- NordStellar finds many ransomware negotiations go unpaid, usually at steep discounts (median 57%, max 96.2%)
- Attackers used varied tactics: bundling “services,” offering fake security audits, proof of data, press threats, GDPR violations, and price manipulation
- Leaking stolen files remained the dominant pressure tactic (76.8%), but deadlines were often bluffs designed to push victims into paying
While threatening to leak stolen data is still the most effective negotiation strategy in ransomware attacks, it’s not the only one, as new research from NordStellar has found cybercriminals employ a whole range of tactics, from significant discounts, to providing “security audits and reports” to the victims.
The company recently analyzed 246 leaked conversations between ransomware groups and victim companies that took place between 2020 and 2026.
A quarter (25.6%) ended up paying, but the vast majority of those did not pay the asking price. The median discount in those payments was 57%, while the highest recorded discount was 96.2%.
Bundled services, upselling, and more
The report found crooks often start their negotiation with a sales tactic - respond quickly, and the price drops 25-67% immediately. Stall, and the price rises.
Then, they will split their “services”: decrypting the files being one and deleting the stolen documents the other. In around 16% of cases, the attackers offered victims “all services included” bundle packages, while in 21%, they tried to sell these services separately.
“Even though the promise of data deletion appears often, there’s no way for companies to actually verify deletion,” said Mantas Sabeckis, a senior threat intelligence researcher at Nord Security.
“I’d advise companies to tread carefully and take these statements with a huge grain of salt — ransomware actors are skilled manipulators.”
Funnily enough, in 7.3% of the conversations, the attackers offered their victims a “security audit/report”, as if they were cybersecurity professionals, not lowly criminals.
Threatening to leak the stolen files is by far the most common tactic, used in 76.8% of all analyzed conversations. Other common tactics include providing proof of data (55.3%), special price offers (45.5%) or threatening to go to the press (43.5%). NordStellar has also seen threats of GDPR compliance violations (17.9%) and threats of increasing prices (7.3%).
“It’s important to note that the attacker’s deadline is almost never real. They want the money — they won’t walk away on the first day,” Sabeckis concluded.
