Frequently Asked Questions About Cyber Extortion and Ransomware

When organizations become victims of cyber extortion, they often face the same questions: Should we pay the ransom? Will stolen data be published? Can threat actors be trusted?

In our experience, these questions rarely have simple answers. The following questions and answers provide initial guidance and cover technical, financial, legal, and strategic aspects of a ransomware attack. They are not a substitute for individual advice, but they help organizations better assess risks and make informed decisions.


Ransom Demands, Negotiations, and Threat Actors

Questions about ransom demands, communication with threat actors, and typical behavioral patterns of ransomware groups

Should you pay the ransom?

Whether an organization should pay a ransom after a ransomware attack cannot be answered in general terms. Every crisis situation requires an individual assessment of technical, legal, financial, and operational factors.

Paying a ransom neither guarantees the full recovery of encrypted data nor the deletion of stolen information. Organizations should first determine whether recovery from backups is possible and what alternatives are available.

Expert Insight from RiskWorkers
In practice, we often see organizations debating whether to pay at far too early a stage. First, the actual extent of the damage, the ability to recover systems and data, and the impact of a potential data leak need to be assessed. Only then can an informed decision be made.

How high are typical ransom demands?

The amount of a ransom demand varies considerably and depends on the industry, the size of the organization, and the threat actors’ assessment of the victim’s ability to pay.

While smaller organizations are often confronted with demands in the five- to six-figure range, larger mid-sized companies and corporations may face demands of several million euros.

Expert Insight from RiskWorkers
The initial demand is rarely the final one. Many threat actors deliberately build negotiation margins into their demands. The original amount is often intended to test the organization’s pain threshold.

Are stolen data always disclosed?

No. The threat of disclosure is often used to put additional pressure on the affected organization.

Possible scenarios range from the complete publication of stolen data to the gradual release of individual data sets or the sale of the data to third parties. In some cases, stolen data are never published at all.

Expert Insight from RiskWorkers
Organizations should always assume that stolen data could be published. Communication and crisis management plans should therefore be prepared independently of any ongoing negotiations.

Can you negotiate with hackers?

Yes. Negotiations with cybercriminals are now an integral part of many ransomware cases.

Negotiations are not necessarily about preparing a payment. They can help organizations gain time, gather information, verify claims made by the threat actors, and keep strategic options open.

Expert Insight from RiskWorkers
Professional negotiations often pursue several objectives at the same time. In addition to the financial aspect, they frequently involve requesting technical proof, assessing the seriousness of the threat actors, and gaining additional time for crisis management.

Can you trust the extortionists?

Generally speaking, no. Cybercriminals operate outside any legal or contractual obligations.

At the same time, many threat actors pursue financial interests and seek to maintain their "reputation" within the cybercrime ecosystem. As a result, some groups are more likely to keep certain promises than others. However, there are never any guarantees.

Expert Insight from RiskWorkers
The key question is not whether you trust the threat actors. The key question is which of their claims can be verified. Professional negotiations are based on verification, not trust.

Is it illegal to pay a ransom?

At present, there is no general legal prohibition in Germany against paying a ransom after a ransomware attack.

However, regulatory, insurance-related, or sanctions-related requirements may apply. In particular, organizations must determine whether sanctions or embargo regulations are relevant when dealing with international threat actors.

Expert Insight from RiskWorkers
Before considering any payment, organizations should consult legal specialists. Today, legal assessment is an integral part of professional crisis management.

Does an organization need to have its own cryptocurrency wallet?

No. Organizations do not necessarily need their own cryptocurrency wallet.

If a payment is considered at all, the technical transaction is often handled by specialized service providers, insurers, or other involved experts.

Expert Insight from RiskWorkers
Many organizations deal with cryptocurrencies for the first time during an ongoing crisis. The technical handling of a payment should never be improvised but should always be supported by experienced professionals.

Is paying a ransom cheaper or more expensive?

This question cannot be answered in general terms either.

Factors to consider include:

  • The amount of the ransom demand
  • Duration of the operational disruption
  • Recovery costs
  • Contractual penalties
  • Reputational damage
  • Potential disclosure of stolen data
  • Long-term security measures

Paying a ransom does not automatically reduce the total cost of an incident.

Expert Insight from RiskWorkers
The actual cost of cyber extortion often far exceeds the ransom demand itself. Business interruption, crisis communications, legal advice, forensics, recovery efforts, and reputational damage frequently account for the largest share of the overall losses.


Impact and Consequences of a Ransomware Attack

Information about data disclosure, attack duration, financial impact, and the potential consequences for organizations

How long does a ransomware attack last?

The technical attack itself often takes place within a few hours or days. However, the consequences for the affected organization can last for weeks or even months.

Typically, three phases can be distinguished:

  • Acute phase (1–7 days)
  • Stabilization phase (1–6 weeks)
  • Recovery and post-incident phase (several weeks to months)

Expert Insight from RiskWorkers
A ransomware attack is rarely just an IT issue. In most cases, it develops into a business crisis that affects management, communications, legal, compliance, and operational functions alike.

Will we be attacked again after paying a ransom?

Paying a ransom does not protect organizations from future attacks. Companies that have fallen victim to a ransomware attack may become targets of the same or other threat actors again.

Cybercriminals exchange information within their networks. Therefore, it is important not only to overcome the immediate crisis after an incident but also to strengthen the security architecture in a sustainable way.

Expert Insight from RiskWorkers
We regularly observe organizations underestimating the root cause of the attack. Simply restoring systems without closing security gaps significantly increases the risk of a similar incident in the future.

How do threat actors know how much we can pay?

Modern ransomware groups prepare their attacks thoroughly. They often analyze:

  • Company size
  • Revenue and profit
  • Public financial reports
  • Press releases
  • Number of employees
  • Market position
  • Existing cyber insurance coverage

The amount of the ransom demand is often based on the estimated financial capabilities of the targeted organization.

Expert Insight from RiskWorkers
Many threat actors know a surprising amount about the affected organization. During negotiations, it often becomes clear that extensive research was conducted long before the ransom demand was made.

What happens if we do not respond?

If organizations do not respond to the demands, threat actors may react in different ways.

Possible consequences include:

  • Disclosure of stolen data
  • Contacting customers or business partners
  • Publication on leak sites
  • Sale of the data to third parties
  • Termination of communications

Each threat actor follows a different strategy.

Expert Insight from RiskWorkers
Not every threat is carried out. At the same time, no threat should be ignored. The actual risk assessment depends on the specific capabilities, motives, and past behavior of the threat actor.

Do threat actors really publish customer data?

Yes. In the past, numerous threat actors have published customer data, contractual documents, financial information, or personally identifiable information (PII).

However, not every threatened disclosure actually takes place.

Expert Insight from RiskWorkers
The greatest challenge often arises not from the disclosure itself, but from the loss of trust among customers, business partners, and employees. Communication strategies should therefore be prepared at an early stage.

Can you prevent data from being disclosed?

There is no one hundred percent guarantee.

Even if threat actors promise to delete data or refrain from publishing it, a residual risk always remains.

Expert Insight from RiskWorkers
Organizations should never base their strategy solely on promises made by threat actors. What matters most is being prepared for the worst-case scenario.

What is the true cost of a ransomware attack?

The total cost is often made up of numerous factors, including:

  • Business interruption
  • Recovery efforts
  • Forensics
  • Legal advice
  • Crisis communications
  • Notification of affected individuals
  • Reputational damage
  • Security improvements

In many cases, these costs significantly exceed the ransom demand itself.

Expert Insight from RiskWorkers
From a management perspective, the ransom demand is often only one part of the problem. The real challenge usually lies in the business consequences of the crisis.


Crisis Management and Sound Decision-making

Answers to questions about cyber insurance, law enforcement agencies, negotiations, and the professional handling of cyber extortion

Can cyber insurance cover ransom payments?

Depending on the policy, the country, and applicable regulations, cyber insurance may cover certain costs.

This may include:

  • Forensics
  • Crisis management
  • Legal advice
  • Communications consulting
  • Technical recovery

Whether the ransom payment itself is covered depends on the specific terms and conditions of the insurance policy.

Expert Insight from RiskWorkers
Organizations should involve their insurers at an early stage. Many policies contain notification requirements or specify procedures that must be taken into account.

How much reduction is realistic in ransom negotiations?

The scope for negotiation varies considerably from case to case.

There is no fixed percentage that applies to all situations. Relevant factors include:

  • The threat actor involved
  • The amount of the initial demand
  • Time pressure
  • The organization's ability to recover
  • The credibility of the negotiation position

Expert Insight from RiskWorkers
Successful negotiations are not based on aggressive bargaining. What matters most is building credible arguments and understanding the negotiation dynamics of the opposing side.

Should law enforcement be involved?

In many cases, involving law enforcement agencies is advisable.

Authorities may:

  • Provide information about threat actors
  • Support investigations
  • Use international contacts
  • Contribute additional intelligence and situational awareness

However, this decision should always be embedded in the overall crisis management strategy.

Expert Insight from RiskWorkers
Cooperation with law enforcement and operational crisis management are not mutually exclusive. Both approaches can be combined effectively.

Who should communicate with the extortionists?

Communication with the threat actors should be managed as centrally as possible.

Uncoordinated contact by different individuals can:

  • Weaken the negotiation position
  • Create conflicting information
  • Introduce additional risks

Expert Insight from RiskWorkers
In many cases, communication with threat actors is a discipline of its own. Negotiation experience, psychological understanding, and crisis management play a central role.

How can you identify professional ransomware groups?

Professional threat actors often have:

  • Structured communication channels
  • Standardized ransom demands
  • Technical support capabilities
  • Leak websites
  • Established negotiation processes

However, this does not mean that their statements are automatically credible.

Expert Insight from RiskWorkers
When assessing a threat actor, the most important factor is not how professionally they appear, but how they have behaved in comparable cases.

What is the biggest mistake after an attack?

The most common mistake is to view the situation solely as an IT security incident.

Ransomware regularly affects:

  • Executive management
  • Operations
  • Communications
  • Legal
  • Compliance
  • Customer relationships
  • Supply chains

Expert Insight from RiskWorkers
The most successful organizations treat a ransomware attack as a business crisis from the very beginning. This enables faster decision-making, better risk assessment, and helps maintain the organization's ability to act.