Playbooks
T1486Ransomware Negotiation and Decision Framework
A structured decision framework for ransomware incidents — covering when to pay, how to negotiate, what legal and regulatory obligations apply, and the technical steps for recovery without paying.
View on Graph
What This Framework Covers
- This is not a general ransomware response playbook — see the ransomware response playbook for technical containment, eradication, and recovery
- This framework covers the decision layer that sits above technical response: who decides whether to pay, how to negotiate if payment is authorized, and what regulatory obligations apply either way
- The decision framework applies to organizations that have experienced ransomware with data encryption, data exfiltration (double extortion), or both (triple extortion with DDoS threat)
- MITRE ATT&CK maps ransomware impacts to
T1486(Data Encrypted for Impact)
The Core Decision Tree
Is critical data encrypted and unrecoverable from backup?
├── YES → CAN YOU RESTORE FROM BACKUP?
│ ├── YES → Restore from backup. Do not pay.
│ └── NO → Decision: is the data critical to operations/survival?
│ ├── YES → Consider negotiation path
│ └── NO → Rebuild from scratch. Do not pay.
└── NO → Was data exfiltrated before encryption?
├── YES → Decision: is the data sensitive enough to cause
│ regulatory/business harm if published?
│ ├── YES → Consider negotiation path
│ └── NO → Do not pay. Manage public disclosure.
└── NO → (Encryption only) Restore from backup. Do not pay.Decision Factors — When to Consider Paying
| Factor | Pay Is More Justified | Pay Is Less Justified |
|---|---|---|
| Backup viability | Backups encrypted/unavailable or weeks stale | Clean, verified, offline backups available |
| Data criticality | Patient data, PII of millions, trade secrets | Non-critical operational data, public information |
| Decryption viability | Known group with reliable decryptor (confirmed via third party) | Unknown group, first-time ransomware, no decryption track record |
| Exfiltration | Highly sensitive data exfiltrated (medical records, IP, classified) | Non-sensitive data, or data already public |
| Regulatory exposure | GDPR/HIPAA/PCI fines for data loss exceed ransom demand | Low regulatory exposure for data loss |
| Business survival | No recovery path without decryption — business will fail | Business can operate without the encrypted data |
The Negotiation Lifecycle
If the decision is made to negotiate, follow this structured process. Negotiation with ransomware groups is high-stakes and should involve professionals where possible.
Phase 1: Preparation (Before Contact)
- Identify the ransomware group — use threat intelligence tools, ransom note analysis, file extension patterns, and TTP matching to determine which group is responsible
- Research the group — collect their negotiation history, typical payment amounts, decryptor reliability, and past behavior when demands are not met
- Set a budget — determine the maximum amount the organization is willing to pay (this is your walk-away number)
- Establish legal and insurance contacts — confirm your cyber insurance policy covers ransom payments, and confirm legal counsel is comfortable with payment under applicable laws (OFAC sanctions, UK Bribery Act, EU sanctions)
- Assemble the negotiation team — designate a single negotiator, a technical advisor, and a legal observer. Do not change negotiators mid-stream.
Ransomware group lookup:
| Group | Typical Initial Demand | Decryptor Reliability | Negotiation Openness |
|---|---|---|---|
| LockBit | $500K–$5M | High (verified) | Moderate — negotiates down 20-50% |
| BlackCat/ALPHV | $1M–$10M | High (verified) | High — multiple reported successful negotiations |
| Clop/Cl0p | $2M–$50M | High (verified) | Low — fixed demands, less negotiation |
| Black Basta | $500K–$3M | High (verified) | Moderate |
| Play | $500K–$2M | Moderate | High |
| Akira | $200K–$1M | Moderate | High — known to negotiate significantly |
| Royal | $1M–$5M | Moderate | Low — aggressive tactics |
Phase 2: Initial Contact
- Use the communication channel specified in the ransom note — do not use alternative channels
- Establish a negotiation identity — use a generic email or Tox ID. Do not use personal/professional identifiable accounts
- Send initial communication — acknowledge receipt of the demand. Do not accept or reject yet
- Request proof of decryption — ask the attacker to decrypt a single test file to prove they have a working decryptor. This is a standard request and most groups comply quickly
- Request proof of data deletion — ask for proof that exfiltrated data has been deleted. Most groups cannot provide reliable proof, but the request establishes your position
Sample initial message:
We have received your demand. Before we can discuss payment, we need:
1. Decryption of [test_file_hash] as proof of decryption capability
2. Confirmation of which data was exfiltrated (file listing or sample)
3. Proof that exfiltrated data can be deleted upon payment
We will review your response with our decision team.Phase 3: Verification
- Verify the decryptor — decrypt the test file. If it succeeds, verify the decrypted content matches the original
- Document exfiltrated files — if the attacker provides a file listing, cross-reference against known sensitive data
- Assess decryptor reliability — test decryptor on a small set of non-critical files. Full encryption can take days for large systems
- Update the decision — based on what you learned in verification, confirm or update the original decision to negotiate
Phase 4: Negotiation
| Tactic | How It Works | Effectiveness |
|---|---|---|
| Provide budget justification | ”Our organization has $X available for incident response — that is our maximum for decryption” | Moderate — groups understand organizations have limits |
| Counter with 20-30% of initial demand | Groups expect this and typically counter with 40-60% of their original | Standard practice |
| Cite industry/financial hardship | ”We are a [small/municipal/healthcare] organization” | Groups vary — some target healthcare specifically |
| Request extended timeline | ”We need 5-7 business days to arrange payment” | Usually granted — gives time to verify backups or alternative recovery |
| Bundle services | ”We will pay $X, and we will not report this to authorities” | Groups value not being reported — use this cautiously |
| Walk away | ”We cannot pay. We will manage without the data” | Only if you have verified backups or can operate without the data |
Negotiation timeline expectations:
Day 1: Initial demand received
Day 1-2: Preparation and initial contact
Day 2-3: Verification (test decryptor, exfiltrated file listing)
Day 3-7: Negotiation (2-4 rounds of counter-offers)
Day 7-14: Payment or walk-away decisionPhase 5: Payment Decision
- Final decision — confirm with legal, insurance, and executive team
- If paying: use cryptocurrency per the attacker’s instructions. Use a reputable OTC desk or cryptocurrency broker familiar with ransom payments. Retain all transaction records for insurance claims and legal documentation
- If not paying: proceed with Phase 6 (Recovery Without Payment)
- Document the payment decision — who was involved, what factors were considered, what the decision was. This is critical for post-incident legal and regulatory review
Phase 6: Recovery Without Payment
If the decision is not to pay, recovery relies on backup restoration, system rebuilding, or alternative decryption:
| Recovery Path | Timeline | Success Rate |
|---|---|---|
| Backup restoration | 1-7 days (varies by volume) | High (if verified offline backups exist) |
| System rebuild | 1-4 weeks | High (no data dependency) |
| Alternative decryptor | 1-8 weeks (if available) | Low (most decryptors are group-specific) |
| Data reconstruction | Varies (from logs, databases, manual entry) | Low to moderate |
| Data exfiltration management | Ongoing | N/A — manage disclosure obligations |
Legal and Regulatory Considerations
| Obligation | Applies When | Action Required |
|---|---|---|
| OFAC sanctions | Ransomware group is sanctioned (e.g., Evil Corp, LockBit) | Payment to sanctioned entities is illegal. Verify group against OFAC SDN list. |
| GDPR breach notification | EU/EEA data subjects affected | Notify supervisory authority within 72 hours |
| HIPAA breach notification | PHI was encrypted or exfiltrated | Notify HHS, affected individuals, and potentially media |
| SEC disclosure | Public company, material impact | 8-K filing within 4 business days of materiality determination |
| State data breach laws | Any US state with PII exfiltration | Notify state AG and affected individuals (timing varies by state) |
| Cyber insurance notification | Active cyber insurance policy | Notify insurer within policy-specified timeframe (some require notification within 24 hours) |
Key Principle — Decouple Legal from Technical Response
Legal counsel must be involved in the decision to pay, but they should not slow down the technical containment and recovery process. Establish communication channels between legal and IR teams at the beginning of the incident.
Post-Incident Review
| Review Topic | Questions to Answer |
|---|---|
| Decision quality | Was the pay/no-pay decision correct given the information available at the time? |
| Negotiation effectiveness | Did negotiation reduce the demanded amount? Was the decryptor reliable? |
| Backup viability | Were backups available and recoverable? Why or why not? |
| Detection gaps | How did the attacker gain access? Why was it not detected earlier? |
| Process improvement | What would we change in our ransomware playbook? |
Related
- Ransomware — detection and response for T1486 techniques
- Ransomware Fundamentals — covers the ransomware fundamentals concepts
- Ransomware Response — detection and response for T1486 techniques
- Data Exfiltration Detection — detection and response for T1048, T1052 techniques
- Zero Day & CVE Response — detection and response for T1588.006 techniques