Leaked chats from ransomware groups (LockBit, ALPHV/BlackCat, Conti remnants, RansomHub affiliates, etc.) have given defenders a rare, unfiltered look into how these criminals actually talk to victims during extortion. The tone, pressure points, lies, and psychological tricks are surprisingly consistent across different crews.
Below are the most common real negotiation tactics pulled straight from chats that surfaced publicly between 2023 and 2026 (mostly via law enforcement seizures, researcher leaks, and group infighting dumps). These aren’t hypotheticals; they’re patterns seen in hundreds of real conversations.
1. The Deadline Bluff: The Most Common Technique Used by Ransomware Gangs
a) Most ransomware gangs use fake countdowns as standard operating procedure, most commonly 48-72 hours.
b) If you do not act quickly enough, they will threaten to:
1) Release samples of the data they have stolen from you (immediately),
2) Double the ransom amount (in the case of typical amounts), and
3) Directly contact your customers and the press/media.
c) The truth is that many groups will keep extending the deadline as long as they think you will eventually pay. The only real deadline is the point at which the ransomware group believes you have no more money to pay them.
Chat Example (LockBit Affiliate, 2024 Leaked):
“Your deadline to remit payment of 2x your current outstanding amount is 72 hours. After the deadline, we will make a press release regarding your non-payment to the media via Reuters as well as send this same press release to your top 5 customers. You still have time on the clock.”
2. The “We Already Have Everything” Lie
a) Claiming to have stolen much more than they actually did (such as full Domain Admin credentials, all your financial information, your source code, information on all your customers, all employees’ Social Security numbers, etc.)
b) Pasting some stolen screenshots or file names to “prove” it
c) Creating a sense of urgency and trying to get you to pay before verifying the scope of the loss.
Chat Example (RansomHub, 2025): "We have your entire Active Directory, your database of financial information, your HR folder with passport information. Paying now will be less expensive than going to court."
3. The Game of “Good Cop / Bad Cop”
a) One negotiator takes on the role of “Good Cop” and is very nice/helpful (“I really want to settle this as soon as possible for us both.”)
b) The other negotiator (sometimes, but not always, the same person under a different persona) plays “Bad Cop” and acts aggressive/threatening (“My boss doesn’t have much patience, and the data goes out in 12 hours.”)
c) The emotional rollercoaster makes the victim feel “relieved” when the “Good Cop” offers the “discount.”
Example of chat (ALPHV affiliate, 2024): Good cop says: “Since you were easy to work with, I convinced them to lower the demand from $1.2M.” Bad cop later: “You are wasting time; the demand is $3M, and we’ve already sent your partners the samples.”
4. The Trick of “Discount for Paying Quickly”
a) They will start with a very high demand ($5M – $50M based on your revenue) and then quickly offer you “discounts” (30%–70%) as a reward for paying within a certain time frame (usually hours or days).
b) This is an example of “classic anchoring.” An outrageously high initial price makes this “deal” feel like a win, even though the actual amount will still be millions.
Example of chat (LockBit 3.0, 2025): Initial demand was $18M. After 36 hours: “Express gratitude for your prompt reply; our special price is $7.5M if paid today.”
5. The “Proof of Life” and Partial Decryption Offers
a) They can and will decrypt 1–3 random files to prove that their decryption works.
b) At times, they will offer to decrypt more than that minimum (for a further payment) or supply a “testing decryptor” that works only on small files.
c) The aim is to build credibility with you, so that you are confident of receiving the full decryptor once payment has been made.
6. Threatening Third Parties
a) “We already emailed your customers / partners / journalists / regulators.”
b) They rarely do this early (it kills the chance of payment), but the threat is constant.
c) Some groups do follow through with mass emails or posts on leak sites.
7. The “We’re Professionals” Reassurance
a) Repeated phrases: “We are not kids, we keep our word.” “After payment we delete everything and give proof.” “We’ve done this hundreds of times, trust the process.”
b) This is pure psychological comfort: many affiliates do delete data, but many don’t (especially if payment is low or delayed).
Quick Defensive Takeaways
1. Never believe the first number or deadline.
2. Never pay for partial decryption; it almost never leads to full recovery.
3. Never reveal how much you can afford; they anchor higher.
4. Record every message (screenshots, timestamps); this helps law enforcement later.
5. Assume they already have what they claim, but verify scope quietly (e-discovery, DLP logs).
6. The longer you drag it out (without provoking), the more likely they drop the price or walk away.
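One way to keep the message record from takeaway 4 tamper-evident, as an added example that is not part of the original article: each chat message is stored verbatim with its receipt time and chained to the previous record by SHA-256, so any later edit or reordering is detectable. The field names, sample messages and timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first record


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the record, excluding its own hash."""
    body = {k: record[k] for k in ("seq", "received_utc", "sender", "text", "prev")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_message(log: list, received_utc: str, sender: str, text: str) -> dict:
    """Append one chat message, chained to the hash of the previous record."""
    record = {
        "seq": len(log),
        "received_utc": received_utc,  # when the responder saw it, ISO 8601 UTC
        "sender": sender,
        "text": text,                  # stored verbatim, never paraphrased
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record["seq"] != i or record["prev"] != prev or record["hash"] != _digest(record):
            return i
        prev = record["hash"]
    return -1


def build_sample_log() -> list:
    """Constructed sample log with two messages; not taken from any real chat."""
    log = []
    append_message(log, "2025-03-04T09:12:00Z", "actor", "Deadline is 72 hours.")
    append_message(log, "2025-03-05T21:40:00Z", "actor", "Special price if paid today.")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("head hash:", sample[-1]["hash"], "| first bad record:", verify(sample))
```

The chain alone does not reveal records removed from the end of the log, so copy the latest hash to a place the logging host cannot modify after each message.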
These tactics are repetitive because they work. Knowing the playbook doesn’t stop the pain, but it removes some of the fear and lets you respond with clearer eyes.