Inside Ransomware Negotiations: Trust Criminals or Walk Away?

Mar 19, 2026

Jeremy D. Brown, Consulting Director at Unit 42 with extensive ransomware negotiation and incident response experience. He recounts how initial contact yields forensic clues and which attacker playbooks are most common. He explains timing, who should be at the table, why politeness helps, and which groups are too risky or sanctioned to engage.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

From Public Sector Rules To Private Sector Negotiator

Jeremy D. Brown transitioned from public sector where negotiation was taboo to private sector where he learned to negotiate with criminals.
He trained under a skilled mentor at Cripsis and pursued negotiations as a unique, recurring challenge.

ADVICE

Engage Attackers Through Professionals To Gather Intel

Do engage threat actors through professionals to gather forensic intelligence without committing to payment.
Jeremy D. Brown uses early contact to obtain file listings and indicators so clients can assess data in play and notification obligations.

ADVICE

Brief Executives With A Seasoned Negotiation Lead First

Use experienced negotiation leads to brief leadership and counsel on expectations before contacting attackers.
Jeremy D. Brown acts as executive advisor to explain threat actor playbooks, communications, and likely outcomes to calm the victim organization.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

What happens when you're face-to-face with a ransomware gang demanding millions—and every decision could determine whether your company survives?

Jeremy D. Brown, Consulting Director at Palo Alto Networks Unit 42 with nearly seven years negotiating with cyber criminals, reveals the hidden world of ransomware negotiations. With hundreds of negotiations under his belt, Jeremy knows which groups honor their promises, which ones to never pay, and exactly what mistakes can cost you everything.

You'll learn:

- Why contacting a threat actor doesn't mean you have to pay (the #1 misconception that paralyzes victims)

- How to extract critical forensic intelligence from attackers during initial contact

- The fatal mistakes organizations make that destroy their negotiation leverage

- Which ransomware groups are sanctioned entities that will land you in legal trouble if you pay

- Why being polite to criminals actually gets you better outcomes than hostility

Jeremy has negotiated with everyone from aggressive groups who email your executives to methodical operators following strict playbooks. He's seen organizations with backups walk away and others pay millions for decryption keys. Managing over 100 incidents, Jeremy has tracked how double extortion evolved from rare to standard practice, and now watches single extortion (data theft without encryption) surge again.

This episode is essential for CISOs who need a negotiation plan before the crisis hits, incident responders building their skillset, and executives who must understand that ransomware response is about far more than just paying or not paying. #IncidentResponse #Ransomware

Related Episodes:

- Mastering the Basics: Cyber Hygiene and Risk Management

- Crisis in the Kitchen

About Threat Vector

Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.

The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.

Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile.⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠http://paloaltonetworks.com.⁠