Ransom negotiation has matured into a small but real profession. The firms that do it well (Coveware, GroupSense, Kivu and a handful of others) operate with a playbook honed across thousands of incidents. The firms that do it badly hand operators what they want and call it a strategy. Here is what the good negotiators actually do, drawn from public reporting and conversations with practitioners.
The decision before the conversation
The most important negotiation move is made before the first message: deciding whether to engage at all. Engagement signals to the operator that payment is on the table, which raises the demand. If the answer is “we will not pay under any circumstances,” the negotiator’s job is to communicate that early and confidently. If the answer is “we might pay if the deal is right,” the strategy is different.
The decision depends on facts the IT team usually doesn’t have: what data was actually exfiltrated (not what the operator claims), what the regulatory exposure looks like, whether the backups can be restored fast enough to keep the business operating, and what counsel says about sanctions exposure, since paying an OFAC-designated entity is itself a violation. Get those four answers before sending message one.
The opening
Professional negotiators open at low intensity, without signalling urgency, and give away as little as possible while learning as much as they can. The operator’s first demand is a starting bid; treat it as one. The conversation that follows is partly price discovery and partly reading the operator: how organised are they, what is their cadence, are they running a real business or panicking?
“Proof of life” (a small free decryption of representative files plus a sample of the exfiltrated data) is requested before any payment discussion. The victim, not the operator, should pick the files for decryption, spread across file types, sizes and shares, and the returned files should be checked against pre-incident copies where any exist; a sample of stolen data should likewise be checked against what the victim actually holds. Real operators provide proof. Operators who can’t either don’t have what they claim or have already lost their leverage.
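The two checks above (choosing the decryption sample yourself and validating what comes back) are mechanical enough to script. The following is an added example written for this article; it is not code from Coveware, GroupSense, Kivu or any other firm named here. It assumes the ransomware appends a fixed extension to encrypted files (the `.lockd` extension, the file paths and the magic-byte table are all constructed for illustration) and that pre-incident SHA-256 hashes are available for some files from backups or a file-integrity tool.

```python
"""Proof-of-life helpers: pick a representative decryption sample, then sanity-check what the operator returns."""
import hashlib
import math
from collections import Counter, defaultdict
from pathlib import PurePath

# Minimal magic-byte table for file types we expect in the sample (constructed; extend for your estate).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

# Above this entropy (bits per byte) a file with no recognisable magic still looks like ciphertext.
CIPHERTEXT_ENTROPY = 7.2


def original_name(locked_path, ransom_ext):
    """Strip the ransomware's appended extension to recover the original file name."""
    name = PurePath(locked_path).name
    if not name.endswith(ransom_ext):
        raise ValueError(f"{locked_path} does not carry ransom extension {ransom_ext}")
    return name[: -len(ransom_ext)]


def size_bucket(size):
    """Coarse size classes so the sample is not all tiny files the decryptor handles trivially."""
    if size < 64 * 1024:
        return "small"
    if size < 8 * 1024 * 1024:
        return "medium"
    return "large"


def choose_samples(locked_files, ransom_ext, per_group=1):
    """locked_files: iterable of (path, size_bytes) for encrypted files.
    Returns one (or per_group) path for every (original extension, size bucket) combination,
    so the sample covers the file types and sizes the business actually needs back."""
    groups = defaultdict(list)
    for path, size in locked_files:
        ext = PurePath(original_name(path, ransom_ext)).suffix.lower()
        groups[(ext, size_bucket(size))].append(path)
    chosen = []
    for key in sorted(groups):
        chosen.extend(sorted(groups[key])[:per_group])
    return chosen


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_sample(name, data, reference_sha256=None):
    """Check a file the operator returned 'decrypted'. Returns (ok, list_of_reasons).
    reference_sha256 is the pre-incident hash from backups if one is available."""
    reasons = []
    ext = PurePath(name).suffix.lower()
    if not data:
        reasons.append("empty file")
    sigs = MAGIC.get(ext)
    if sigs:
        if not any(data.startswith(s) for s in sigs):
            reasons.append(f"magic bytes do not match {ext}")
    elif shannon_entropy(data) > CIPHERTEXT_ENTROPY:
        reasons.append("high entropy: still looks like ciphertext")
    if reference_sha256 is not None and hashlib.sha256(data).hexdigest() != reference_sha256:
        reasons.append("sha256 differs from pre-incident copy")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inventory of encrypted files: (path, size in bytes).
    inventory = [
        ("/shares/finance/q3.pdf.lockd", 120_000),
        ("/shares/finance/memo.txt.lockd", 2_000),
        ("/shares/hr/photo.jpg.lockd", 3_000_000),
        ("/shares/hr/old.txt.lockd", 1_000),
    ]
    print("send for decryption:", choose_samples(inventory, ".lockd"))
    # Constructed 'returned' content: a real-looking PDF header versus bytes that are still ciphertext-like.
    print(verify_sample("q3.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"))
    print(verify_sample("memo.txt", bytes(range(256)) * 16))
```

The sample selection matters more than it looks: an operator who picks the files will pick small, simple ones, and a decryptor that handles those can still corrupt large files or specific formats. The hash comparison is the only check that proves a file was restored byte-for-byte; the magic-byte and entropy checks are fallbacks for files with no pre-incident copy.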
What experienced negotiators bring down
The headline metric is the discount. Coveware’s quarterly reports for years have shown that retained negotiators bring the final payment to roughly 30-50% of the initial demand on average. That’s a real economic outcome, but it’s not the only one. They also bring down secondary demands, structure the payment timing to match the victim’s cash position, and document the conversation for the inevitable insurance and regulatory follow-ups.
Equally important: experienced negotiators avoid the catastrophic mistakes amateurs make. Naming the company in early messages. Acknowledging specific stolen data the operator hadn’t yet leveraged. Paying a sanctioned entity, or routing payment through one, without the sanctions check having been done. Each of these can turn a manageable incident into a regulatory crisis.
The post-payment phase
If payment happens, the negotiation isn’t over. The operator promises deletion of the exfiltrated data; the operator does not always follow through. The negotiator’s role through this phase includes obtaining a written deletion attestation (which is documentation for insurers and regulators, not evidence that deletion happened), monitoring the operator’s leak site for republication, and verifying, to the extent possible, that no second extortion is being prepared with the same data.
About 5-10% of paid incidents in 2025 ended with the operator publishing or selling the data anyway. The rate varies by operator. Some (Cl0p, and historically BlackBasta) have a reputation for honouring deletion. Some don’t.
The ethical line
Paying funds organised crime. Some of the operators are sanctioned. Some of the funds reach state-aligned actors. None of those facts disappear because the payment was a business decision. Mature organisations make peace with this by being honest about it, not pretending payment is morally neutral, while accepting it as occasionally necessary.
The negotiation is a tool. Like all tools it can be used well or badly. Used well, it gets the organisation through the worst week of its operational year with the least possible damage. Used badly, it makes everything worse. The difference is preparation and competence.
