Research Note · Ransomware Economics

The Negotiation Starts Before You Know You’re Breached

The “ransomware negotiation” is often framed as a decision made after detonation: restore from backups, negotiate, or rebuild. In modern campaigns, that decision is shaped, sometimes effectively decided, weeks earlier through deliberate leverage-building.

Topics: Leverage creation · Disclosure pressure · Downtime economics

Attackers don’t win by encrypting. They win by making every option expensive.

Executive summary

Ransomware is a leverage operation, not a malware event

Organizations often prepare for the visible moment: files encrypting, systems failing, employees locked out. Attackers prepare for the invisible period before that moment, when they can quietly build leverage: establish persistence, steal the right data, sabotage recovery, and identify exactly what the business cannot tolerate. By the time encryption begins, the question is no longer “Should we pay?” but “Which loss do we choose?”

Misconception

“We’ll decide when it happens”

Most organizations have not pre-modeled downtime tolerance, disclosure posture, or recovery timelines. Under pressure, the decision becomes reactive and fragmented.

Reality

Attackers pre-position your worst day

Crews pick timing, pressure points, and operational chokeholds. They aim to trigger maximum disruption when leadership is least able to absorb it.

Outcome

“Pay probability” is engineered

Payment is driven by survivability: how fast you can restore, how confident you are in data scope, and how well you can operate under disclosure pressure.

Attacker model

How leverage is built before encryption

The “negotiation” starts when attackers begin shaping your available options.

1) Persistence that survives panic

Attackers stabilize access through privileged accounts, remote tooling, SaaS app permissions, and token-based footholds. The goal is not stealth forever; it is durability through containment attempts.

2) Data theft targeted for pressure

Crews don’t need “all the data.” They need the data that changes leadership decisions: regulated records, sensitive customer info, legal correspondence, executive communications, and IP.

3) Recovery is weakened quietly

Backup consoles, credentials, immutability settings, and restoration paths are assessed early. Attackers aim to make recovery slower and less certain, without triggering alarms.

4) Pressure points are mapped

They identify what the business cannot lose: billing systems, scheduling, production lines, customer portals, email, identity providers, and leadership communications.

Defender gap

Why defenders lose optionality early

“We have backups” and “we have EDR” are not strategies if they don’t preserve freedom of action.

Identity is treated as a day-two problem

Ransomware operations are frequently identity-led. If identity is compromised, attackers can re-enter, disable controls, and manipulate response, regardless of endpoint remediation.

Scope uncertainty becomes a weapon

If you cannot quickly answer “What data left?” and “How far did they get?”, leadership will assume the worst. That assumption changes negotiation posture.

Decision authority is unclear under stress

Response often fractures into parallel efforts: IT restoring, security investigating, leadership demanding certainty, legal asking for facts, and communications waiting. Attackers exploit that latency.

Out-of-band communication isn’t ready

When response depends on compromised systems (email, chat, identity), coordination collapses. Lost coordination becomes lost time, and lost time becomes leverage.

Leadership impact

Extortion collapses technical, legal, and reputational risk

In double extortion, restoration ends downtime, but it does not end the crisis.

Disclosure timelines narrow quickly

If data theft is plausible, legal and communications planning must begin early, even before full confirmation, because options shrink as facts emerge and pressure increases.

Leadership becomes the response surface

Attackers apply pressure where it hurts: customers, regulators, partners, and board scrutiny. The “incident” becomes a governance event.

Restoration is not the finish line

Many organizations treat “systems restored” as “incident resolved.” In extortion cases, restoration is the midpoint: disclosure risk and trust rebuilding follow.

Program direction

Reducing “pay probability” before it matters

The best negotiation posture is having credible, rehearsed alternatives when pressure arrives.

Priority

Instrument identity and control planes

Detect successful misuse (role changes, app consent grants, token anomalies, policy edits, and abnormal access patterns), not just failed logins.
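To make the “successful misuse, not failed logins” point concrete, here is an added example (not code from the research note or from Wolfe Defense Labs) that runs a few detection rules over a constructed set of identity-provider audit events. The event schema, field names, role and scope names, and the sample events themselves are all assumptions made for this illustration; real IdP logs use different names and shapes, so the rules would need to be mapped onto your own schema.

```python
"""Flag successful identity-plane misuse in constructed audit events.

Added example: the event format, field names, roles, scopes and sample
events below are constructed for illustration and do not reflect any
particular identity provider's log schema.
"""
from datetime import datetime, timedelta

# Constructed sample events: a burst of failed logins, then a successful
# login followed by the kinds of "successful" actions the note says to watch.
EVENTS = [
    {"ts": "2024-03-01T08:02:00", "actor": "jdoe", "op": "login", "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-03-01T08:02:30", "actor": "jdoe", "op": "login", "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2024-03-01T08:03:00", "actor": "jdoe", "op": "login", "result": "success", "ip": "198.51.100.7", "geo": "US"},
    {"ts": "2024-03-01T08:10:00", "actor": "jdoe", "op": "role_assign", "result": "success",
     "target": "svc-backup", "role": "Global Administrator"},
    {"ts": "2024-03-01T08:12:00", "actor": "jdoe", "op": "app_consent", "result": "success",
     "app": "MailSyncHelper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-03-01T08:15:00", "actor": "jdoe", "op": "policy_update", "result": "success",
     "policy": "Require MFA for admins", "change": "state=disabled"},
    {"ts": "2024-03-01T08:20:00", "actor": "jdoe", "op": "token_issue", "result": "success",
     "ip": "203.0.113.9", "geo": "NL"},
    {"ts": "2024-03-01T08:25:00", "actor": "asmith", "op": "login", "result": "success",
     "ip": "198.51.100.20", "geo": "US"},
]

# Assumed role and scope names chosen for the example; tune to your tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Backup Operator"}
RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}
GEO_WINDOW = timedelta(hours=1)  # two geos for one actor inside this window is anomalous


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _alert(rule, event, detail):
    return {"rule": rule, "actor": event["actor"], "ts": event["ts"], "detail": detail}


def detect(events):
    """Return alerts for successful, high-impact identity actions.

    Failed logins are deliberately not alerted on their own: they are noisy,
    and the leverage-building actions the note describes all succeed.
    """
    alerts = []
    last_geo = {}  # actor -> (timestamp, geo) of the most recent geo-tagged success
    for ev in sorted(events, key=_ts):
        if ev.get("result") != "success":
            continue
        actor, op = ev["actor"], ev["op"]

        if op == "role_assign" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(_alert("privileged_role_assignment", ev,
                                 f"{actor} granted {ev['role']} to {ev['target']}"))
        elif op == "app_consent" and set(ev.get("scopes", [])) & RISKY_SCOPES:
            alerts.append(_alert("risky_app_consent", ev,
                                 f"{actor} consented {ev['app']} to {sorted(ev['scopes'])}"))
        elif op == "policy_update" and "disabled" in ev.get("change", ""):
            alerts.append(_alert("policy_weakened", ev,
                                 f"{actor} changed '{ev['policy']}': {ev['change']}"))

        # Token or session activity from a second geo shortly after the first.
        if "geo" in ev:
            prev = last_geo.get(actor)
            if prev and prev[1] != ev["geo"] and _ts(ev) - prev[0] <= GEO_WINDOW:
                alerts.append(_alert("geo_change_within_window", ev,
                                     f"{actor}: {prev[1]} -> {ev['geo']} in {_ts(ev) - prev[0]}"))
            last_geo[actor] = (_ts(ev), ev["geo"])
    return alerts


def failed_login_count(events):
    """Failures are kept for context, not raised as alerts by themselves."""
    return sum(1 for ev in events if ev["op"] == "login" and ev["result"] == "failure")


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['rule']}] {a['ts']} {a['detail']}")
    print(f"failed logins (context only): {failed_login_count(EVENTS)}")
```

Run over the constructed events, the two failed logins produce no alert, while the privileged role grant, the mail-scope consent, the disabled MFA policy and the token issued from a second country within seventeen minutes each do. The design choice is that every rule keys on `result == "success"`: the events that shape a future negotiation are the ones that worked.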

Priority

Protect recovery like critical infrastructure

Backup systems, credentials, and immutability controls are high-value targets. If they fall, negotiation posture collapses.

Priority

Pre-model downtime and disclosure decisions

Define what “unacceptable downtime” means for each critical function, and establish decision authority and escalation paths before an incident.

Priority

Rehearse the first hour

The most valuable tabletop is not “what do we do?” but “who decides, on what channel, with what thresholds, and how fast?”

Want to reduce leverage before it becomes a crisis?

Wolfe Defense Labs helps organizations identify extortion pressure points, validate recovery and identity posture, and build incident readiness operating models that preserve options under real pressure.
