Ransomware Negotiation in 2026: When to Pay, When to Refuse, and How to Engage a Negotiator
Something has shifted in the ransomware economy, and it’s worth pausing over the numbers before rushing into advice about negotiation.
In the fourth quarter of 2024, roughly a quarter of ransomware victims paid. By the third quarter of 2025, that figure had fallen to 23%. In the fourth quarter of 2025, it reached approximately 20% — a historic low. For data-theft-only incidents, where attackers exfiltrate data but don’t encrypt systems, the payment rate sits at 19%. These figures come from Coveware, the ransomware response firm owned by Veeam, and they represent one of the most consistent downward trends in cybercrime metrics of the last five years.
At the same time, the UK government has legislated an outright ban on ransomware payments for public sector bodies and operators of critical national infrastructure — a policy confirmed in late 2025 and moving through Parliament as part of the Cyber Security and Resilience Bill. In the United States, OFAC’s strict-liability sanctions regime creates civil penalty risk for any company that pays a ransom later found to have a sanctions nexus, whether the company knew about it or not.
The picture that emerges is this: paying is getting rarer, refusing is getting more defensible, and the regulatory environment is tightening around the act of payment itself. Any conversation about ransomware negotiation in 2026 has to start there, because the decision framework has changed materially in the last eighteen months.
This guide is not a how-to for paying a ransom. It is a decision-support document for boards, executives, and incident commanders who find themselves staring at a ransom note and needing to think clearly under time pressure. We’ll cover the decision criteria, the sanctions landscape, what cyber insurance will and won’t do for you, what a professional negotiator actually does, and where the evidence suggests payment is most and least likely to be worth it.
If you’re in the first hours of an active incident, this is not the first thing you should be reading. Start with the 72-hour ransomware response playbook, which covers containment, legal notification, and the immediate operational decisions. Come back here once you’ve stabilised.
The decision to pay is not really a decision you get to make alone
The first thing to understand about ransomware negotiation in 2026 is that the decision to pay is constrained by legal, contractual, and regulatory considerations that did not all exist five years ago. Depending on where you operate and what sector you’re in, some of these constraints are absolute.
If you are a UK public sector body — an NHS trust, a local council, a school, a central government department — a payment ban is either already in effect or imminent. The UK Home Office confirmed in late 2025 that it will move forward with legislation making ransom payments illegal for all public sector organisations and for operators of critical national infrastructure regulated by a competent authority. The consultation that preceded the ban drew 72% overall support, with 82% support from CNI and public sector respondents themselves. The measure is being implemented through the Cyber Security and Resilience Bill.
For UK public sector and CNI organisations, the negotiation question is effectively being removed. The decision the law forces is: you will not pay, and you will need to recover through other means. That reality has profound implications for tabletop exercises, backup strategy, and incident response design, and those organisations should have been preparing for a non-payment world since the ban was first proposed in early 2025.
For everyone else — UK private sector, US-regulated entities, multinationals, small and medium businesses — the legal situation is less absolute but far from unconstrained. In the United States, OFAC (the Treasury’s Office of Foreign Assets Control) administers sanctions that prohibit transactions with designated persons, entities, and jurisdictions. Several ransomware groups have been sanctioned, including Evil Corp and Conti. OFAC’s 2020 advisory, updated in 2021, made clear that paying a ransom to any sanctioned entity — or facilitating a payment to one — exposes US persons to civil penalty liability on a strict-liability basis. That means liability can attach even if the payer had no knowledge of the sanctions nexus.
Strict liability is the phrase that should make every general counsel sit up. It means the due diligence burden is entirely on the victim. It also means cyber insurers, digital forensics firms, and financial institutions involved in facilitating the payment face their own sanctions exposure. OFAC has said it will consider voluntary self-disclosure, cooperation with law enforcement, and the existence of a sanctions compliance programme as mitigating factors in enforcement decisions — but “mitigating” is not “exculpatory.”
Outside the US and UK, the picture varies but trends in the same direction. The Counter Ransomware Initiative, a forty-country coalition including the UK, Canada, Australia, India, and most EU member states, has pledged not to pay ransoms from public funds. Australia has introduced mandatory reporting of ransom payments. The European Union has not imposed a blanket ban but has tightened incident reporting under NIS2 and DORA, which creates its own set of obligations around disclosure of payments.
The practical implication is that any serious ransomware negotiation conversation in 2026 starts with three parallel workstreams running simultaneously: operational containment, legal and regulatory analysis, and sanctions screening on the threat actor. If you don’t know whether your attacker is on the OFAC SDN list, you cannot responsibly authorise a payment. If you’re a UK public body, you can’t authorise a payment at all.
The decision framework: what the evidence actually supports
Set the legal constraints aside for a moment and consider the case where payment is legally permissible. When does the evidence support paying?
The honest answer, based on incident response data from 2024 and 2025, is: less often than executives under pressure tend to assume.
Three findings from Coveware’s reporting in 2025 are particularly worth sitting with. First, in incidents involving only data exfiltration (no encryption), paying the ransom does not reliably prevent data publication. Attackers have retained data after payment, selectively leaked it later, and in some cases re-extorted victims months later using the same dataset. Coveware described paying-to-delete as having “de minimis to zero utility.” Several high-profile 2025 campaigns — where victims refused and the feared catastrophic publication either didn’t happen or didn’t produce the predicted commercial damage — reinforced this.
Second, paying doesn’t reliably restore systems even in encryption incidents. A Cybereason study cited by Infosecurity Europe found that less than half of firms that paid a ransom recovered their data uncorrupted. Decryption tools provided by attackers are often buggy, incomplete, or slow. Recovery from backups, if backups are viable, is often faster than decryption.
Third, paying marks you as a paying target. The same Cybereason study found that 78% of organisations that paid were hit again, often by the same or an affiliated group. Paying funds the infrastructure that enables the next attack, and it places you on the list of known-paying victims that threat intelligence groups actively trade and resell.
None of this is to say payment is never justified. There are scenarios where it remains the least-bad option — typically involving existential operational disruption, life-safety systems without workable recovery alternatives, or specific regulatory and contractual exposures where the cost of non-payment is catastrophic. But the baseline expectation should be this: paying is a last resort where the alternative is organisational failure, and even then it is an imperfect remedy with significant downstream risk.
The decision framework that falls out of this looks something like this. Payment should only be seriously considered when all of the following are true: recovery through backups, failover, or rebuild is not viable within the business’s survival window; the operational disruption threatens the organisation’s existence or creates life-safety risk; the threat actor has been screened and is not on the OFAC SDN list or otherwise sanctioned; legal counsel, law enforcement (FBI in the US, NCA in the UK), cyber insurance carrier, and board have all been consulted; and the decision-makers understand that payment does not guarantee recovery and does not eliminate reporting obligations.
If any of those conditions fails, the default should be to refuse payment and focus entirely on recovery, notification, and legal defence.
What a professional negotiator actually does
There is a small, specialised industry of ransomware negotiators operating globally. The best-known firms include Coveware (now part of Veeam), GroupSense, Arete, Kivu Consulting, and the incident response practices of major advisory firms like Mandiant, CrowdStrike Services, Unit 42 (Palo Alto Networks), and Kroll. Most cyber insurance policies include access to a panel of these firms, and in practice many ransomware engagements are managed by insurer-approved responders rather than by the victim directly.
The word “negotiator” is slightly misleading. What these firms actually do is a mix of five distinct functions, and understanding the distinction matters when you’re evaluating whether to engage one and what you’re paying for.
The first function is threat actor identification and sanctions screening. Before anything else, a negotiator will try to identify the specific group and individuals behind the attack, cross-reference against the OFAC SDN list and other sanctions regimes, and document that screening for regulatory purposes. This is not optional work — it is foundational to whether any payment can be legally authorised at all.
The second function is communication management. Negotiators handle the actual back-and-forth with the threat actor, usually through whatever chat portal or email channel the attacker provides. They manage tone, pacing, and information disclosure to avoid inadvertently confirming what the attacker has access to or revealing business-critical timelines (like upcoming earnings releases or contract deadlines) that would allow the attacker to set the ransom based on leverage.
The third function is price negotiation. Professional negotiators typically reduce the initial demand substantially — Coveware’s aggregate data across its engagements over multiple years shows negotiated outcomes well below initial demands, though specific reductions vary enormously by actor and circumstance. Established RaaS groups negotiate in predictable patterns; lone-wolf actors and less experienced affiliates are less predictable and sometimes walk away.
The fourth function is decryptor and deletion verification. If a payment is made, the negotiator manages the handover of decryption tools, tests them in a sandboxed environment before handing them to the victim’s IT team, and — in data-theft cases — receives whatever proof-of-deletion the attacker provides. Experienced firms are clear-eyed that proof of deletion is essentially unverifiable and should not be treated as a reliable outcome.
The fifth function is payment execution. In the US and UK, ransom payments are almost always made in cryptocurrency. Negotiator firms that execute payments are money service businesses that must themselves comply with FinCEN regulations, maintain sanctions compliance programmes, and file appropriate reports. This is the part of the negotiation workflow where the strict-liability exposure is most acute for the facilitators themselves.
A professional negotiator is not a substitute for a legal decision. The firm will not tell you whether to pay. They will give you information, manage process, and execute whatever decision you and your legal counsel reach. The actual authorisation to pay rests with the victim organisation’s board or designated decision-maker, with sign-off from counsel and documented regulatory screening.
What cyber insurance actually does (and doesn’t do)
A well-structured cyber insurance policy is the single most valuable asset an organisation has in a ransomware incident, but what the policy covers varies more than most buyers realise.
Most Tier 1 cyber policies sold in the US and UK markets — from carriers like Coalition, At-Bay, Cowbell, Beazley, CFC, AIG, and Chubb — include ransomware coverage with several distinct components. Extortion payment coverage reimburses the ransom itself, subject to carrier approval and sanctions compliance. Incident response coverage pays for the forensics firm, negotiator, and legal counsel. Business interruption coverage compensates lost revenue during downtime, typically with a waiting period of 8–12 hours. Data restoration coverage funds rebuild and recovery work. Privacy liability and regulatory defence coverage pays for breach notification costs and regulatory investigation defence.
For more on what insurers are demanding in 2026 and how technical controls affect premiums, see our cyber insurance in 2026 guide.
A few practical points about how ransomware insurance actually works during an incident are worth knowing in advance, not during a crisis. Most policies require the carrier’s pre-approval before you engage any external firm — including the negotiator, forensics team, and legal counsel. Using a firm outside the carrier’s panel without permission can void coverage. The insurer’s breach coach (usually a law firm) effectively quarterbacks the incident response on the carrier’s behalf, and their approval is needed for most significant decisions, including any payment.
Carriers will not authorise payments that violate sanctions law. If the threat actor is sanctioned or screening cannot conclusively rule out a sanctions nexus, the carrier will decline to fund the payment. In practice, this means the sanctions question is resolved before the money question — the insurer’s own compliance exposure forces that sequencing.
Carriers also maintain their own views about when payment is or isn’t advisable, and those views have hardened over the last two years. Several major carriers now explicitly discourage payment in data-exfiltration-only incidents, based on the same evidence that Coveware documents: paying doesn’t prevent publication and doesn’t eliminate notification obligations. Policyholders who insist on paying against carrier advice may find the coverage reduced or the renewal declined.
Policy sub-limits matter. Many policies that nominally provide $5M in cyber coverage may have a ransomware sub-limit of $1M–$2M, or may apply a co-insurance factor (where the insured pays 20–30% of the ransom even after the deductible). Business interruption coverage often has its own sub-limits and waiting periods that significantly reduce the recoverable amount. Reading your policy carefully — before you need it — is the single most useful piece of pre-incident preparation an insurance-buying organisation can do.
Finally, cyber insurance carriers are now a primary driver of defensive control adoption. Multi-factor authentication, endpoint detection and response, immutable backups, and privileged access management are effectively required for coverage from most Tier 1 carriers in 2026. These controls are the practical floor that turns a “maybe we have to pay” situation into a “we can recover without paying” situation, and the insurers know it.
The OFAC compliance programme: what every US-jurisdiction organisation needs
OFAC’s 2020 advisory, reinforced in later guidance, is explicit that the existence and adequacy of a sanctions compliance programme is a mitigating factor in enforcement decisions. For any organisation subject to US jurisdiction — which in practice includes most multinationals and many UK firms with US operations — building that programme before an incident matters more than any tactical negotiation decision during one.
A risk-based sanctions compliance programme for ransomware exposure typically includes five elements. First, written policies that explicitly address ransomware payment authorisation, sanctions screening requirements, and the escalation path to legal counsel and senior leadership. Second, a pre-identified panel of incident response, legal, and negotiator firms with documented sanctions compliance programmes of their own. Third, documented sanctions screening procedures that apply to any ransom payment authorisation, including cross-reference to the OFAC SDN list and any updated guidance. Fourth, law enforcement reporting protocols — OFAC treats contemporaneous FBI reporting as a mitigating factor, and IC3 reporting is the standard mechanism in the US. Fifth, post-incident review to document what was done and why, which serves both as audit evidence and as organisational learning.
The equivalent UK framework is less prescriptive but similar in spirit: NCSC guidance, law enforcement reporting through Action Fraud and the National Crime Agency, and — once the Cyber Security and Resilience Bill is in force — mandatory incident reporting within 72 hours for covered entities. Organisations subject to NIS2 or DORA have additional reporting obligations that kick in regardless of whether a payment is considered.
The single most common mistake organisations make in this space is treating the sanctions compliance programme as a legal formality. It isn’t. It is the document that determines whether OFAC characterises a potential violation as a civil penalty of tens of millions of dollars or a no-action letter. The compliance programme is the shield, and it must exist before the incident, not be drafted in response to one.
How to actually engage a negotiator in an incident
If you reach the point where negotiation is genuinely on the table — legal review has cleared it, sanctions screening is underway, insurance is engaged, and recovery alternatives are inadequate — the mechanics of engaging a negotiator matter.
Your first call, almost always, should be to your cyber insurance carrier’s breach hotline. The carrier will connect you to their approved breach coach (legal counsel) and their approved incident response firm, which will usually include a ransomware negotiator as part of the panel. This sequencing protects coverage and ensures that everyone in the response chain meets the carrier’s compliance requirements.
If you don’t have cyber insurance or your policy’s panel is inadequate, direct engagement with a negotiator firm is possible. Reputable firms will typically want to see evidence of the attack (a sample of the ransom note, file-hash evidence, a proof-of-life demand from the attacker if one exists) and will want confirmation that you’ve engaged legal counsel before they will start communications. Pricing varies; fixed-fee engagements are increasingly common, with typical ranges in the tens of thousands of dollars for mid-market incidents and higher for complex multinational matters.
The engagement scope should be explicit. At minimum, it should cover: threat actor identification and sanctions screening; communication management with the attacker; negotiation of any demand; decryptor verification and handover; payment execution (if a payment is authorised); and post-incident reporting. Be cautious of firms that position themselves primarily as payment facilitators without the underlying compliance and intelligence capabilities — these are the engagements most likely to create downstream regulatory exposure.
Under no circumstances should an organisation’s internal staff communicate directly with a threat actor outside of a managed negotiation process. Casual communications on an attacker’s chat portal have been documented to inadvertently confirm data exposure, reveal business context that the attacker uses to increase demands, and — in SWATting incidents documented by Coveware in 2025 — expose executives’ personal details to criminal groups that have used them for physical intimidation.
What changes from here
The direction of travel in ransomware negotiation is clear. Payment rates are falling. Legal constraints are tightening. Cyber insurance carriers are becoming more assertive about declining payment in data-theft-only cases. The UK ban is pulling the market toward a no-payment default. US sanctions enforcement appears to be escalating rather than relaxing.
None of this means ransomware is becoming a smaller problem — attack volumes are at historic highs, and the median loss per incident continues to grow. But it does mean the assumption that “we’ll just pay” is becoming both less defensible and less effective. Organisations that invest in the things that make payment unnecessary — tested immutable backups, documented recovery plans, phishing-resistant identity controls, mature incident response capability, adequate cyber insurance with strong panel firms — are the ones that consistently emerge from ransomware incidents without paying.
The question worth asking in 2026 is not “how do we negotiate a ransom?” It is: “what does our organisation need to put in place now so that negotiation is a choice, not a necessity?” That is where the work belongs.
Frequently asked questions
Is paying a ransomware ransom illegal?
In most jurisdictions, payment itself is not illegal — but payment to a sanctioned person, entity, or jurisdiction is. In the US, OFAC applies strict liability, meaning victims can face civil penalties even if they didn’t know about the sanctions nexus. In the UK, the government is implementing a ban on ransomware payments for public sector bodies and critical national infrastructure through the Cyber Security and Resilience Bill. For private-sector organisations in the UK and most other jurisdictions, payment remains legal subject to sanctions law compliance, but is increasingly discouraged.
What percentage of ransomware victims actually pay?
Payment rates have fallen sharply. Coveware’s data shows 25% of victims paid in Q4 2024, falling to 23% in Q3 2025 and approximately 20% in Q4 2025. For data-theft-only incidents (no encryption), the payment rate dropped to 19% in Q3 2025. These rates are historic lows and reflect a continuing downward trend over four consecutive years.
Does paying a ransom guarantee I get my data back?
No. A Cybereason study found that less than half of organisations that paid recovered their data uncorrupted. Decryption tools are often buggy or slow, and data deletion promises in exfiltration cases are essentially unverifiable. Paying is a probabilistic outcome, not a guaranteed recovery.
What does a ransomware negotiator actually do?
A professional negotiator handles threat actor identification and sanctions screening, manages communications with the attacker, negotiates the demand down from the initial figure, verifies any decryptor provided, and executes the payment if one is authorised. They do not decide whether you should pay — that decision sits with the victim organisation’s leadership, with input from legal counsel and cyber insurance.
Will my cyber insurance cover a ransom payment?
Most Tier 1 cyber insurance policies include extortion payment coverage, but with conditions. The carrier must pre-approve the payment, the threat actor must not be sanctioned, and the response must be managed through the carrier’s approved panel of firms. Coverage is typically subject to sub-limits, deductibles, and sometimes co-insurance. Carriers are increasingly declining to fund payments in data-exfiltration-only cases. Read your policy before you need it.
What’s the difference between the US OFAC regime and the UK payment ban?
The US OFAC regime is a sanctions framework that prohibits transactions with designated persons or entities and applies civil penalties on a strict-liability basis. It does not ban payment as such — it bans payment to sanctioned recipients. The UK’s ban, being implemented through the Cyber Security and Resilience Bill, makes ransomware payment outright illegal for public sector bodies and critical national infrastructure operators, regardless of who the attacker is.
Should I contact law enforcement before making a payment decision?
Yes, in almost every case. In the US, OFAC treats contemporaneous FBI reporting (typically through IC3) as a mitigating factor in enforcement decisions. In the UK, reporting to the National Crime Agency and NCSC is strongly encouraged and will be mandatory under the Cyber Security and Resilience Bill for covered entities. Law enforcement cannot stop you from making a payment, but engaging them is a protective step for both regulatory and investigative reasons.