As ransomware attacks increase, more companies are seeking specialist negotiators who deal directly with hackers.
The Financial Times reported on Saturday that demand is rising for ransomware negotiators held by major security companies such as Palo Alto Networks and Sophos, as cyber attacks targeting large corporations worldwide surge.
The FT reported this, citing sources familiar with internal matters.
Dan Saunders (댄 사운더스), incident response director at Quorum Cyber, said the negotiator’s role has three parts: buying time, helping executives make decisions and collecting information to identify attackers.
He said, “Taking part in negotiations does not necessarily mean you have to pay money.”
Negotiators use tactics such as posing as a junior IT staffer or slowing the pace by sending only 1 or 2 messages a day. One negotiator at Sophos said, “It is closer to a delicate dance than a negotiation,” adding, “If you make a mistake, you can cause serious damage to the client.”
Negotiations last from 3 days to 3 weeks. They take place through dark web portals, email and the encrypted messenger TOX.chat.
Sophos said cyber criminals typically demand about 1 to 2 percent of a victim company’s annual revenue. Negotiators seek to reduce the ransom while also tracing IP addresses and cryptocurrency wallets to identify the other side. Many negotiators are former law enforcement officials and use skills learned in previous roles.
Don Wiper (돈 와이퍼) of Digital Mint said, “Cyber criminals often behave in a young and immature way,” adding, “They are often in their early teens or early 20s. There was also a hacker who sent a cake with a thank-you note after receiving the ransom.”
Experts stress that companies must conduct a legal review before paying a ransom to determine whether it would violate international sanctions. Jonathan Kewley (조너선 큐리), a partner at Clifford Chance, said, “The process of checking whether you are violating sanctions rules is very complex and difficult.”
Another problem is that paying a ransom does not guarantee the hackers will keep their promise.
A Sophos ransomware report said the share of cyber attacks in which a ransom was paid fell to less than half in 2025, down from 56 percent in 2024. It attributed the decline to increased use of professional negotiators and the spread of preventive measures such as data backups.
