Blueprint: Build the Best in Cyber Defense

The 2 AM Call: A Ransomware Negotiator's Playbook with Wade Gettle

Feb 9, 2026

Wade Gettle, a senior advisor at Flashpoint and Cyber Mission Planner for the NY Army National Guard, brings intelligence and incident-response experience to high-stakes ransomware talks. He reveals what happens in the first 72 hours, how attackers manufacture urgency, why validation and buying time matter, common entry points like third-party breaches, and practical prep: tabletops, SOC deliverables, and training tools.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Payments Are Less Common, Small Buys Persist

Payments are now rare for large incidents; most organizations avoid paying large ransoms.
Organizations often buy back small credential dumps to prevent wider abuse.

ADVICE

Pay Only As Last Resort

Do consider payment only when backups are destroyed and business continuity is impossible.
Do weigh proprietary, life-or-death, or regulatory-sensitive data heavily in that decision.

INSIGHT

Doxing Is A Psychological Weapon

Threat actors use doxxing and social pressure to intimidate executives but rare follow-through exists.
Organizations still need executive protection and social media hygiene after incidents.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

What happens after you discover ransomware? You have to talk to the attackers. And that conversation can make or break your entire response.

In this episode, Wade Gettle, a professional ransomware negotiator, pulls back the curtain on the high-stakes world of threat actor negotiations. Wade is the person who gets the call at 2 AM when organizations are facing their worst moment, and he's handled negotiations across every scenario imaginable.

You'll learn:

What actually happens in the first 72 hours of a ransomware incident
The psychological tactics threat actors use to manufacture urgency and pressure
Why those 24-hour deadlines aren't real—and how to buy yourself time
How threat actors research your financials, insurance policies, and supply chain before making contact
When data validation saves companies from paying ransoms for data that isn't even theirs
The real cost of ransomware (spoiler: it's 10x the ransom amount)
Why paying doesn't guarantee your data back—or that you won't get hit again
Third-party breaches: the biggest risk vector right now

Key takeaway: Ransomware negotiations are psychological warfare disguised as business transactions. The best defense is being more prepared than the attackers expect you to be.

Resources mentioned in this episode:

ransomware.live (ransomware group tracking, info, conversations and more)
ransomlook.io (ransomware group tracking and statistics)
ChatGPT Ransomware Negotiation Simulator: https://chatgpt.com/g/g-679a6253574c8191a998145044b9c651-ransomsim-ransomware-negotiation-trainer
Wade Gettle on LinkedIn: https://www.linkedin.com/in/wade-gettle-7733704a/

About the guest: Wade Gettle is a Senior Advisor at Flashpoint and serves as a Cyber Mission Planner for the New York Army National Guard. With a background in intelligence analysis, incident response, and threat intelligence, Wade brings calm to the storm when organizations face their most critical security incidents.

Contact, Courses, and More:

For feedback, reviews, guest pitches, or to get in contact with me for any other reason, head to blueprintpodcast.live!

Check out John's SOC Training Courses for SOC Analysts and Leaders:

Follow and Connect with John: LinkedIn