A ransomware attack doesn’t always arrive with alarms going off.
Sometimes it looks like a normal Monday until files refuse to open. A production database stops answering. Someone finds the ransom note on a system nobody can afford to lose. Then there’s a payment demand, a countdown, and a room full of people realizing the problem has already moved beyond IT.
In sensitive industries, that shift happens fast. Work stops. Internal teams get buried. Customers start calling. By the end of the first day, suppliers, insurers, lawyers, and regulators may already be part of the conversation.
Industry trackers logged 2,283 ransomware incidents worldwide in the first quarter of 2026, just under the record set in late 2025. Not exactly comforting. These groups aren’t lone hackers guessing their way through an attack. They divide the work, follow playbooks, pressure victims, and in some cases operate with a discipline that feels uncomfortably corporate.
What leaked ransomware negotiations show
Once the ransom note appears, even basic decisions get harder. Shut systems down? Call counsel? Tell customers? Speak to the attackers? Wait?
“The first key step is not to panic: every minute of confusion is a minute of downtime. The clock starts now,” says NordStellar cybersecurity expert Vakaris Noreika.
NordStellar’s recent Ransomware Negotiation Report looks at 246 leaked negotiation transcripts from 2020 to 2026. The chats show how extortion groups push victims, where companies tend to lose control early, and what can still buy time after the attackers are already inside.
One thing often gets misunderstood: opening a negotiation channel isn’t the same as agreeing to pay.
Used carefully, that channel gives incident response teams room to breathe. They can check backups, trace the intrusion, test claims about stolen data, and see whether the criminals actually have what they say they have.

The first hour can make things worse
When a company hasn’t prepared for ransomware, the first instinct is usually blunt. Turn things off. Cut communications. Get control back.
It’s understandable. It can also make the investigation harder.
After a serious accident, you don’t move the evidence around before investigators arrive. Ransomware has the same problem. Act too quickly in the wrong direction and you may destroy the traces needed to understand what happened.
A few mistakes show up again and again.
Turning servers off too fast. Volatile memory may still hold temporary encryption keys, active processes, command-and-control addresses, or other evidence investigators need.
Going quiet for days. Attackers may assume backups are being restored or that the company plans to ignore them. That’s when they may leak data, threaten the company publicly, or start contacting customers directly.
Mentioning insurance or law enforcement too early. If the group learns there’s a cyber insurance policy, the demand can climb. If they think law enforcement is involved, they may shorten the deadline or publish data sooner.
In many cases, isolating affected systems at the network level is a better first move than simply powering them down. Stop the spread, but preserve the evidence. Give the specialists something to work with.
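As an added illustration of "isolate, don't power off" (this is example code, not anything from the report or from NordStellar), the script below builds an nftables ruleset for a suspected Linux host that drops every connection except SSH from a named forensic workstation and, optionally, traffic to a log collector, lists the volatile state worth collecting before the rules go in, and only applies the ruleset when explicitly told to. The forensic host address, the collector address and the `avml` memory-capture tool are assumptions for the example.

```python
"""Network-level isolation of a suspected ransomware host without powering it off.

Added example (not from the report or NordStellar). The host keeps running so
volatile memory survives; the ruleset is generated as text for review and is
only applied when dry_run=False. Addresses and tool names are assumptions.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class IsolationPlan:
    ir_host: str                          # forensic workstation that keeps SSH access (assumed)
    ssh_port: int = 22
    log_collector: Optional[str] = None   # SIEM/EDR collector to keep feeding (assumed, optional)
    log_prefix: str = "ISOLATION-DROP "   # prefix for kernel log lines of dropped traffic


def _ipv4(value: str) -> str:
    """Accept a single IPv4 address only; the rules below use 'ip saddr/daddr'."""
    return str(ipaddress.IPv4Address(value))  # raises ValueError on anything else


def volatile_triage_commands(memory_image: str = "/mnt/triage/memory.lime") -> list:
    """Commands to run BEFORE isolation: they read state that a reboot would destroy."""
    return [
        ["ss", "-tanp"],                            # live TCP sessions, including C2 peers
        ["ps", "-eo", "pid,ppid,user,lstart,cmd"],  # running processes with start times
        ["last", "-F"],                             # recent logins with full timestamps
        ["avml", memory_image],                     # full memory capture (assumes avml is installed)
    ]


def build_ruleset(plan: IsolationPlan) -> str:
    """Render an nftables ruleset: default drop both ways, log what is dropped."""
    ir = _ipv4(plan.ir_host)
    collector = _ipv4(plan.log_collector) if plan.log_collector else None
    lines = [
        "flush ruleset",
        "table inet isolation {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        f"    ip saddr {ir} tcp dport {plan.ssh_port} ct state new,established accept",
    ]
    if collector:
        lines.append(f"    ip saddr {collector} ct state established accept")
    lines += [
        f'    log prefix "{plan.log_prefix}in " drop',
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        f"    ip daddr {ir} tcp sport {plan.ssh_port} ct state established accept",
    ]
    if collector:
        lines.append(f"    ip daddr {collector} accept")
    lines += [f'    log prefix "{plan.log_prefix}out " drop', "  }", "}"]
    return "\n".join(lines) + "\n"


def apply_ruleset(ruleset: str, dry_run: bool = True) -> str:
    """Return the ruleset for review; run 'nft -f -' only when dry_run is False."""
    if not dry_run:
        subprocess.run(["nft", "-f", "-"], input=ruleset, text=True, check=True)
    return ruleset


if __name__ == "__main__":
    plan = IsolationPlan(ir_host="10.99.0.5", log_collector="10.99.0.7")  # constructed addresses
    for cmd in volatile_triage_commands():
        print("collect first:", " ".join(cmd))
    print(apply_ruleset(build_ruleset(plan)))  # dry run: prints the rules, changes nothing
```

The order matters: the triage commands run first, then the ruleset is applied, and the machine is left powered on for the forensic team. Leaving the log collector reachable is a judgment call; it keeps telemetry flowing but is one more path an attacker with host access could notice.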
Running the response
After the first wave of panic, the incident has to be run as a business crisis, not just an IT outage.
Ransomware hits continuity, legal exposure, regulatory reporting, customer communications, and reputation. Leaving all of that on a system administrator isn’t fair. It usually doesn’t work either.
Internal teams know the infrastructure. They may not know how professional extortion groups behave once negotiations begin. External incident response specialists and cybersecurity counsel should come in early, while technical staff focus on diagnosis, backups, containment, and clean recovery.
And the attackers’ claims need to be tested.
Double extortion is common now: criminals encrypt files and threaten to publish stolen data. But exaggeration is part of the script. Sometimes the stolen “database” is a few old files. Sometimes the screenshots are real. Decisions need proof, not panic.
A company can ask for file lists or samples: directory screenshots, document names, or files that could only have come from compromised systems.
It can also request a decryption test using two or three small, non-sensitive files. Forensic teams should compare any samples against outbound traffic and the known incident timeline.
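To make the "compare samples against outbound traffic" step concrete, here is an added example (not from the report) that takes the attacker's claimed file list with sizes, sums the bytes that left the network toward unknown external destinations during the incident window, and returns a verdict with the candidate destinations for analysts. The flow-log format, the addresses, the allowlist of known-good destinations and the plausibility thresholds are all constructed for the example.

```python
"""Checking an exfiltration claim against outbound traffic logs.

Added example (not from the report or NordStellar): the attacker's "proof"
(file names and sizes) is compared with the bytes that actually left the
network toward unknown destinations during the incident window. Log format,
addresses, allowlist and thresholds are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations that legitimately receive bulk uploads (backup, SaaS); assumed allowlist.
KNOWN_GOOD_DST = {"203.0.113.9"}

# Constructed sample of the attacker's file list: (path as shown in their screenshot, size in bytes)
CLAIMED_FILES = [
    ("hr/payroll_2025.xlsx", 52_428_800),
    ("finance/ledger.db", 314_572_800),
]

# Constructed egress flow records (firewall/proxy export): ts,src,dst,dport,bytes_out
FLOW_LOG = """ts,src,dst,dport,bytes_out
2026-02-20T11:02:00+00:00,10.20.1.15,198.51.100.23,443,1000000000
2026-03-02T01:14:07+00:00,10.20.1.15,198.51.100.23,443,209715200
2026-03-02T01:52:41+00:00,10.20.1.15,198.51.100.23,443,104857600
2026-03-02T02:10:00+00:00,10.20.1.15,10.20.2.5,445,500000000
2026-03-02T03:00:00+00:00,10.20.1.40,203.0.113.9,443,50000000
"""

INCIDENT_START = datetime.fromisoformat("2026-03-01T23:00:00+00:00")
INCIDENT_END = datetime.fromisoformat("2026-03-02T04:00:00+00:00")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return flows


def outbound_by_destination(flows: list, start: datetime, end: datetime) -> dict:
    """Bytes sent from internal hosts to unknown external destinations inside the window.
    Internal-to-internal copies (possible staging) and allowlisted destinations are excluded."""
    per_dst = defaultdict(int)
    for f in flows:
        if not (start <= f["ts"] <= end):
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dst"] not in KNOWN_GOOD_DST:
            per_dst[f["dst"]] += f["bytes_out"]
    return dict(per_dst)


def assess_claim(claimed_files: list, flows: list, start: datetime, end: datetime) -> dict:
    """Compare claimed volume with observed egress. Thresholds are assumptions:
    >= 1.0 of the claim is 'consistent'; >= 0.25 is 'plausible' because attackers
    often compress before upload; below that the traffic does not support the claim."""
    claimed = sum(size for _, size in claimed_files)
    per_dst = outbound_by_destination(flows, start, end)
    observed = sum(per_dst.values())
    ratio = observed / claimed if claimed else 0.0
    if ratio >= 1.0:
        verdict = "consistent"
    elif ratio >= 0.25:
        verdict = "plausible"
    else:
        verdict = "unsupported"
    destinations = sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "claimed_bytes": claimed,
        "observed_bytes": observed,
        "ratio": round(ratio, 3),
        "verdict": verdict,
        "destinations": destinations,  # where analysts should look next
    }


def run_sample() -> dict:
    return assess_claim(CLAIMED_FILES, parse_flows(FLOW_LOG), INCIDENT_START, INCIDENT_END)


if __name__ == "__main__":
    print(run_sample())
```

A "plausible" or "consistent" result does not prove the files were taken, and "unsupported" does not prove they were not: compression, a second egress path the logs do not cover, or a window set too narrow can all change the picture. The value of the check is that it turns the attacker's claim into a specific set of destinations and hosts the forensic team can examine.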
Facts lower the temperature. If attackers can’t prove they stole sensitive data, the company has more room to move. If they can, legal, technical, and communications teams can work from evidence instead of fear.

Talking can buy time
The leaked transcripts show how heavily ransomware groups depend on pressure. In 41.9% of the cases NordStellar studied, attackers used deadlines to force quick decisions. In 45.5%, they offered temporary discounts, often before outside advisers or response teams had time to get involved.
Talking still isn’t surrender.
Only 25.6% of the analyzed negotiations ended in payment. In the other 74.4%, the communication channel mostly bought time while the company worked to regain control.
That time matters. Teams may still be checking whether offline backups are intact. They may need to rebuild clean servers in isolated environments, look for persistence mechanisms in database replicas, or confirm whether regulated personal data, including GDPR-covered data, was affected.
The communications side is moving too: customers, partners, insurers, regulators. Say too much too early and you can create confusion. Say too little and you may underreport.
If payment really is the only way to avoid operational collapse, negotiation can still reduce the damage. NordStellar’s analysis found an average discount of 57% after negotiation. The first number in a ransom note is rarely the real floor.
Acting before the ransom note appears
By the time a company is reading a ransom note in a Tor chat, the attackers have already set most of the terms.
The earlier fight often happens outside the perimeter. Leaked credentials. Exposed access points. Employee email addresses in stealer logs. Supplier accounts for sale. Company data circulating in places security teams don’t normally watch.
NordStellar focuses on that earlier stage. Built by Nord Security, it gives security, IT, risk, and compliance teams a view of their company’s external digital exposure before attackers can turn it into access.
Dark web and leak-channel monitoring
NordStellar watches criminal forums, exposed code repositories, underground marketplaces, and leak channels where corporate credentials or sensitive company information may surface.
It won’t replace internal controls. It shows what may already be visible from the outside.
Early detection of compromised access
If an employee’s credentials or a supplier login appears for sale, the response can start before the account is used.
Revoke access. Force a password reset. Review the affected device. Check whether the same exposure appears anywhere else.
It’s the difference between finding a copied key on the street and waiting until someone tries it at the front door.

Risk alerts your team can use
NordStellar turns large volumes of underground data into prioritized alerts tied to business risk. The goal isn’t to collect every possible signal. It’s to know which exposures need attention first, especially the ones that could affect operations, brand trust, or sensitive assets.
The best ransomware negotiation is the one your company never has to enter. NordStellar’s full report is available on its official website, along with guidance on preparing your infrastructure before a countdown timer appears on-screen.