as well as the security posture of the attacked organization. I think game theory provides a scientific foundation from which concrete conclusions can be drawn.

In this respect, game theory provides a comprehensive framework for the analysis of ransomware negotiations by modeling the interactions between cybercriminals and affected organizations as a strategic game in which both sides make their decisions based on the expected actions of the other side.

Importance of communication

The importance of communication, and in particular crisis communication in the event of security incidents such as ransomware attacks, cannot be overstated. In such crisis situations, the way in which a company communicates will often determine how quickly and effectively the incident can be dealt with and what long-term damage the company suffers – both financially and in terms of reputation.

A key aspect of crisis communication concerns talks and negotiations with the attackers themselves. Here, the company is faced with an extremely delicate situation: on the one hand, a negotiation could lead to encrypted data being returned; on the other hand, there is always the risk that payments will further encourage the attackers and possibly lead to renewed attacks. In these negotiations, it is crucial that communication is clear and strategic. Specialist negotiators or even external consultancies are often brought in to ensure that communication is professional and controlled. These experts have experience in dealing with criminals and can help minimize risk and maximize the likelihood of a successful outcome.

At the same time, the company must communicate openly and transparently with the affected customers. A ransomware attack that affects sensitive customer data can severely shake customer trust. It is therefore essential that communication with customers is honest, timely and comprehensive. Customers need to be informed about what has happened, what data has been affected, what steps the company is taking to manage the incident and prevent future attacks, and what measures customers should take to protect themselves. It is important that the company is able to communicate a consistent message. Communication should aim to restore trust and at the same time show that the company is taking the situation seriously and has it under control. This requires not only technical and organizational measures, but also a high degree of empathy and tact. In such moments, customers expect their concerns to be taken seriously and that they receive clear and understandable information.

Another aspect of crisis communication is internal communication. Employees need to know exactly how to behave so as not to exacerbate the situation. Clear instructions and regular updates are essential here. Transparency also plays a major role here in order to avoid uncertainty and rumors.

Game theory concepts and the resulting strategic behaviors in ransomware negotiations

Prisoner’s dilemma

This model illustrates the dilemma in which victims find themselves. The decision to pay the ransom is not only based on the direct costs of non-payment (such as data loss or business interruption), but also on the uncertainty regarding the reliability of the attackers. If both parties, i.e. different victims of the same attack, were to cooperate (by not paying), they could achieve better overall results, but the fear of the worst possible scenario often leads individual victims to give in.

Signaling and screening

Given asymmetric information, where the attackers know more about their intentions and capabilities than the victims, signals from the attackers (such as the partial release of data) can serve to increase their credibility. Conversely, victims can use screening procedures to assess the seriousness and reliability of the attackers. This dynamic influences how negotiations are conducted and whether payments are made.

Strategic negotiation

This is where strategic games can help to develop optimal behaviors. Victims could, for example, pursue a mixed strategy that includes both payments under certain conditions and the continuation of technical defensive measures in order to increase the costs for the attackers and improve the chances of reaching a solution without full payment.

Maximization of competitive pressure among attackers

When we talk about “competitive pressure” in ransomware scenarios, we are not necessarily referring to direct competition between multiple attackers for the same victim; this is not a realistic scenario. Rather, it refers to ideas such as exerting indirect pressure on attackers by joining collective negotiation pools or using cyber insurance. These groups can pool their resources to achieve a better negotiating position with attackers or develop more effective recovery strategies without payment.

Assessment of the credibility of attackers

Game theory models can help to analyze the trustworthiness of the other party and estimate the extent to which a payment will actually lead to the recovery of the data.

For example, cybercriminals are often keen to build up a “trustworthy” reputation to ensure that their future victims know that they will actually decrypt the data after payment. Victims can exploit this by using targeted information or showing that certain attackers have failed to deliver on their promises in the past. This undermines the credibility of the attackers and can lead them to reduce their demands in order to protect their reputation.

Development of robust negotiation guidelines

Strategic analysis can lead to the development of policies and protocols that not only maximize the likelihood of successful decryption, but also reduce the overall cost of the incident.

Victims could also strategically disclose or withhold information about their willingness to pay and their previous interactions with attackers. For example, disclosing information that an organization is unwilling to pay and has instead invested in robust security measures could deter other potential attackers and increase the pressure on the current attacker to find a solution.

Nash equilibrium in ransomware negotiations

The Nash equilibrium, a fundamental concept of game theory, has a special application in ransomware negotiations by shedding light on the interaction patterns between attackers and victims.

The Nash equilibrium exists when neither party can gain an advantage from unilaterally deviating from their chosen strategy, even if the decisions of the other party are known. It illustrates the frequently prevailing situation of mutual distrust, in which neither side has an incentive to deviate from its current course. However, through targeted measures such as signaling and screening, as well as the use of mixed strategies, this balance can potentially be shifted towards more cooperative and mutually beneficial outcomes.

In ransomware scenarios, this equilibrium often manifests itself in a state where neither the attacker nor the victim can derive any additional benefit from deviating from the tactic once chosen – whether by paying the ransom or by refusing to do so.

This is clearly illustrated by the prisoner’s dilemma, a classic situation in game theory. If a victim decides to pay the ransom and the attacker then decrypts the data, this may appear to be cooperative behavior at first glance. In fact, however, the Nash equilibrium in such scenarios often lies with the non-cooperative solution, as the incentive structures encourage both parties to exploit the other – the victim by refusing to pay and the attacker by breaking the promise after receiving the ransom.

Another important aspect of ransomware negotiations is the interplay between signaling and screening. Attackers often try to increase their credibility by releasing part of the data, which can be understood as signaling. Victims, in turn, use screening methods to better assess the intentions and trustworthiness of the attackers. The Nash equilibrium in such scenarios depends heavily on how effective these signals and screening mechanisms are. If the signals are credible and the screening is efficient, the balance can shift towards a more cooperative interaction.

In more complex ransomware cases, mixed strategies can also be used that include both negotiations and technical countermeasures. These strategies increase the costs for the attackers and improve the chances of successful decryption without full ransom payment. The Nash equilibrium in mixed strategies implies that each party strikes a balance between cooperative and non-cooperative tactics that does not allow for further one-sided advantage through deviation.
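The equilibrium reasoning above can be checked on a small payoff model. The following is an added example, not part of the original article: it enumerates the pure-strategy Nash equilibria of a 2x2 game (victim: pay or refuse; attacker: honor or renege) for three cases, a one-shot attacker, an attacker who loses future income by not delivering, and a victim with usable backups. All payoff values, parameter names and scenario labels are constructed assumptions.

```python
from itertools import product

VICTIM = ("pay", "refuse")
ATTACKER = ("honor", "renege")  # honor = decrypt if paid; renege = never decrypt


def payoffs(v, a, *, value, ransom, decrypt_cost, reputation, backup):
    """Return (victim_payoff, attacker_payoff) for one strategy pair.

    All parameters are constructed model inputs in arbitrary units:
      value        worth of the encrypted data to the victim (assumed >= backup)
      ransom       amount demanded
      decrypt_cost attacker's cost of delivering a working decryptor
      reputation   future income the attacker loses by taking money and not delivering
      backup       value the victim recovers without the attacker (0 = no backups)
    """
    if v == "refuse":
        # No payment: victim falls back on backups, attacker earns nothing.
        return backup, 0
    if a == "honor":
        return value - ransom, ransom - decrypt_cost
    # Paid but not decrypted: victim is left with backups minus the ransom.
    return backup - ransom, ransom - reputation


def pure_nash(**params):
    """Enumerate strategy pairs where neither side gains by deviating alone."""
    equilibria = []
    for v, a in product(VICTIM, ATTACKER):
        u_v, u_a = payoffs(v, a, **params)
        victim_ok = all(payoffs(alt, a, **params)[0] <= u_v for alt in VICTIM)
        attacker_ok = all(payoffs(v, alt, **params)[1] <= u_a for alt in ATTACKER)
        if victim_ok and attacker_ok:
            equilibria.append((v, a))
    return equilibria


# Constructed sample values shared by all scenarios.
BASE = dict(value=100, ransom=40, decrypt_cost=1)

SCENARIOS = {
    # Attacker has nothing to lose by reneging: only the non-cooperative outcome is stable.
    "one-shot attacker, no backups": dict(BASE, reputation=0, backup=0),
    # Reneging costs more than decrypting: (pay, honor) becomes a second equilibrium.
    "reputation-sensitive attacker, no backups": dict(BASE, reputation=10, backup=0),
    # Backups recover more than value - ransom: paying is never part of an equilibrium.
    "reputation-sensitive attacker, good backups": dict(BASE, reputation=10, backup=70),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        print(f"{name}: {pure_nash(**params)}")
```

In this model the cooperative outcome only appears once the attacker's reputational loss exceeds the cost of decrypting, and it disappears again as soon as backups are worth more to the victim than the data minus the ransom.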

Ransomware negotiation: optimal strategies and common mistakes

I do not believe that there is “the” optimal strategy. What is crucial, however, is a well-thought-out negotiation strategy that is based on a thorough understanding of the underlying dynamics and takes into account both game theory and practical aspects. In any case, companies should take a proactive approach by implementing security measures, reviewing them regularly and training their employees accordingly in order to arm themselves against the ever-changing threats posed by ransomware.

Analysis of attacker investments

It is important to realize that attackers invest in the reliability of their ransomware and in estimating the value of your data. High reliability means that you are more likely to get your data back after paying the ransom.

Strategic counter-offers

The decision on the counter-offer should be made strategically. The optimal amount of the counteroffer depends on the aggressiveness of the attacker. If the attacker’s demand is known, the counteroffer can be adjusted so that it is maximized without provoking an aggressive response.

Avoidance of overpayment

A common mistake is the willingness to pay quickly without assessing the appropriateness of the amount demanded. Game theory models in initial studies show that an excessively high counteroffer not only causes unnecessary costs, but also strengthens the credibility of the attacker to make high demands in the future.

Ransomware negotiation: Lawyer Ferner on the ransomware negotiation

There may not be one single rule of conduct in a ransomware negotiation – but there are at least a few good guidelines!

Strategic planning of negotiations

The use of negotiation specialists is certainly a good choice, which is also confirmed in field reports: Professional negotiators who have experience in dealing with ransomware cases can offer valuable insights into the reliability of specific ransomware strains and often already have an idea of the aggressiveness of the attacker.

Another tactic is to exploit information asymmetry, because although the attacker may know more about the value of your data, you can close and even exploit this information gap by involving experts and specialized negotiation services.

And of course, it must also be emphasized at the end that long-term security investments are necessary. The long-term investment in security technologies and protocols can not only help prevent future attacks, but also strengthen the negotiating position against attackers by reducing the likelihood of a successful attack.

German Lawyer at Law Firm Ferner Alsdorf
I am a specialist lawyer for criminal law + specialist lawyer for IT law and dedicate myself professionally entirely to criminal defence and IT law, especially software law. Before becoming a lawyer, I was a software developer. I am an author in a renowned commentary on the German Code of Criminal Procedure (StPO) as well as in professional journals.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)