- NordStellar finds that many ransomware negotiations go unpaid, usually with high discounts (median 57%, max 96.2%)
- Attackers used various tactics: bundling of “services”, offering fake security audits, proof of data, press threats, GDPR violations and price manipulation
- Leaking stolen files remained the dominant extortion tactic (76.8%), but deadlines were often bluffs designed to pressure victims into paying
While threats to leak stolen data remain the most effective bargaining strategy in ransomware attacks, it’s not the only one, as new research from NordStellar has found that cybercriminals employ a wide range of tactics, from significant discounts to providing “security audits and reports” to victims.
The company recently analyzed 246 leaked conversations between ransomware groups and victim companies that took place between 2020 and 2026.
A quarter (25.6%) ended up paying, but the vast majority of them did not pay the tender price. The median discount in these payments was 57%, while the highest recorded discount was 96.2%.
Total services, upselling and more
The report found that crooks often start their negotiation with a sales tactic – respond quickly and the price will immediately drop 25-67%. Stalls and the price goes up.
Then they will divide their “services”: decrypt the files as one and delete the stolen documents as the other. In about 16% of cases, the attackers offered victims “all services included” bundle packages, while in 21% they tried to sell these services separately.
“Although the promise of data deletion appears frequently, there is no way for companies to actually verify deletion,” said Mantas Sabeckis, senior threat intelligence researcher at Nord Security.
“I would advise companies to tread carefully and take these statements with a large grain of salt – ransomware actors are skilled manipulators.”
Funnily enough, in 7.3% of conversations, the attackers offered their victims a “security audit/report” as if they were cyber security professionals, not low-level criminals.
Threatening to leak the stolen files is by far the most common tactic used in 76.8% of all conversations analyzed. Other common tactics include proof of data (55.3%), special price offers (45.5%) or threats to go to the press (43.5%). NordStellar has also seen threats to breach GDPR compliance (17.9%) and threats to increase prices (7.3%).
“It’s important to note that the attacker’s deadline is almost never real. They want the money – they don’t want to walk away on the first day,” Sabeckis concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
