'This is a sales tactic': Experts warn ransomware hackers will often lower their prices - with some giving discounts up to 96%

News
By published

Ransomware actors use a whole range of different tactics

Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration
(Image credit: Shutterstock)
  • NordStellar finds many ransomware negotiations go unpaid, usually at steep discounts (median 57%, max 96.2%)
  • Attackers used varied tactics: bundling “services,” offering fake security audits, proof of data, press threats, GDPR violations, and price manipulation
  • Leaking stolen files remained the dominant pressure tactic (76.8%), but deadlines were often bluffs designed to push victims into paying

While threatening to leak stolen data is still the most effective negotiation strategy in ransomware attacks, it’s not the only one, as new research from NordStellar has found cybercriminals employ a whole range of tactics, from significant discounts, to providing “security audits and reports” to the victims.

The company recently analyzed 246 leaked conversations between ransomware groups and victim companies that took place between 2020 and 2026.

A quarter (25.6%) ended up paying, but the vast majority of those did not pay the asking price. The median discount in those payments was 57%, while the highest recorded discount was 96.2%.

Latest Videos From

Bundled services, upselling, and more

The report found crooks often start their negotiation with a sales tactic - respond quickly, and the price drops 25-67% immediately. Stall, and the price rises.

Then, they will split their “services”: decrypting the files being one and deleting the stolen documents the other. In around 16% of cases, the attackers offered victims “all services included” bundle packages, while in 21%, they tried to sell these services separately.

“Even though the promise of data deletion appears often, there’s no way for companies to actually verify deletion,” said Mantas Sabeckis, a senior threat intelligence researcher at Nord Security.

“I’d advise companies to tread carefully and take these statements with a huge grain of salt — ransomware actors are skilled manipulators.”

Funnily enough, in 7.3% of the conversations, the attackers offered their victims a “security audit/report”, as if they were cybersecurity professionals, not lowly criminals.

Threatening to leak the stolen files is by far the most common tactic, used in 76.8% of all analyzed conversations. Other common tactics include providing proof of data (55.3%), special price offers (45.5%) or threatening to go to the press (43.5%). NordStellar has also seen threats of GDPR compliance violations (17.9%) and threats of increasing prices (7.3%).

“It’s important to note that the attacker’s deadline is almost never real. They want the money — they won’t walk away on the first day,” Sabeckis concluded.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.