Attackers Have Negotiation Playbooks. Why Don’t Defenders?
Before the ransom demand lands, the attacker has read your cyber insurance policy and used it to calibrate the number you'll see in the note. They've pulled your annual revenue from a sales intelligence database to establish their ceiling. They're working from a negotiation script they've run before, possibly with legal counsel available on demand. By the time you open the negotiation chat window, you've been forced into the precise position your counterpart wants you in.
In August 2021, Cisco Talos translated a leaked training manual from the Conti ransomware group and published it in full. The document, sourced from a disgruntled affiliate who posted internal materials to a Russian hacking forum, was a detailed operations guide. Among its instructions: before the encryption payload deploys, exfiltrate data and search it for specific keywords — "cyber," "policy," "insurance," "endorsement," "supplementary," "underwriting," "terms," "bank," and "statements." Find the victim's cyber insurance policy and financial documentation. Use them to set the initial ransom demand.
Analysis of the leaked chat transcripts confirmed a second layer beyond the training materials: standardized negotiation text appearing across multiple victim conversations with only minor variations — a security vendor name swapped here, a date adjusted there. Conti's affiliates arrived at the negotiation with a pricing model built from the victim's own documents and scripts they'd run before.
The Attack Has Reached Smaller Targets
Conti is gone, but the model it perfected is not. RaaS kits are available by subscription starting at $40 per month. The affiliate model removes the upfront cost entirely: operators collect 20-40% of ransom proceeds, and affiliates keep the rest. Commodity tooling, initial-access markets and AI-assisted phishing have all contributed to lowering the skill threshold for targeting. Research tracking active ransomware groups documented 124 distinct groups in 2025 — a 46% increase year-over-year — alongside a 47% surge in attack volume.
This proliferation means the cost of running a campaign against a 200-person manufacturer, a regional law firm, or a mid-sized medical practice has dropped to the point where it delivers ROI. Ransomware's target set has always skewed opportunistic, but the economics now specifically support going smaller.
These targets are not carrying IR retainers. They’re not running tabletop exercises that include ransomware negotiation scenarios. When they get hit, the IT director or the outside MSP is looking at that chat window without a script. And typically, they’re also less resilient: fewer tested backups, less legal support, and less leverage once operations are disrupted.
Professional Negotiation Is a Different Conversation
In May 2020, the Netwalker ransomware group hit the University of California San Francisco and demanded $3 million. UCSF ultimately only paid $1.14 million. Bloomberg obtained the negotiation chat logs.
The negotiation, conducted with professional support, used a specific set of tools: documented financial hardship to constrain the perceived ceiling, mission framing around COVID-19 research to introduce a reputational cost for the attacker, persistent requests for proof of decryptor functionality to test the group's reliability and slow the process, and deliberate timeline management that added cost pressure to the attacker's side as the clock ran.
Each of those moves reflects knowledge of how ransomware groups respond to hardship claims, what kinds of mission arguments have landed before, how to use doubt about payment completion as leverage, and how the attacker's economics change the longer a negotiation runs without resolution.
But successful negotiation requires knowledge — something many of today’s ransomware victims don’t have.
Attackers’ Knowledge-Sharing Continues to Improve
Since the Conti leak established what affiliate negotiation support looked like in 2021, the infrastructure has developed further. The most documented recent example is Qilin.
In mid-2025, Qilin — now among the most active RaaS operations after the disruption or collapse of LockBit, ALPHV, and RansomHub — introduced a “Call Lawyer” feature in its affiliate panel, documented by researchers at S-RM and Cybereason. When an affiliate invokes it during ransom negotiations, the feature connects the affiliate with (alleged) legal counsel supplied by the operator. The lawyer provides a legal assessment of the exfiltrated data, an analysis of which laws and regulations the victim has violated, and an evaluation of the costs of non-payment. The purported legal counsel can also step in to conduct negotiations directly.
The translated Qilin forum post announcing the feature was reported by Security Affairs: “The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings.”
Qilin also provides what it describes as in-house journalists, available to help affiliates craft blog posts designed to pressure victims who are stalling, and automated negotiation tools built into the affiliate panel.
Knowledge Is Gated on the Defenders’ Side
Public ransomware resources have improved, especially around preparation, reporting, containment and recovery. What remains scarce is victim-facing guidance for the negotiation itself: what to say, what not to say, how to interpret attacker behavior, and how to adjust when the first counteroffer fails.
CISA and FBI guidance covers high-level principles: preserve evidence, report to law enforcement, be cautious about payment, explore alternatives. The advice is sound, but it doesn’t address what to say in the chat window when the attacker dismisses the first counteroffer and sets a 48-hour deadline before data publication begins.
Professional negotiators hold the tactical knowledge. They experience across dozens or hundreds of engagements, against specific groups with documented behavior patterns. Coveware's quarterly reports publish aggregate outcomes and market-level statistics, but the methodology that produces those outcomes is held under confidentiality agreements and priced into IR retainers that start well above what most SMB budgets can reach.
The Gap Is Structural
The asymmetry in ransomware negotiation knowledge is the predictable consequence of an incentive structure.
IR firms make money on engagements. The methodology is the product. Sharing it would erode the value of the service. Cyber insurance carriers have mixed and complicated incentives around negotiation guidance — advising policyholders how to negotiate better could reduce paid claims, but it could also constrain their ability to manage their own exposure on high-value policies. Law enforcement recommends against payment without funding the tactical infrastructure that would make that recommendation more actionable for organizations trying to minimize damage. No public agency is tasked with building and maintaining a victim-facing ransomware knowledge base.
Meanwhile, ransomware operators continue to invest in affiliate negotiation capability because it increases successful payment rates and, by extension, operator proceeds. Research and development flows toward the side with the financial return on it.
What Closing the Gap Could Look Like
One meaningful public-interest effort to address this problem is Ransomch.at, a project founded in May 2023 by Valéry Rieß-Marchive, editor-in-chief at LeMagIT, that archives anonymized real-world ransomware negotiation chats from more than 20 threat actor groups. The project was cited in Mikko Hypponen's keynote at RSA Conference 2024.
It’s the closest thing the defender side has to a negotiation knowledge base. It is not, however, a guide. It's an archive of raw negotiation transcripts — useful for a trained analyst with time to read through dozens of conversations and synthesize patterns, but not for an independent hospital IT director.
Most SMBs have probably never heard of it, which raises the question of whether promotion could at least partially close the gap. An ad campaign would get more people to the URL, but it wouldn’t make the resource usable by IT folks who aren’t trained analysts. The translation layer — what the archive reveals about what works, distilled into something actionable for a non-specialist mid-incident — still doesn't exist. Funding the promotion and funding the development are related but different problems.
Part of the challenge is that generic training can only prepare a team for the mechanics of an incident: who decides, who speaks, what gets logged, when counsel is involved and how payment decisions are escalated. It can’t teach how to negotiate under the specific conditions that determine leverage: which group is involved, whether backups are viable, what data was taken, how credible the attacker is, how much operational pressure the victim is under and what current intelligence suggests about the group’s behavior.
The right approach with Akira differs from the right approach with LockBit. What works when you have viable backups doesn't work when you don't. What works with a well-organized group that has reputational incentive to deliver a working decryptor doesn't work with a disorganized affiliate who may not have one.
And professional negotiators bring something no archive can replicate — real-time intelligence about how a specific group is behaving right now, whether they're under law enforcement pressure, how many victims they're actively working, whether they're discounting or holding firm. Historical transcripts don't carry that signal. Training on them builds general familiarity, but it can’t substitute for current intelligence at the moment it matters.
Cyber insurance carriers are an underexplored angle. They have the most direct financial interest in better-negotiated outcomes — a 40% reduction in a ransom payment is money they don't pay out — and they're in ongoing relationships with policyholders before attacks happen. A carrier-published negotiation primer would serve their own interests. Some carriers are beginning to communicate about negotiation intelligence. Whether that could extend to actionable pre-attack guidance for SMB policyholders is worth exploring.
The Ransomware Task Force addressed the ransomware ecosystem comprehensively in its 2021 report, but victim-facing negotiation knowledge wasn't the focus. A working group specifically on the knowledge gap for under-resourced organizations would at least name the problem formally, which would be a start.
IR firms hold aggregate data that doesn't need to stay entirely locked up. Patterns across hundreds of engagements — which arguments have historically moved which types of groups, what mistakes organizations most commonly make in the first 24 hours, etc. — don't provide a map of defender tactics or expose individual clients the way case-specific details would. Whether there's an incentive for anyone to publish that is a different question.
The attacker's side of this problem has been developing for years with clear financial motivation. The defender's side is waiting for someone to decide the problem is worth solving.
Sources
Cisco Talos. "Translated: Talos' insights from the recently leaked Conti ransomware playbook." Talos Intelligence Blog, [2021]. https://blog.talosintelligence.com/conti-leak-translation/
Black Kite. "The Conti Playbook Leak Explained." https://blackkite.com/reports/the-conti-playbook-leak-your-questions-answered
BleepingComputer / Lawrence Abrams. "Conti ransomware prioritizes revenue and cyberinsurance data theft." https://www.bleepingcomputer.com/news/security/conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft/
University of Pisa DIFR. "Analyzing ransomware negotiations with CONTI." https://difr.unipi.gr/docs/conti.pdf
[Bloomberg — UCSF negotiation chat logs. Confirm URL before publishing.]
Coveware. Quarterly Ransomware Reports. https://www.coveware.com/ransomware-quarterly-reports
S-RM. "Ransomware in focus: Meet Qilin." https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-qilin
Tripwire / Graham Cluley. "Qilin Offers 'Call a Lawyer' Button For Affiliates." https://www.tripwire.com/state-of-security/qilin-offers-call-lawyer-button-affiliates-attempting-extort-ransoms-victims
Security Affairs. "Qilin ransomware gang now offers a 'Call Lawyer' feature to pressure victims." https://securityaffairs.com/179205/breaking-news/qilin-ransomware-gang-now-offers-a-call-lawyer-feature.html
The Register. "Qilin's 'on-call lawyer' capability is fooling no one." https://www.theregister.com/2025/06/20/qilin_ransomware_top_dogs_treat/
Coalition Incident Response. "How Hackers Leverage Insurance Details in Ransomware Attacks." https://www.coalitioninc.com/blog/cyber-insurance/how-hackers-leverage-insurance-details-in-ransomware-attacks
Vectra. "How Ransomware as a Service Helps Attackers Scale." https://www.vectra.ai/topics/ransomware-as-a-service
Ransomch.at / Valéry Rieß-Marchive. https://ransomch.at / https://ransomch.at/about.html