Ransomware Response Guide

STOP. Do not reboot. Do not contact the attacker yet. This guide covers the technical containment, legal risks, and the "Pay vs. No Pay" decision framework used by professionals.

Critical Priority. Updated Nov 2025.

Critical Warning: Do NOT Reboot

Rebooting encrypted servers can corrupt the file system permanently or trigger "wiper" logic that deletes the encryption key from memory. Disconnect the network cable or disable the virtual network adapter instead.

1 Technical Containment

Isolate, Don't Destroy

Sever the connection between the infected VLAN and the rest of the network. Do not shut down the machine unless encryption is actively running and CPU usage is 100%.

Preserve Evidence

Take a snapshot of the memory (RAM) if possible. This is often where the encryption key resides. Forensic firms need this to determine how the attackers got in.

Disable User Accounts

Assume Active Directory is compromised. Reset the krbtgt account password twice (to invalidate all Kerberos tickets) and disable all Domain Admin accounts.

Check Backups

Physically disconnect your backups immediately. Attackers often wait to detonate ransomware until after they have deleted or encrypted your backups.
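The Active Directory step above (double krbtgt reset, then disabling Domain Admins), as an added PowerShell example that is not part of this guide. It assumes the RSAT ActiveDirectory module and repadmin are available, and that "ir-breakglass" is a hypothetical emergency admin account you keep enabled so you are not locked out of the domain. The wait between the two resets gives the first new key time to replicate to every DC; skipping it can leave DCs out of sync and break authentication domain-wide.

```powershell
# Added example (not from the guide): emergency krbtgt double reset and Domain Admin lockdown.
# Run as a still-trusted account from a DC or an admin workstation with RSAT installed.
#Requires -Modules ActiveDirectory
param(
    [string]$BreakGlass = 'ir-breakglass',   # hypothetical break-glass account to leave enabled
    [int]$ReplicationWaitMinutes = 15        # assumed: long enough for AD replication to converge
)
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

function New-RandomPassword {
    # 32 random bytes, base64-encoded; the krbtgt password is never typed interactively
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString -AsPlainText -Force ([Convert]::ToBase64String($bytes))
}

function Reset-Krbtgt {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword) -Server $pdc
    # Push the new key to every DC right away instead of waiting for the replication schedule
    repadmin /syncall $pdc /AdeP | Out-Null
    $ver = (Get-ADUser krbtgt -Properties msDS-KeyVersionNumber -Server $pdc).'msDS-KeyVersionNumber'
    Write-Host "krbtgt reset on $pdc, key version is now $ver"
}

# First reset: new tickets use the new key, tickets signed with the old key still validate
Reset-Krbtgt
Write-Host "Waiting $ReplicationWaitMinutes minutes for replication before the second reset..."
Start-Sleep -Seconds ($ReplicationWaitMinutes * 60)
# Second reset: the key the attacker may hold drops out of the history, so all existing
# tickets (including forged golden tickets) stop validating and every client re-authenticates
Reset-Krbtgt

# Disable every Domain Admin except the break-glass account, logging each change for the IR record
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $BreakGlass }
foreach ($a in $admins) {
    Disable-ADAccount -Identity $a.DistinguishedName
    Write-Host "Disabled Domain Admin: $($a.SamAccountName)"
}
```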

2 The Decision: To Pay or Not to Pay?

This is a business decision, not just a technical one. Use this decision matrix to evaluate your position.

| Factor | Lean Towards: DON'T PAY | Lean Towards: PAY |
|---|---|---|
| Backups | Backups are immutable, tested, and offline. | Backups are encrypted, deleted, or corrupt. |
| Data Exfiltration | Logs show no data left the network. | Sensitive PII/IP was stolen (Double Extortion). |
| Downtime Cost | Can operate manually for 2-3 weeks. | Cost of downtime > Cost of ransom + legal risk. |
| Attacker Reputation | Known to take money and run (e.g., some splinter groups). | "Professional" group known to honor agreements. |

3 Negotiation Scripts

If you must engage, never use your real email. Use a burner ProtonMail account. Do not show anger. Treat it as a business transaction.

Script 1: Initial Contact (Stalling)

"We have received your message. We are currently assessing the situation to understand what files are affected. We are a small team and need time to review the logs. We will respond within 24 hours."

Goal: Buy time for your team to assess backups without angering the attacker.

Script 2: Proof of Life (Verification)

"Before we can discuss any payment, we need proof that you can actually decrypt our files. Please decrypt the attached 3 files. Note: These files have no commercial value but are critical for our system configuration."

Goal: Verify they have the key. Send benign files (e.g., a random DLL or logo), never sensitive data.

Script 3: The Lowball (If Paying)

"Management has authorized a maximum payment of $X [10-15% of demand]. We are a non-profit/struggling business and simply do not have the funds you are asking for. If this is not acceptable, we will be forced to declare bankruptcy and nobody gets paid."

Goal: Anchor the negotiation low. Attackers prefer a small payout over $0.

Frequently Asked Questions

Should I pay the ransomware demand?

The FBI and most security experts advise against paying. However, business reality is complex. You should only consider paying if: 1) You have no viable backups, 2) The data loss would destroy the business, AND 3) You have verified (via proof of life) that the attacker can actually decrypt the data.

Is it illegal to pay ransomware?

In the US, it is not strictly illegal to pay, but OFAC (the Office of Foreign Assets Control) can fine companies that pay sanctioned entities (e.g., Russian state-sponsored groups like Evil Corp). You must check the wallet address against sanctions lists before paying.

How long does ransomware recovery take?

Full recovery typically takes 3-4 weeks. Even with a decryptor key, the process is slow and prone to errors. Rebuilding from backups is often faster than decrypting large datasets.

Need Professional Negotiators?

Don't negotiate alone. Professional ransomware negotiators can often lower the ransom by 50-70% and handle the crypto transaction compliance.