
The latest findings from NordStellar reveal that ransomware attacks remain a persistent threat, and the number of attacks remains high in Q1 2026. An analysis of leaked ransomware negotiations reveals a manipulative sales playbook where attackers threaten to leak data in 76 percent of cases while also offering discounts (45.5 percent) and upselling services like “security audits.”
“Ransomware activity surged in Q4 2025, most likely due to attackers exploiting end-of-year cybersecurity gaps caused by reduced human resources in organizations,” says Vakaris Noreika, cybersecurity expert at NordStellar. “In Q1 2026, established ransomware groups like Sinobi and Cl0p Leaks experienced a sharp decline, most likely due to law enforcement operations.
"However, other actors filled the gap, notably the Gentlemen group, which was quiet last quarter but is now the second‑most active ransomware group this year so far.”
Q1 2026 ransomware trends mirror the tendencies observed in 2025:
- Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million were the most affected.
- Attackers continued to zone in on manufacturing companies based in the U.S.
Tactics, Discounts and Upselling
NordStellar analyzed 246 unique leaked conversations between ransomware groups and victim companies from 2020 to 2026. As many as 25.6 percent of the analyzed negotiations ended in companies paying the ransom demands, and the median discount in those payments was 57 percent, with the highest recorded discount reaching as high as 96.2 percent.
“Attackers often have a ‘discount phase’ early on — they’ll drop the initial price by 25-67 percent if companies engage quickly,” says Mantas Sabeckis, a senior threat intelligence researcher at Nord Security. “This is a sales tactic. It’s recommended to negotiate the price, even if the company is able to pay the full amount.”
Sabeckis notes that ransomware actors also try to upsell their services. In 16.3 percent of the analyzed negotiations, attackers offered victims “all services included” bundled packages, often containing data decryption and deletion.
In 21.6 percent of the conversations, ransomware actors offered to sell the data decryption tool separately, multiple pricing tiers containing different services were proposed in 8.6 percent of cases, and 7.3 percent of conversations contained offers to purchase a “security audit/report.” In 3.7 percent of the conversations, the attackers charged more for extending the negotiation time, and in 16.7 percent of all conversations, they offered data removal as a separate purchase.
“Even though the promise of data deletion appears often, there’s no way for companies to actually verify deletion,” explains Sabeckis. “I’d advise companies to tread carefully and take these statements with a huge grain of salt — ransomware actors are skilled manipulators.”
The analysis also revealed the most common tactics ransomware groups use in negotiations — 76.8 percent of the conversations contained threats to publish or leak the data. Other common denominators include crypto payment instructions (61.4 percent), offering proof of data (55.3 percent), special price offers (45.5 percent), threats to inform the media (43.5 percent), and putting additional pressure on the deadline (41.9 percent).
Less common tactics include threatening the victim with violating GDPR compliance (17.9 percent) and threats to increase the price of the demands (7.3 percent). “It’s important to note that the attacker’s deadline is almost never real. They want the money — they won’t walk away on the first day,” says Sabeckis.
Hit by Ransomware: What Happens?
“The first key step is not to panic — every minute of confusion is a minute of downtime. The clock starts now,” says Noreika. “It’s recommended to not turn off the systems — isolate them from the network, instead, because pulling the plug may destroy forensic evidence. Inspect the ransomware note and document the content, call an incident response firm, and contact a cybersecurity insurance provider immediately — many policies cover incident response, but they may require early notification.”
According to Noreika, investigating the incident is a vital step. The company should analyze what systems were affected, if backups are still intact and usable, if any data has been stolen and not just encrypted, and whether the attack has stopped or is still active, and then they should try to identify the threat actor.
“These steps should be taken alongside the negotiations process,” explains Noreika. “Negotiations buy companies time and allow them to ask for proof of data, which helps to validate the threat.”
He notes that while all cases are different, industry best practices and the analysis of leaked ransomware negotiations suggest several considerations that companies may want to explore when negotiating with attackers:
- Slow responses buy time, but complete silence can result in quick escalation. Ask clarifying questions and say you need to consult with leadership and the legal team to buy more time, but avoid resorting to radio silence. If the company is unresponsive, cybercriminals are more likely to ramp up the pressure by leaking a sample of the data, contacting the media or customers, or exposing the information altogether
- Not all threats are real. Request proof-of-life by asking the attackers to decrypt a couple of small files to prove that they have a decryptor or request a data sample if they’re claiming to have exfiltrated the data to confirm what they actually have. Cross-referencing their claims with the findings of the incident response team will help to verify or rebut the threat.
- Mentioning law enforcement involvement or cybersecurity insurance providers could actually backfire. Openly disclosing law enforcement involvement might cause the ransomware group to retaliate by increasing the ransom, shortening deadlines, or destroying data to increase pressure for a quick payment. Being upfront about having cybersecurity insurance can be a costly mistake because attackers might take this as an opportunity to increase their demands, knowing a larger payout is possible.
To read the full ransomware Q1 report, click here.






















