NordStellar research reveals ransomware's manipulative sales pitch: Threats, discounts, and "security audits"

Findings from leaked ransomware negotiations expose upselling practices, special discounts, and manipulation tactics used by threat actors

NEW YORK, May 21, 2026 (GLOBE NEWSWIRE) -- The latest findings from NordStellar, a threat exposure management platform, reveal that ransomware attacks remain a persistent threat, and the number of attacks remains high in Q1 2026. An analysis of leaked ransomware negotiations reveals a manipulative sales playbook where attackers threaten to leak data in 76% of cases while also offering discounts (45.5%) and upselling services like “security audits.”

According to findings from NordStellar, 2,283 ransomware incidents were reported during January-March of 2026. The number marks a 21.5% decrease from 2,910 incidents recorded in Q4 2025, which set a two-year record for the highest number of attacks.

Compared with Q1 2025, when the Cl0p Leaks group re-emerged and the number of attacks reached 2,498, Q1 2026 slowed down by only 8.6%.

“Ransomware activity surged in Q4 2025, most likely due to attackers exploiting end-of-year cybersecurity gaps caused by reduced human resources in organizations,” says Vakaris Noreika, cybersecurity expert at NordStellar. “In Q1 2026, established ransomware groups like Sinobi and Cl0p Leaks experienced a sharp decline, most likely due to law enforcement operations. However, other actors filled the gap, notably the Gentlemen group, which was quiet last quarter but is now the second‑most active ransomware group this year so far.”

Q1 2026 ransomware trends mirror the tendencies observed in 2025: Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million were the most affected.

Attackers continued to focus on manufacturing companies based in the US. The full Q1 2026 ransomware report is available at https://nordstellar.com/blog/ransomware-statistics/.

Breaking down ransomware negotiations: Tactics, discounts, and upselling

NordStellar analyzed 246 unique leaked conversations between ransomware groups and victim companies from 2020 to 2026. As many as 25.6% of the analyzed negotiations ended in companies paying the ransom demands, and the median discount in those payments was 57%, with the highest recorded discount reaching as high as 96.2%.

“Attackers often have a ‘discount phase’ early on — they’ll drop the initial price by 25-67% if companies engage quickly,” says Mantas Sabeckis, a senior threat intelligence researcher at Nord Security, a global cybersecurity powerhouse. “This is a sales tactic. It’s recommended to negotiate the price, even if the company is able to pay the full amount.”

Sabeckis notes that ransomware actors also try to upsell their services. In 16.3% of the analyzed negotiations, attackers offered victims “all services included” bundled packages, often containing data decryption and deletion.

In 21.6% of the conversations, ransomware actors offered to sell the data decryption tool separately. Multiple pricing tiers containing different services were proposed in 8.6% of cases, and 7.3% of conversations contained offers to purchase a “security audit/report.” In 3.7% of the conversations, the attackers charged more for extending the negotiation time, and in 16.7% of all conversations, they offered data removal as a separate purchase.

“Even though the promise of data deletion appears often, there’s no way for companies to actually verify deletion,” explains Sabeckis. “I’d advise companies to tread carefully and take these statements with a huge grain of salt — ransomware actors are skilled manipulators.”

The analysis also revealed the most common tactics ransomware groups use in negotiations: 76.8% of the conversations contained threats to publish or leak the data. Other common tactics include offering proof of data (55.3%), special price offers (45.5%), threats to inform the media (43.5%), and putting additional pressure on the deadline (41.9%).

Less common tactics include threatening the victim over GDPR violations (17.9%) and threatening to raise the ransom demand (7.3%).

“It’s important to note that the attacker’s deadline is almost never real. They want the money — they won’t walk away on the first day,” says Sabeckis.

The company’s been hit by ransomware: What happens?

When ransomware attackers deploy a successful attack, the company will notice that something’s wrong — files won’t open, or the systems might be down. And there’s usually a message demanding payment.

“The first key step is not to panic — every minute of confusion is a minute of downtime. The clock starts now,” says Noreika. “It’s recommended to not turn off the systems — isolate them from the network, instead, because pulling the plug may destroy forensic evidence. Inspect the ransomware note and document the content, call an incident response firm, and contact a cybersecurity insurance provider immediately — many policies cover incident response, but they may require early notification.”

According to Noreika, investigating the incident is a vital step. The company should analyze which systems were affected, whether backups are still intact and usable, whether any data has been stolen and not just encrypted, and whether the attack has stopped or is still active. It should then try to identify the threat actor.

“These steps should be taken alongside the negotiations process,” explains Noreika. “Negotiations buy companies time and allow them to ask for proof of data, which helps to validate the threat.”

He notes that while all cases are different, industry best practices and the analysis of leaked ransomware negotiations suggest several considerations that companies may want to explore when negotiating with attackers:

  • In-house IT teams are not equipped to handle ransomware attacks and negotiations. They can handle malware removal, but incident response teams handle crises. Ransomware groups are professional manipulators, and professional ransomware negotiators know their tactics and how to navigate them.
  • Slow responses buy time, but complete silence can result in quick escalation. Ask clarifying questions and say you need to consult with leadership and the legal team to buy more time, but avoid resorting to radio silence. If the company is unresponsive, cybercriminals are more likely to ramp up the pressure by leaking a sample of the data, contacting the media or customers, or exposing the information altogether.
  • Not all threats are real. Request proof-of-life by asking the attackers to decrypt a couple of small files to prove that they have a decryptor, or, if they claim to have exfiltrated data, request a data sample to confirm what they actually have. Cross-referencing their claims with the findings of the incident response team will help to verify or rebut the threat.
  • Mentioning law enforcement involvement or cybersecurity insurance providers could actually backfire. Openly disclosing law enforcement involvement might cause the ransomware group to retaliate by increasing the ransom, shortening deadlines, or destroying data to increase pressure for a quick payment. Being upfront about having cybersecurity insurance can be a costly mistake because attackers might take this as an opportunity to increase their demands, knowing a larger payout is possible.

Methodology

NordStellar continuously monitors over 200 blogs run by ransomware groups. Analyzing the listings published by attackers, NordStellar discovered 2,283 ransomware attacks during January-March, 2026. The full methodology can be found in the report, located here: https://nordstellar.com/blog/ransomware-statistics/.

For its ransomware negotiation analysis, NordStellar examined leaked negotiation transcripts from 2020 to 2026, identifying 246 unique exchanges between threat actors and victim organizations. The analysis maps attacker tactics, victim communication patterns, services offered by attackers, and the structure and mechanics of ransom payment demands. The full methodology can be found in the report, located here: https://nordstellar.com/ransomware-negotiation-report/.

ABOUT NORDSTELLAR

NordStellar is a next-generation threat exposure management platform that helps companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a global cybersecurity powerhouse behind one of the world's most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.

Legal Disclaimer

This report is for informational purposes only and does not constitute legal, financial, or cybersecurity advice. The information is provided “as is,” and Nord Security makes no representations or warranties regarding its accuracy, completeness, or timeliness.

Nord Security does not endorse, recommend, or encourage accessing any ransomware groups, threat actors, or engaging in any illegal or criminal activity.

Any reliance on this report is at your own risk. Nord Security, its affiliates, and its authors disclaim all liability for any actions taken or not taken, or for any losses or damages incurred, based on its contents.

Inga Vaitkeviciute
inga@nordsec.com

