Originally published: September 4, 2025 on Man In The Browser
Interviewer: Sean.
Interviewee: Valéry Rieß-Marchive, editor-in-chief at LeMagIT and ransomware researcher.
Understanding Ransomware Negotiations
What do ransomware negotiations typically involve?
Ransomware negotiations generally involve information about the victim of the attack, starting with its name. That's very sensitive for a victim that hasn't publicly disclosed the attack.
Even if there's no intention to pay, the fact that a conversation is taking place can be misinterpreted. Leaks during the process can undermine the goals of the negotiation.
Additionally, exchanged files — whether they're raw lists of stolen data or encrypted files being tested for decryption — can contain PII or IP, making them highly sensitive.
What are the key risks of leaked negotiations?
The first risk is obvious: an undisclosed cyberattack becomes public. If a ransom had been paid to suppress the news, that intent fails.
Worse, sensitive information shared during negotiation might be exposed, wrecking any planned communication strategy.
How can leaked negotiations impact an organization?
In case of a cyberattack, resilience depends on two pillars: IT and communication.
As shown in a 2022 Bessé/G.P. Goldstein analysis, 'communication is essential to trust'. If communication appears inconsistent or unprofessional — especially in leaked chat logs — it damages trust.
Leaked conversations may also make the victim a target for additional threat actors looking to exploit perceived weakness. It has happened before.
Prevention Strategies
What steps can organizations take to ensure negotiation confidentiality?
First, minimize exposure to the ransom note — especially with employees and customers. But when it's printed or unavoidable, find a way to establish a secure channel to the threat actor.
Second, do not upload ransomware samples to public sandboxes or VirusTotal — at least not until incident response is complete.
And finally, if a payment is made, ask the threat actor to delete the chat, and verify that it's actually gone. Some groups like Akira are known to do this regularly.
What tools can help prevent leaks?
Many ransomware groups operate via web-based negotiation interfaces. If a chatroom seems compromised, they can open a new one. Details can be exchanged using ephemeral file sharing services or other discreet channels. Some threat actors also accept switching to email, Tox, or Session.
Organizational Best Practices
Should organizations have predefined negotiation protocols?
Absolutely. Just as you'd prepare an incident response plan, you should plan communication protocols for ransomware events. Consider scenarios based on how the ransom note appears, and build processes to keep those conversations confidential.
But remember: the threat actor is not trustworthy. Some, like LockBit 3.0 and DragonForce, routinely publish failed negotiations. And you have no guarantee those chat logs weren’t tampered with.
Legal and Ethical Considerations
How should organizations handle third-party involvement?
That’s a near no-brainer. Incident response firms are usually highly trustworthy. They’re contractually and operationally focused on confidentiality. They also typically restrict access to conversations — even internal technical teams don’t see them.
What are common mistakes in negotiations?
One big mistake: refusing to engage at all. If no one logs in to the attacker’s chatroom, anyone with access to the ransomware sample or note might do it and extract info.
Even if you won’t pay, it’s smart to at least engage, ask for a new chatroom, and get the old one deleted. This risk varies. Some ransomware builds the ransom note using runtime arguments, making it harder for third parties to re-enter negotiations from the sample.
Key Recommendations
What's your key recommendation for organizations facing ransomware negotiation?
Don't do it yourself. Ask law enforcement, your insurer, or a professional incident response firm who should negotiate on your behalf. Victims are rarely in the right headspace.
Ideally, you’ve already defined a strategy and goals before you’re in the middle of a crisis.
The complexities of ransomware negotiations extend far beyond simple payment discussions. Organizations must carefully balance transparency, security, and legal obligations while managing the significant risk of information leakage that could compound their crisis.
Understanding these dynamics is crucial for developing effective incident response strategies that protect both immediate interests and long-term organizational resilience.