Threat Vector – Inside Ransomware Negotiations: Trust Criminals or Walk Away?
Podcast: Threat Vector by Palo Alto Networks
Episode Title: Inside Ransomware Negotiations: Trust Criminals or Walk Away?
Date: March 19, 2026
Host: David Moulton
Guest: Jeremy D. Brown, Consulting Director, Palo Alto Networks Unit 42
Episode Overview
In this episode, host David Moulton welcomes Jeremy D. Brown—an expert in ransomware incident response and negotiation—to dig deep into the world of ransomware negotiations. They dissect the process of engaging with cybercriminals, best practices for organizations under attack, legal and ethical considerations, changes in ransomware tactics, and how leaders can better prepare for inevitable “worst day” scenarios.
Key Discussion Points & Insights
1. Getting into Threat Actor Negotiation
[02:32–03:23]
- Jeremy describes his transition from the public sector, where negotiation with attackers was off-limits, to the private sector where it’s a reality.
- His initial intrigue came from the ability to communicate directly with cybercriminals, learning from experienced negotiators and responding to numerous ransomware cases.
"It always intrigued me to talk to these cyber criminals...learning from one of the best at the time, and basically I've never looked back since."
—Jeremy D. Brown [02:44]
2. Nature of Incident Response Work
[03:23–04:22]
- Each case presents new challenges, requiring continual learning and rapid adaptation to threat actors’ tactics.
- The unpredictability of the job keeps Jeremy engaged and “never bored.”
"Every single matter that we work, it's different, even if it's against the same ransomware group...You always have to learn something new every day."
—Jeremy D. Brown [03:32]
3. What Is Threat Actor Negotiation?
[04:32–05:43]
- Differentiates between communication (gathering forensic info, stalling, understanding threats) and negotiation (actually bargaining over ransom payment).
- Contacting the criminal isn’t the same as agreeing to pay.
"There is a difference between threat actor communications versus threat actor negotiations."
—Jeremy D. Brown [04:44]
4. Extracting Intelligence from Attackers
[05:43–06:28]
- Through negotiation, responders can learn critical details, such as data exfiltration paths, sometimes unwittingly revealed by the attacker’s “monologuing.”
"Sometimes the more you end up talking to a threat actor, the more they give away a key detail."
—David Moulton [05:43]
5. Threat Actor Playbooks and Ransomware-as-a-Service
[06:28–07:49]
- Most ransomware operations follow repeatable patterns; some (like Akira) are predictable, while others are unpredictable “wild cards.”
- Groups view themselves as businesses with operational hierarchies.
"These cyber criminal rings, they operate as a business...they have the hackers, the bosses, and then the operators..."
—Jeremy D. Brown [07:26]
6. Preparation for Negotiation
[07:49–08:59]
- Preparation starts with executive advisors guiding leadership and legal teams through expected steps, emphasizing communication, transparency, and strategic planning to minimize harm.
7. Importance of Tabletop Exercises
[08:59–09:42]
- Simulation is recommended for preparedness—even for large organizations—so real negotiations aren’t the first exposure for decision-makers.
"Tabletop exercises for a FOAP threat actor. Negotiation is a thing and we recommend things like that for large organizations or any organization, really, from a proactive standpoint..."
—Jeremy D. Brown [09:26]
8. Who Is Involved Internally in Negotiations
[10:35–11:39]
- The circle tightens to just the executive leadership, outside and general counsel, and select experts, not the broader IT staff.
"You want to keep that information really tight in a tight circle...to keep it...more of a tighter circle, if that makes sense."
—Jeremy D. Brown [11:15]
9. Common Misconceptions in Ransomware Negotiations
[11:39–12:47]
- Biggest myth: reaching out to attackers means payment is guaranteed. In reality, communication is often only for information gathering and delay tactics.
"Just because we reach out to these threat actors does not mean you're making a payment."
—Jeremy D. Brown [12:05]
10. The Evolution of Ransomware Tactics
[13:19–14:58]
- Rise of double extortion (encrypting data and exfiltrating sensitive records); sometimes reverting to single extortion (exfiltration without encryption).
- Tactics constantly shift, requiring nimble responses.
"The double extortion really began to rise, you know, right around the COVID time...Interestingly enough, we're starting to see more single extortion again."
—Jeremy D. Brown [13:36]
11. Impact of Attack Tactics on Negotiation Strategy
[15:06–16:16]
- Tactics don’t always affect urgency; often, the data’s value determines whether an organization should negotiate or walk away.
"Every one of these are different, and I mean different...it's really on the client's shoulders of, is this data valuable? Is it not?"
—Jeremy D. Brown [16:01]
12. Red Lines Not to Cross
[16:16–17:05]
- Never appear desperate; it hurts negotiation leverage.
- Never antagonize or insult threat actors. Empathy and politeness yield more information.
"We get more out of these threat actors in the negotiations and communications by being empathetic, sympathetic and apologetic and very polite."
—Jeremy D. Brown [16:57]
13. Timing: When to Engage and When to Walk
[17:05–18:41]
- Negotiations typically start 3–5 days post-incident unless immediate contact is necessary (e.g., all backups deleted).
- Sometimes, if solid backups and no sensitive data are present, the best strategy is to "walk away."
14. Can You Trust Ransomware Attackers?
[18:41–20:45]
- Most criminal groups uphold bargains—delivering decryption tools/data—because failure damages their “business reputation.”
- Some groups are known not to honor deals (e.g., sanctioned entities), and payment is never recommended there.
"If they do things like that, people won't pay...there are groups that we know that I will not recommend to pay. Card is one of them...Wasted Locker is another."
—Jeremy D. Brown [19:54]
15. Assessing Attacker Credibility
[20:45–22:01]
- There is no specific tool; credibility is assessed through experience, internal and external metrics, and anti-money laundering/sanctions checks on payment wallets.
16. Legal and Ethical Considerations
[22:01–23:24]
- Weighing ethics (funding criminals, reputational risk) and legalities (possible lawsuits or regulatory scrutiny).
- Legal counsel guides organizations through these decisions.
"...working with good outside counsel firms, we're really good at walking the customer through each of those considerations..."
—Jeremy D. Brown [22:59]
17. Due Diligence and Compliance
[23:15–24:14]
- Payments are made only after AML/OFAC checks, to ensure compliance with sanctions and prevent illegal transactions; some groups (e.g., SamSam, Wasted Locker) cannot be paid.
18. How Leaders Can Prepare
[24:14–25:46]
- Three steps:
  - Know your critical data—what’s truly valuable/sensitive.
  - Identify in advance who will be part of the response and negotiation process.
  - Conduct tabletop exercises to practice responses and decision-making.
"Knowing the key players that would be involved in this is also critical. And then number three, going through a tabletop exercise...just so you kind of have you get your toes wet a little bit in case it ever happens."
—Jeremy D. Brown [24:42]
Notable Quotes & Memorable Moments
- "Do not contact a threat actor on your own. Do not talk nasty to them. Adverse things will happen. Engage a professional negotiator that has done this many times."
  —Jeremy D. Brown [00:26]
- "We get more out of these threat actors...by being empathetic, sympathetic, and apologetic and very polite."
  —Jeremy D. Brown [16:57]
- "Most of these cyber criminal rings...do live up to the negotiations...if they don't...nobody's going to pay them in this industry."
  —Jeremy D. Brown [19:18]
- "Tabletop exercises for a FOAP threat actor. Negotiation is a thing and we recommend things like that for large organizations..."
  —Jeremy D. Brown [09:26]
Important Timestamps
- [00:26] – Opening warning: Don’t engage threat actors solo.
- [02:44] – Jeremy’s origin story in ransomware negotiations.
- [04:44] – Difference between initial communication and negotiation.
- [06:28] – Observations on ransomware group “playbooks”.
- [09:26] – On tabletop exercises for negotiation preparedness.
- [12:05] – Top misconception: Contacting attackers = automatic payment.
- [13:36] – Explaining double extortion and evolving tactics.
- [16:16] – Do’s and don’ts: never show desperation or get hostile.
- [18:41] – On credibility: Can ransomware actors be trusted?
- [22:19] – Ethical & legal dilemmas in ransom negotiation/payment.
- [24:42] – Top three leadership actions for negotiation readiness.
Final Insights
Jeremy and David demystify the tense world of ransomware negotiations, stressing preparedness, professionalism, and the critical value of expert guidance. Organizations are urged to practice—before an attack—identifying what data is sensitive, who’s in charge during a crisis, and rehearsing negotiation scenarios. Despite dealing with criminals, most threat actors act in consistent patterns—and professionals like Jeremy are essential guides during high-stakes incidents.
For more info or to connect with Jeremy, check out his work via Unit 42’s blogs or reach him on LinkedIn.
