Tuesday, April 7, 2026

The professional negotiators who do deals with cyber criminals


A global surge in ransomware attacks has driven the rise of specialist negotiators who are skilled at buying time, gathering intelligence and cutting deals with hackers.

Professional ransom negotiators have become a booming part of the cyber security industry as businesses seek help for high-stakes talks with criminal gangs.

Large cyber security groups such as Palo Alto Networks and Sophos have recorded an increase in demand for their ransom negotiators, according to people familiar with the matter, amid a surge in high-profile cyber attacks on large companies around the world.

British retailers Marks and Spencer and Harrods were hit by hackers last year, as well as carmaker Jaguar Land Rover, with the latter losing more than £260mn.

Dan Saunders, director of incident response EMEA at Quorum Cyber, said that negotiators were crucial in helping companies devise a strategy by obtaining information that helped executives make an informed decision.

Large cyber security groups such as Palo Alto Networks have seen more demand for their ransom negotiators © David Paul Morris/Bloomberg

“[The objectives are:] First: buy time; second, inform decisions; third, [gather] . . . intelligence,” he added, referring to attempts to identify the criminals behind the attack. “Just because you’re engaging [with them] doesn’t mean you’re going to pay.” 

Cyber ransom negotiators deploy tactics such as pretending to be an ignorant low-level IT worker, as well as slowing down “the tempo” of the negotiations by sending just one or two messages a day to the hackers.

“It’s more of a delicate dance than a negotiation,” said one ransom negotiator working at Sophos who did not want to be named. “If you step on toes or get it wrong, you could cause your client serious harm.” 

The negotiator noted that the first client meeting was typically “the sky is falling” phase. “They’re running around like chickens with their heads cut off; they don’t know which way is up because they’ve just been hacked.” 

Negotiations can last from three days to three weeks, and are conducted over dark web portals, emails or occasionally TOX.chat — an online platform that offers end-to-end encryption services.

Most cyber criminals demand a ransom that is about 1 to 2 per cent of the known revenue of the company, according to Sophos. The request for payment not only gives negotiators the chance to reduce the price but also track IP addresses and cryptocurrency wallets to work out who they are dealing with. 

Many negotiators, such as Quorum Cyber’s Saunders, come from a law enforcement background, adapting the techniques they used in their previous careers. Others have financial backgrounds, with experience in negotiations involving large sums of money.

But talks are frequently difficult because cyber criminals are often young, displaying “immature” behaviour and using “vulgar” language, according to Digital Mint’s Don Wyper. 

Carmaker Jaguar Land Rover lost more than £260mn as a result of its hack © Chris Ratcliffe/Bloomberg

“I joke that in my mind’s eye these are neck-bearded basement dwellers. But the truth is . . . a lot are very young teenagers or maybe in their early twenties.”

Wyper noted that he once had a hacker send a cake to a client with a thank-you note after being paid.

Ensuring companies have the full picture before tackling the question of whether to pay is a crucial task for negotiators.

Experts warn that legal advice on whether payment would breach international sanctions, such as funding terrorism, must be considered before executives agree to make any payment.  

“Cybersecurity regulation is tightening globally, driven by rising geopolitical tension,” Jonathan Kewley, partner and co-chair of the global tech group at Clifford Chance, said.

“Preparation and planning are vital in the immediate aftermath of a cyber attack, ensuring next steps follow sanctions protocols, which are a minefield,” he added.

If a company decides to go ahead and pay a ransom, the negotiator will either facilitate a payment themselves or contract a payment specialist — such as Digital Mint or Quorum Cyber — to do it on their behalf.   

The payments are typically made in cryptocurrency, usually bitcoin, with the payment facilitator either having a “float” of available funds or established links to exchanges where it can be easily bought. 

But cyber security experts warn of one crucial caveat: paying criminals does not guarantee they will honour their word. 

“There is always the risk of them not adhering to the terms of the agreement and they are not bound by the same legal terms and potential for civil or regulatory penalties that a regular organisation would be,” Mark Lance of the cyber security adviser GuidePoint Security said. 

This concern has meant the number of companies ultimately deciding to pay their attackers is falling, a trend that experts credited to the growing use of professional negotiators and an increase in precautionary measures such as backing up data.

In 2025, just less than half of all cyber attacks involved a ransom payment, down from 56 per cent in 2024, according to Sophos’s “state of ransomware” report.

“You’re buying something where there is no guarantee [you get what you want] so every company has to make an assessment,” John Wood, a director at Palo Alto Networks, said. 

“More often, companies are saying: ‘This just isn’t worth the money or bang for our buck.’” 
