- NordStellar finds that many ransomware negotiations end without payment, and victims who do pay usually do so at deep discounts (median 57%, maximum 96.2%).
- Attackers used varied tactics: bundling “services”, offering fake security audits, providing proof of stolen data, threatening to go to the press, threatening GDPR violations and manipulating prices.
- Threatening to leak stolen files remains the dominant means of pressure (76.8%), but deadlines are often bluffs aimed at pushing victims to pay.
Threatening to release stolen data remains the most effective negotiation strategy in ransomware attacks, but it is not the only one. A new study from NordStellar found that cybercriminals employ a range of tactics, from deep discounts to providing “security audits and reports” to victims.
The company recently analyzed 246 leaked conversations between ransomware groups and victim companies that took place between 2020 and 2026.
A quarter (25.6%) of victims ended up paying, but the vast majority did not pay the asking price. The median discount on these payments was 57%, while the highest recorded discount was 96.2%.
Bundled services, upsells and more
The report reveals that scammers often begin their negotiations with a sales tactic: react quickly and the price immediately drops by 25 to 67 percent. Delay, and the price goes up.
They then split their “services” in two: file decryption as one and deletion of stolen documents as the other. In approximately 16% of cases, attackers offered victims “all-inclusive” packages, while in 21% they attempted to sell these services separately.
“Even though the promise of data deletion appears often, companies have no way to actually verify the deletion,” said Mantas Sabeckis, senior threat intelligence researcher at Nord Security.
“I would advise companies to exercise caution and take these statements with a huge grain of salt: ransomware perpetrators are skilled manipulators.”
Interestingly, in 7.3% of conversations, attackers offered their victims a “security audit/report,” as if they were cybersecurity professionals and not just criminals.
Threatening to release stolen files is by far the most common tactic, used in 76.8% of all conversations analyzed. Other common tactics include providing proof of data (55.3%), special pricing offers (45.5%), or threatening to go to the press (43.5%). NordStellar also found threats of GDPR compliance violations (17.9%) and threats of price increases (7.3%).
“It is important to note that the deadline set by the attacker is almost never real. They want money, they will not leave on day one,” concluded Sabeckis.





