{"id":8276,"date":"2026-01-21T05:00:00","date_gmt":"2026-01-21T11:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87487"},"modified":"2026-01-21T05:00:00","modified_gmt":"2026-01-21T11:00:00","slug":"the-thin-line-between-saving-a-company-and-funding-a-crime","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/21\/the-thin-line-between-saving-a-company-and-funding-a-crime\/","title":{"rendered":"The thin line between saving a company and funding a crime"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>The thin line between saving a company and funding a crime | CyberScoop<\/title> <meta name=\"description\" content=\"Ransomware negotiators dish on being in a \u2018moral gray zone,\u2019 unrestricted by accountability or industrywide rules of engagement.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ransomware-negotiation-pitfalls-moral-gray-zone\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"The thin line between saving a company and funding a crime\"> <meta property=\"og:description\" content=\"Ransomware negotiators dish on being in a \u2018moral gray zone,\u2019 unrestricted by accountability or industrywide rules of engagement.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ransomware-negotiation-pitfalls-moral-gray-zone\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-21T11:00:00+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg\"> <meta property=\"og:image:width\" content=\"8660\"> <meta property=\"og:image:height\" content=\"5773\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1767719924g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87487\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=87487\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-negotiation-pitfalls-moral-gray-zone%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-negotiation-pitfalls-moral-gray-zone%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87487 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ransomware-negotiation-pitfalls-moral-gray-zone\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button 
class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.822580645161\">\n<div class=\"single-article__header-content\" readability=\"31.081545064378\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/ransomware-negotiation-pitfalls-moral-gray-zone\/\"> <span>Ransomware<\/span> <\/a> <\/li>\n<\/ul>\n<p> Ransomware negotiators dish on being in a \u2018moral gray zone,\u2019 unrestricted by accountability or industrywide rules of engagement. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg 8660w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=1013,675 1013w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"221.17567338641\"><body readability=\"447.8131038117\"><\/p>\n<p>Ransomware negotiation is a dark but widely acknowledged reality in the cybersecurity industry \u2014 one that many argue is a necessary practice, even if it largely occurs out of sight. Brokering payments and terms with cybercriminals who hold organizations\u2019 data and operations hostage places security professionals in a fraught position that requires them to balance a responsibility to meet their clients\u2019 needs without fueling the spread of financially-motivated crime.<\/p>\n<p>The pitfalls of ransomware negotiation are excessive \u2014 pitting the goals of cybercrime against victims and incident response firms that typically face no good options. Negotiators are charged with ensuring their clients don\u2019t break any laws by financially supporting sanctioned criminals, but they also have to consider the lines they won\u2019t cross without betraying their moral compass.<\/p>\n<p>These backchannel negotiations can go awry for various reasons. Many people involved in ransomware negotiation prefer to share very little about what transpires in these discussions, a decision that ensures the terms of ransomware payments remain largely unscrutinized.&nbsp;<\/p>\n<p>Yet, many security companies and professionals spoke to CyberScoop about the challenges and benefits of ransomware negotiation after two of their own became turncoats. 
The former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were <a href=\"https:\/\/cyberscoop.com\/incident-response-ransomware-professionals-charged-attacks\/\">moonlighting as ransomware operators<\/a> and <a href=\"https:\/\/cyberscoop.com\/incident-responders-plead-guilty-ransomware-digitalmint\/\">pleaded guilty<\/a> last month to a series of ransomware attacks in 2023.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThere\u2019s no structured community of practice, no peer review, and no recognized body to certify or hold negotiators accountable,\u201d Jon DiMaggio, principal at XFIL Cyber, told CyberScoop. \u201cIt\u2019s one of the few areas of cybersecurity with no real standards, an unregulated tradecraft that still operates like the Wild West.\u201d<\/p>\n<p>This uneven approach manifests across the landscape, particularly among the top incident response firms, which have varying levels of comfort with ransomware negotiations. CrowdStrike and Mandiant draw a firm line, refraining from providing ransomware negotiation services to clients.&nbsp;<\/p>\n<p>If a client is considering paying a ransomware group, Mandiant will explain the options and let the client decide. The Google-owned company will also share what it knows about the group\u2019s reputation for honoring terms and provide a list of third-party vendors that specialize in ransomware negotiation.<\/p>\n<p>Adam Meyers, head of counter adversary operations at CrowdStrike, is firmly in the don\u2019t-pay-ransoms camp. 
But he, too, recognizes it\u2019s not always that simple.&nbsp;<\/p>\n<p>\u201cNo good comes from paying them,\u201d but sometimes in extreme cases when the choice is between a business\u2019s downfall or potentially putting the people you serve at risk of significant harm, victims don\u2019t have a choice but to pay the ransom, Meyers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Palo Alto Networks Unit 42 takes things to the finish line, but stops before payment. \u201cThe boundary for us is we don\u2019t perform ransomware payments. That\u2019s actually an intentional decision on our end to separate those out,\u201d Steve Elovitz, vice president of consulting at Unit 42, told CyberScoop.<\/p>\n<p>\u201cWe will perform negotiations when requested by our clients, but we will not perform the payments,\u201d he added. \u201cThere\u2019s the complexity side of it, but there\u2019s also just the moral side of it \u2014 not wanting to be involved, really, in the transaction itself.\u201d<\/p>\n<p>The red lines in ransomware response \u2014 viewing stolen or illegal data on dark web forums, collecting that information, engaging with cybercriminals, negotiating and, ultimately, submitting payment \u2014 can push those involved beyond their comfort zones, said Sean Nikkel, lead cyber intelligence analyst at Bitdefender.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-lack-of-transparency-engenders-isolation\">Lack of transparency engenders isolation<\/h4>\n<p>These self-imposed limits highlight how secretive ransomware negotiations tend to be, which creates a vacuum in which criminals thrive, DiMaggio said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe lack of transparency isolates everyone,\u201d he said. 
\u201cVictims don\u2019t know what\u2019s normal or fair, law enforcement is often left guessing, and the criminals use that silence to control the narrative and drive up their prices.\u201d<\/p>\n<p>Nikkel asserts some secrecy is necessary, yet ransomware negotiators are \u201coperating without a license and it kind of freaks me out a little bit,\u201d he said.<\/p>\n<p>Professional certifications exist for many lines of intelligence work, but there\u2019s nothing for ransomware negotiation, he added.<\/p>\n<p>DiMaggio, who has infiltrated ransomware groups to investigate their operations, dox their leaders and chronicle stories that would otherwise go untold, said victim organizations constantly make the same mistakes because lessons from these attacks are rarely shared.&nbsp;<\/p>\n<p>\u201cUntil the industry finds a responsible way to collect and analyze anonymized negotiation data, we\u2019ll keep fighting each case in the dark,\u201d he said. \u201cTransparency isn\u2019t about shaming victims \u2014 it\u2019s about denying criminals the advantage of secrecy.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Open sharing of ransomware negotiations is a non-starter for many important reasons, experts said. 
These communications contain privileged information that could tip attackers off to counterstrategies or empower them with information they can use as leverage to further compromise victims.&nbsp;<\/p>\n<p>\u201cIt would be difficult to do that in a way that doesn\u2019t compromise the practice,\u201d said Kurtis Minder, the co-founder and former CEO of GroupSense who published a book in July about his experiences as a ransomware negotiator.<\/p>\n<p>Cynthia Kaiser, who joined Halcyon\u2019s ransomware research center as senior vice president after 20 years with the FBI, shares that view.&nbsp;<\/p>\n<p>\u201cYou don\u2019t want to do anything that re-victimizes the victim,\u201d she said. \u201cIf that information goes out, that should be their choice.\u201d<\/p>\n<p>The \u201cdarkness\u201d about negotiations doesn\u2019t merit the same emphasis as the need to better understand \u201chow insidious and gross all these ransomware attacks are, and who they\u2019re attacking,\u201d Kaiser added.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThat\u2019s the only way we can really grapple with the actual extent of the threat, and that\u2019s not happening right now,\u201d she said. \u201cThat information doesn\u2019t get out there enough.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-key-negotiation-skills-and-considerations\">Key negotiation skills and considerations<\/h4>\n<p>Minder got pulled into his first ransomware negotiation in 2019 by accident and against his best intentions. \u201cSomewhat reluctantly, I agreed to do more and then it sort of snowballed on us,\u201d he said. 
\u201cWe didn\u2019t really want to do this.\u201d<\/p>\n<p>Since then, Minder has been involved in hundreds of ransomware negotiations for major companies and small businesses who he volunteered to help in his personal time.&nbsp;<\/p>\n<p>There is no litmus test for what makes a good negotiator, but soft skills and emotional intelligence are critical, he said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cEmpathy is one of the most important things,\u201d Minder added. \u201cNot sympathy \u2014 empathy \u2014 being able to effectively put yourself in the bad guys\u2019 shoes is super powerful.\u201d<\/p>\n<p>As ransomware attacks have grown, so too have the mixed motivations of attackers attempting to extort victims for payment.&nbsp;<\/p>\n<p>Attacker volatility has increased in the past four years and complicated the considerations negotiators must heed in their response, said Lizzie Cookson, senior director of incident response at Coveware by Veeam.&nbsp;<\/p>\n<p>Some attackers are \u201ceager to get paid, but they\u2019re also in it for the notoriety, for the bragging rights, for the media attention,\u201d said Cookson, who\u2019s worked as a ransomware negotiator for more than a decade. \u201cThat\u2019s where we start to encounter more concerning behavior \u2014 more hostility, threat actors threatening violence, making threats against people\u2019s family members.\u201d<\/p>\n<p>These cases, which occur much more often now, are more likely to result in broken promises \u2014 data leaks after a ransom was paid to avoid such an outcome or follow-on extortion demands, she said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Indeed, cybercriminals consistently pull new threads to amplify the pressure they place on victims. 
This includes elements of physical extortion wherein ransomware groups call and threaten executives, claiming they know where the executives\u2019 kids go to school, where they live and how they get to work, said Flashpoint CEO Jeff Lefkowitz.<\/p>\n<p>These threats put business leaders in precarious, unexpected positions that challenge their preconceived notions about how they\u2019d respond to a cyberattack, Lefkowitz said.&nbsp;<\/p>\n<p>Ransomware negotiation requires practitioners to navigate between doing what\u2019s necessary and what\u2019s right, DiMaggio said. \u201cThe key is to treat every negotiation as a crisis with human consequences, not just a transaction.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-negotiators-reflect-on-previous-cases\">Negotiators reflect on previous cases<\/h4>\n<p>Ransomware negotiators tend to run through common checklists based on patterns they\u2019ve experienced, but each incident is unique and requires some level of improvisation.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, said ransomware operators, on the whole, are more trustworthy now than when he first got involved in negotiations in 2019. The practice, he said, has also improved because threat intelligence is more useful, making negotiations a data-driven effort.<\/p>\n<p>Dowling separates ransomware operators into two groups: named and unnamed. Named groups are more trustworthy because they have a reputation to uphold, while unnamed groups are more likely to re-extort victims and deviate from the standards of ransomware negotiation, such as not providing proof of their claims.<\/p>\n<p>Still, he said, most payments result in positive outcomes for the victims. 
The lowest payment Dowling has facilitated came in around $6,000, and the largest was about $8 million, he said.&nbsp;<\/p>\n<p>Some negotiations end abruptly without further incident. These cases typically involve charities or non-profits, according to Minder.<\/p>\n<p>One case he worked on involved a charity that provided free screenings for breast cancer. In that incident, he simply asked the attackers: \u201cWhy are you doing this? These people don\u2019t have any extra money.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attackers walked away after the organization agreed to pay a $5,000 ransom to cover what the ransomware group claimed amounted to costs it incurred to conduct the attack \u2014 a significant discount from their initial demand of $2 million.<\/p>\n<p>When cases involving data extortion come to a close, negotiators will ask for proof the data was deleted, though deletion is impossible to confirm. Some attackers who are especially proud of their work will provide detailed reports about how they gained access \u2014 information that helps the victim and incident responders understand how and what occurred.&nbsp;<\/p>\n<p>Experts said the number of people involved in ransomware negotiations can be quite large when lawyers, insurance providers and law enforcement are involved. 
The duration of these back-and-forth compromises can last for a couple hours or up to three months.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-tactics-define-process-for-negotiation\">Tactics define process for negotiation<\/h4>\n<p>Negotiators also employ generally similar strategies to achieve their client\u2019s objectives at the lowest possible payment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Threat intelligence on ransomware groups can guide negotiators toward a more gentle or aggressive approach, but in all cases \u201cthe threat actor, at the outset, has all the leverage,\u201d Dowling said.&nbsp;<\/p>\n<p>\u201cThe leverage that you have is the threat actor wants to get paid. The only way they\u2019re going to get paid is if you come to an agreement,\u201d he added.&nbsp;<\/p>\n<p>Every ransomware negotiator CyberScoop spoke with remarked on the importance of delay. \u201cTime is always our friend,\u201d Cookson said. \u201cEvery day that passes after the initial incident is an opportunity for us to get more visibility so that they can make those decisions with a lot more confidence and make those decisions based on actual data, not based on fear and emotion.\u201d<\/p>\n<p>Initial outreach from negotiators working on behalf of a victim should be short and simple, allowing attackers to do most of the talking up front, Minder said. Negotiators should also avoid discussion of any financial numbers or positional bargaining as long as possible, he said.<\/p>\n<p>Cursing or adopting combative language is a hard no-no for Minder as well. \u201cThere are ways to convey disappointment in the messages that aren\u2019t fighting words,\u201d he said. \u201cThey\u2019re humans. 
They have egos, so you have to keep that in mind.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Delay tactics are designed to get the attackers to question their own demand before the negotiator ever puts a number in writing, Minder said.&nbsp;<\/p>\n<p>Moreover, it\u2019s not just about the money \u2014 ransomware operators are seeking validation, and a sense that they\u2019re in control and winning, he said.<\/p>\n<p>The worst outcomes involve victims that rush to make a payment, assuming that will make all the pain go away, Cookson said.&nbsp;<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-financial-incentives-present-ethical-challenges\">Financial incentives present ethical challenges<\/h4>\n<p>Ransomware is a thriving criminal enterprise, amounting to a <a href=\"https:\/\/cyberscoop.com\/ransomware-payments-decline-2024-fincen\/\">combined $2.1 billion in payments<\/a> during the three-year period ending in December 2024 and about 3,000 total attacks in 2023 and 2024, according to the Treasury Department\u2019s Financial Crimes Enforcement Network.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Businesses, of course, see opportunity in all of that activity and boutique firms have assembled teams to support victim organizations by engaging in ransomware negotiations on their behalf in the wake of attacks.&nbsp;<\/p>\n<p>This ancillary industry fosters additional ethical challenges, especially when there\u2019s a built-in financial incentive for ransomware negotiations to occur and, in some cases, result in payments.<\/p>\n<p>A general lack of transparency in billing puts the practices of some of these firms under heavier scrutiny. 
Some firms charge a flat fee or hourly rate, while others use a contingency model based on the percentage of the ransom reduction they\u2019re able to achieve, DiMaggio said.&nbsp;<\/p>\n<p>\u201cIt\u2019s not the norm across the industry, but it happens, and it introduces a clear conflict of interest,\u201d he added. \u201cWhen a negotiator\u2019s income depends on the ransom outcome, it blurs the line between representing the victim and profiting from the crime.\u201d<\/p>\n<p>While some ransomware negotiation providers do, indeed, charge a small percentage off the ransom payment, victim organizations should avoid hiring any firm that employs that model, Elovitz said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIf you\u2019re making a percentage of the payment, then at least there\u2019s some financial incentive to not negotiate it down as far as you might otherwise,\u201d he added.&nbsp;<\/p>\n<p>DiMaggio would like to see more clarity around how service providers set prices for ransomware negotiation. 
Absent that, he said, \u201cthe industry will keep living in a moral gray zone, one where good intentions can unintentionally sustain the very ecosystem we\u2019re trying to dismantle.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-rules-of-engagement-don-t-apply\">Rules of engagement don\u2019t apply<\/h4>\n<p>Ransomware negotiation remains an ill-defined, largely unrestricted practice, absent any collective industrywide agreement on rules of engagement.<\/p>\n<p>Any effort to define rules upon which the industry can coalesce could potentially pit competitors against one another, leaving room for those more willing to bend the norms an opportunity to win business by providing less scrupulous services.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Negotiators are effectively unfettered once they ensure they\u2019re not breaking any laws by engaging with or sending money to sanctioned criminals.<\/p>\n<p>Still, there\u2019s an unmet need for checks and balances, oversight, transparency and a standardized set of rules for negotiators to follow without crossing any professional or personal lines.&nbsp;<\/p>\n<p>Part of the challenge with external oversight lies in the act of negotiation, an art that requires intermediaries to build limited trust with attackers spanning conversations that may not play well in the public sphere, Elovitz said.&nbsp;<\/p>\n<p>\u201cPutting that under a microscope could inhibit the good guys more than the bad,\u201d he said. 
Payments themselves, however, could benefit from more scrutiny, Elovitz added.&nbsp;<\/p>\n<p>Clarity in purpose should prevail above all of these factors.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Protecting victims without empowering criminals is the first principle of ransomware negotiation, but that balance can\u2019t be managed in the dark, DiMaggio said.&nbsp;<\/p>\n<p>\u201cI\u2019ve seen firsthand how the lack of oversight allows abuse from both sides of the table,\u201d he said.<\/p>\n<p>To prevent manipulation, DiMaggio called for a standardized framework, vetted negotiators, recorded and auditable communications and anonymized after-action reviews.<\/p>\n<p>\u201cWithout accountability, the victims end up paying twice,\u201d he said. \u201cOnce to the criminals, and again to the people who claim to save them.\u201d<\/p>\n<p>The scars from years spent as a ransomware negotiator brought Minder back to where his intuition was before he ever got involved. \u201cI don\u2019t believe this should be a business. I say that having been paid to do this,\u201d he said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIt\u2019s almost like a parasitic industry,\u201d Minder said. 
\u201cYou\u2019re profiting from victims.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.9403815580286\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/the-thin-line-between-saving-a-company-and-funding-a-crime-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/article>\n<p> <\/main> <\/p>\n<p> <\/body> <a href=\"https:\/\/cyberscoop.com\/ransomware-negotiation-pitfalls-moral-gray-zone\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The thin line between saving a company and funding 
a<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4725,5829,2350,282,78,1583,323,5628,3911,387,5830,281,684,646,715,46,5690,5831,288,509,183,5242,5832],"tags":[4729,5833,2354,286,86,1587,327,5629,3915,391,5834,285,689,650,720,54,5691,5835,294,511,207,5244,5836],"class_list":["post-8276","post","type-post","status-publish","format-standard","hentry","category-bitdefender","category-coveware","category-crowdstrike","category-cybercrime","category-cybersecurity","category-encryption","category-extortion","category-fincen","category-flashpoint","category-google","category-groupsense","category-hacking","category-halcyon","category-mandiant","category-palo-alto-networks","category-ransomware","category-ransomware-negotiation","category-surefire-cyber","category-threats","category-treasury-department","category-unit-42","category-veeam","category-xfil-cyber","tag-bitdefender","tag-coveware","tag-crowdstrike","tag-cybercrime","tag-cybersecurity","tag-encryption","tag-extortion","tag-fincen","tag-flashpoint","tag-google","tag-groupsense","tag-hacking","tag-halcyon","tag-mandiant","tag-palo-alto-networks","tag-ransomware","tag-ransomware-negotiation","tag-surefire-cyber","tag-threats","tag-treasury-department","tag-unit-42","tag-veeam","tag-xfil-cyber"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bitdefender\/\" rel=\"category tag\">Bitdefender<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/coveware\/\" rel=\"category 
tag\">Coveware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/encryption\/\" rel=\"category tag\">encryption<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fincen\/\" rel=\"category tag\">FinCEN<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/flashpoint\/\" rel=\"category tag\">Flashpoint<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/groupsense\/\" rel=\"category tag\">GroupSense<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/halcyon\/\" rel=\"category tag\">Halcyon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware-negotiation\/\" rel=\"category tag\">ransomware negotiation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/surefire-cyber\/\" rel=\"category tag\">Surefire Cyber<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/treasury-department\/\" rel=\"category tag\">Treasury 
Department<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/veeam\/\" rel=\"category tag\">Veeam<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/xfil-cyber\/\" rel=\"category tag\">XFIL Cyber<\/a>","tag_info":"XFIL Cyber","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8276"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8276\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}