Negotiating with Criminals: Lessons from the Ransomware Frontline
When ransomware hits, panic spreads fast. Systems shut down, data is encrypted, and an anonymous message appears demanding payment in cryptocurrency. For many victims, that moment is both shocking and surreal. Somewhere on the other side of the world, a criminal group now controls access to their business.
For Andrius Liepinaitis, Senior Incident Response Manager at Kudelski Security, this situation is familiar territory. In his recent conversation with Valery Rieß-Marchive, Editor-in-Chief at LeMagIT, Andrius described what really happens when organizations face the hardest decision in cybersecurity: whether or not to negotiate with cybercriminals.
“Our goal is always to help clients restore safely and quickly,” Andrius said. “But when backups are gone, and data is critical, we may have to speak with the attackers.”
What follows is a look behind the scenes of ransomware negotiations and the lessons learned from real-world incidents.
The Human Side of a Cybercrime
Ransomware is not just a technical issue; it is a human confrontation. Victims are often under immense pressure, with operations frozen, employees unable to work, and customers demanding answers. The stakes can be existential.
“The difference between success and failure often comes down to leadership,” Andrius explained. “You need someone calm who can make clear decisions and avoid the blame game.”
That sense of composure is vital because negotiations can take unexpected turns. Attackers are not faceless bots. They are humans, sometimes disciplined and organized, sometimes erratic or even remorseful.
When Criminals Show “Ethics”
In one case Andrius recalled, a client received an unexpected email during an active negotiation. It came from a ProtonMail address claiming to have the stolen data and offering to sell it back for a smaller ransom. The Kudelski Security team challenged the sender to prove ownership. To their surprise, the attacker replied with genuine samples of the client’s stolen data.
When Kudelski Security confronted the original ransomware group, they admitted that a rogue affiliate within their network had tried to bypass them. “They conducted their own internal investigation,” Andrius said. “They apologized and even offered the decryption tool for free. It showed they cared about their ‘brand reputation.’”
That sounds absurd, but it reveals an uncomfortable truth: the ransomware ecosystem is an industry in itself, complete with internal hierarchies, reputations, and codes of conduct.
Modern reports describe many ransomware operations as structured, profit-oriented enterprises rather than lone hackers working in basements. In 2025, for example, analysts characterised several gangs as “multi-million-pound operations,” showing that this is organized crime at industrial scale.
Why Negotiations Are Risky
For organizations without experience, engaging with threat actors directly can be dangerous. Every message, every word can influence the outcome. Mistakes can escalate the situation or lead to higher ransom demands.
Andrius warned that victims sometimes make things worse by trying to handle negotiations themselves. “Victims upload ransom notes to VirusTotal or public forums, not realizing that it makes the chat link visible to others,” he said. “Researchers or even trolls can join the conversation and provoke the threat actors. That can ruin the negotiation entirely.”
The U.S. Treasury Department also reminds companies that paying ransoms to sanctioned entities can breach financial regulations. Without expert guidance, an organization could inadvertently violate sanctions or anti-money-laundering laws.
That is why Kudelski Security treats negotiation as part of a broader incident response strategy. The goal is not simply to talk to criminals but to control the situation, minimize risk, gather intelligence, and protect evidence for potential law enforcement engagement.
Understanding the Attacker’s Playbook
Ransomware groups are not all alike. Some, such as LockBit or ALPHV (BlackCat), operate sophisticated affiliate programs, recruiting partners to breach networks and share profits. Others are smaller operations with limited skills and inconsistent communication.
This inconsistency means every negotiation is different. Andrius described cases where organized groups maintained professional communication and adhered to agreed timelines, while others disappeared for days. “We once had a group go silent for nearly a week,” he said. “When they came back, they apologized and said they were ‘on vacation.’ It sounds ridiculous, but it happens.”
Understanding the behavior, language, and motives of specific threat groups helps negotiators anticipate their tactics and choose the right communication approach. It also allows IR teams to verify whether an attacker actually possesses the data they claim to have, which Andrius’s team always tests before considering any payment discussion.
Should Companies Ever Pay?
The question of whether to pay a ransom remains one of the most controversial in cybersecurity. Governments and law enforcement agencies consistently advise against it. The U.S. Cybersecurity and Infrastructure Security Agency and the UK’s National Cyber Security Centre both discourage payment, arguing it fuels the criminal economy and offers no guarantee of recovery.
However, in practice, some victims have no viable alternative. When all backups are destroyed, operations are halted, and sensitive data is at risk of public release, business leaders face an agonizing decision.
Kudelski Security’s role is to provide clarity, not judgment. “We work with the client to understand the risks, the options, and the implications,” Andrius said. “Sometimes that includes negotiation; sometimes it means focusing entirely on restoration.”
According to SC Magazine UK’s Insight, the share of victims paying ransoms has fallen as more organisations harden backup strategies and engage professional incident response teams. The report adds that earlier containment and expert guidance help cut downtime and reduce overall costs, reinforcing the value of preparation and expert support.
Lessons for Business Leaders
From Andrius’s experience, a few lessons stand out for executives and security leaders preparing for this type of crisis:
- Do not negotiate alone. Always involve professional incident responders with experience in ransomware communications.
- Avoid public disclosure of ransom materials. Never upload ransom notes or negotiation chat links to public sites.
- Verify before you trust. Threat actors sometimes bluff. Always demand proof of data possession before engaging.
- Understand the legal landscape. Payments may breach sanctions or data-protection laws in certain jurisdictions.
- Prepare before you are attacked. Establish an incident response retainer, ensure offline backups, and rehearse crisis procedures.
These steps cannot guarantee immunity, but they can drastically reduce risk, cost, and downtime when the unthinkable happens.
From Crisis to Control
Negotiating with cybercriminals is never a sign of weakness. It is a tactical decision made under extraordinary pressure. The right strategy can buy time, protect critical assets, and prevent further harm.
As Andrius explained in the webinar, the best outcomes occur when everyone stays calm and focused. “We handle these cases every day,” he said. “The key is to keep a clear head, manage the process carefully, and always think three steps ahead.”
Ransomware may continue to evolve, but so do defenders. With preparation, expertise, and the right partners, organizations can transform chaos into control.
Get Expert Help When It Matters Most
If your organization faces a ransomware incident, every minute matters. Work with specialists who have managed negotiations, restored data, and guided hundreds of businesses through complex recovery.
Learn how Kudelski Security’s Incident Response and Digital Forensics team helps clients assess risk, manage negotiations, and recover securely.