SANS Cyber Defense Initiative 2025: SANS@Night - Pay to Play: Surviving and Winning Ransomware Negotiations in 2025

When cybercriminals hold your data hostage, do you pay the ransom or call their bluff?

In 2024, only 25% of organizations paid ransoms—an all-time low—yet those who did pay still only achieved 46% full data recovery. In this talk, we'll dissect the high-stakes world of ransomware negotiations, where million-dollar decisions happen under extreme pressure. Drawing from real-world negotiation transcripts and the groundbreaking Coinbase case—where a $20M ransom demand was flipped into a $20M bounty for attacker arrests—we'll expose how RaaS platforms have professionalized extortion with customer service portals and triple extortion tactics.

This isn't your typical "don't pay ransoms" talk. We'll explore the harsh realities where business continuity and regulatory pressure create impossible choices, providing practical frameworks for decision-making under duress, technical protocols for verifying attacker claims, and strategies for maintaining leverage when all seems lost. Because in the world of ransomware negotiations, the only thing worse than paying is paying badly.