The global surge in digital extortion assaults has spurred the emergence of specialized mediators, adept at securing delays, gathering critical intelligence, and forging agreements with malicious actors.
Professional ransomware negotiators have blossomed into a rapidly expanding segment of the cybersecurity sector as enterprises seek assistance for critical discussions with criminal syndicates.
Major cybersecurity conglomerates, including Palo Alto Networks and Sophos, have observed an uptick in demand for their ransom mediation specialists, according to sources privy to the situation, amidst a proliferation of high-profile cyber-incidents targeting large corporations worldwide.
British retail giants Marks and Spencer and Harrods faced cyber-attacks last year, alongside car manufacturer Jaguar Land Rover, with the latter incurring losses exceeding £260 million.
Dan Saunders, director of incident response EMEA at Quorum Cyber, highlighted the pivotal role of negotiators in assisting companies to formulate a strategy by acquiring data that empowers executives to reach well-informed conclusions.
“The aims are: first, gain time; second, enlighten decisions; third, [collect] . . . intelligence,” he elaborated, referring to efforts to pinpoint the perpetrators behind the breach. “Simply engaging with them does not imply an intention to remit payment.”
Cyber ransom mediators employ various strategies, such as feigning the role of an uninformed junior IT employee, and deliberately decelerating “the pace” of discussions by dispatching merely one or two communications per day to the attackers.
“It’s more akin to a delicate ballet than a direct negotiation,” remarked an anonymous ransom mediator employed at Sophos. “Erroneous steps or misjudgments could inflict severe damage upon your client.”
The mediator noted that the initial client consultation is typically a “the sky is falling” period. “They’re scrambling frantically; they’re disoriented because they’ve just suffered a cyber intrusion.”
These discussions can span from three days to three weeks, taking place via dark web platforms, email, or occasionally TOX.chat — an online service offering end-to-end encryption.
The majority of cyber offenders typically demand a payment representing approximately 1 to 2 percent of the company’s publicly known revenue, as reported by Sophos. This request for funds not only provides mediators an opportunity to lower the price but also allows them to trace IP addresses and cryptocurrency wallets to discern the identity of those they are engaging with.
Many mediators, like Quorum Cyber’s Saunders, originate from a law enforcement background, adapting techniques utilized in their prior vocations. Others possess financial expertise, having experience in high-value monetary discussions.
However, dialogues are frequently challenging because cyber criminals are often young, exhibit “immature” conduct and use “vulgar” terminology, according to Digital Mint’s Don Wyper.

“I jest that in my imagination they are unkempt, basement-dwelling individuals. Yet the reality is . . . many are very young teenagers or perhaps in their early twenties.”
Wyper recounted an instance where a hacker dispatched a cake to a client with a thank-you note after receiving payment.
A critical responsibility for negotiators is ensuring that companies have a comprehensive understanding of the situation before addressing the dilemma of whether to pay.
Experts caution that legal counsel regarding potential breaches of international sanctions, such as financing terrorism, must be taken into account before executives consent to any payment.
“Cybersecurity regulations are becoming more stringent globally, propelled by escalating geopolitical tensions,” stated Jonathan Kewley, partner and co-chair of the global tech division at Clifford Chance.
“Preparedness and foresight are paramount immediately following a cyber-attack, guaranteeing that subsequent actions adhere to sanctions protocols, which represent a complex labyrinth,” he added.
Should an organization opt to proceed with a ransom payment, the negotiator will either facilitate the transaction personally or engage a payment specialist — such as Digital Mint or Quorum Cyber — to execute it on their behalf.
Payments are typically rendered in digital currency, most often Bitcoin, with the payment facilitator either possessing a “reserve” of accessible funds or established connections to exchanges where it can be readily acquired.
However, cybersecurity specialists issue a vital caution: remunerating criminals does not ensure they will uphold their pledge.
“There remains the perpetual hazard of them failing to adhere to the provisions of the accord, and they are not constrained by the same legal stipulations and prospect of civil or regulatory sanctions that a conventional entity would face,” stated Mark Lance of the cybersecurity consultancy GuidePoint Security.
This apprehension has led to a decline in the number of companies ultimately choosing to compensate their aggressors, a trend experts attribute to the increasing utilization of professional mediators and a rise in proactive measures like data backup.
In 2025, just under half of all cyber-attacks involved an extortion payment, a decrease from 56 percent in 2024, according to Sophos’s “state of ransomware” dossier.
“You are procuring something without an assurance [of desired outcome], so every enterprise must conduct an evaluation,” remarked John Wood, a director at Palo Alto Networks.
“Increasingly, companies are concluding: ‘This simply isn’t worth the expense or the benefit for our investment.’”

