- NordStellar finds that many ransomware deals are unpaid, often with large discounts (median 57%, maximum 96.2%)
- The attackers used a variety of tactics: bundling “services,” offering fake security audits, data testing, press threats, GDPR violations, and price manipulation.
- Leaking stolen files remained the dominant pressure tactic (76.8%), but deadlines were often scams designed to force victims to pay.
While threatening to leak stolen data remains the most effective negotiating strategy in ransomware attacks, it is not the only one, as new research from NordStellar has found that cybercriminals employ a wide range of tactics, from deep discounts to providing “security audits and reports” to victims.
The company recently analyzed 246 leaked conversations between ransomware groups and victim companies that took place between 2020 and 2026.
A quarter (25.6%) ended up paying, but the vast majority did not pay the requested price. The average discount on those payments was 57%, while the highest discount recorded was 96.2%.
Bundled services, upsells and more
The report found that criminals often start their negotiation with a sales tactic: they respond quickly and the price drops by 25% to 67% immediately. It stops and the price goes up.
Then, they will divide their “services”: decrypting the files on one hand and deleting the stolen documents on the other. In around 16% of cases, attackers offered victims “all services included” packages, while in 21% they attempted to sell these services separately.
“Although the promise of data deletion appears often, companies have no way to verify the deletion,” said Mantas Sabeckis, senior threat intelligence researcher at Nord Security.
“I would advise companies to tread carefully and take these statements with a grain of salt: ransomware actors are skilled manipulators.”
Interestingly, in 7.3% of conversations, attackers offered their victims a “security audit/report,” as if they were cybersecurity professionals, not just criminals.
Threatening to leak stolen files is by far the most common tactic, used in 76.8% of all conversations analyzed. Other common tactics include providing proof of data (55.3%), special pricing offers (45.5%), or threatening to go to the press (43.5%). NordStellar has also seen threats of GDPR compliance violations (17.9%) and threats of price gouging (7.3%).
“It’s important to keep in mind that the attacker’s deadline is almost never real. They want the money; they won’t walk away on the first day,” Sabeckis concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
