Professional negotiations with cybercriminals can sharply lower the ransom requested in ransomware attacks. This is according to incident response data in the Arctic Wolf 2026 Threat Report.
Negotiations with ransomware groups lead to an average reduction of 67 percent in the demanded ransom. When organizations that ultimately do not pay are also included, financial savings rise to 94 percent of the original demand. This is shown by Arctic Wolf data on handled incident response cases.
Pay the ransom?
Arctic Wolf advises organizations not to pay ransoms. However, the final decision always rests with the victim. When companies do proceed with payment, the report states that professional guidance can significantly limit the final amount. According to the research, organizations that negotiate themselves or respond without support more often pay a larger portion of the original demand.
There are few official figures on ransomware payments. Many organizations do not make such payments public. Independent studies suggest that approximately 30 percent of victims pay the full amount demanded. Furthermore, a British study shows that 18 to 20 percent of victims pay even more than the original demand on average, partly due to costs for purchasing and transferring cryptocurrency.
Recently, an Antwerp school and the Dutch provider Odido were hit by a cyberattack. Both organizations ultimately refused to pay the ransom.
Negotiations require expertise
According to Arctic Wolf, negotiating with ransomware groups requires specific expertise. Analysts first investigate which group is behind the attack. In doing so, they look at previous incidents, the group’s reputation, and their willingness to lower the demanded amount.
Legal factors also play a role. If an attack is found to be linked to a sanctioned regime or a terrorist organization, payment is legally prohibited. In such cases, negotiations stop and the focus shifts entirely to system recovery.
Specialists also analyze whether data has actually been stolen. In approximately 98 percent of ransomware attacks, attackers take data with them. Victims then often pay not to decrypt systems, but to prevent data from being made public.
Additional risks with ransomware groups
Even when victims pay, Arctic Wolf states there is no guarantee that data is actually deleted. In several incidents, researchers found stolen data that victims believed should have already been deleted.
Additionally, researchers are signaling a trend where some cybercriminal networks collaborate with local organized crime. This can involve physical pressure being exerted on employees of victim organizations to force payment. Researchers describe this development as “violent crime-as-a-service”.
According to Arctic Wolf, governments and legislators continue to advise organizations not to pay ransoms. At the same time, researchers state that companies must be prepared for the scenario in which negotiations do take place, in order to limit the impact of an attack as much as possible.