When ransomware hits, it is not just about data going dark or systems grinding to a halt. It is about the frantic hours that follow, the high-stakes conversations in hidden chatrooms, and the impossible choices organisations are forced to make. Pay or don’t pay. Engage or ignore. Every decision carries weight that can shape the future of a company.

A very expensive conversation

Take Colonial Pipeline in 2021. The company was forced to shut down one of the largest fuel pipelines in the US after a ransomware attack crippled its systems. Within hours, the East Coast faced petrol shortages and rising panic at the pumps. Under immense pressure, Colonial’s executives agreed to transfer 75 bitcoin, worth around 4.4 million dollars at the time. The FBI later managed to claw back a portion of that payment, but the reputational damage and operational chaos had already been done.

Closer to home, Travelex was hit just before New Year’s Eve in 2019. The attack left foreign exchange services offline across airports and high streets for weeks. Reports suggest Travelex paid around 2 million pounds to regain access to their systems. It was a sobering reminder that cybercriminals do not care about timing. They pick their moments when disruption will sting the most.

Negotiators step in

What often goes unseen is that these negotiations are rarely handled by executives alone. Many companies quietly bring in specialist ransomware negotiators, sometimes ex-intelligence officers or crisis managers, who know how to manage hostile conversations. Their job is not to make friends with criminals, but to buy time, gather intelligence, and ideally drive down the ransom demand.

In some cases, these negotiators can reduce the payment by more than half, or even stall long enough for internal recovery teams to bring systems back online. But it is a delicate balance. Stalling too long risks angering the attackers, who may leak stolen data or raise the price.

The human cost

Beyond the headlines of million-dollar payouts, there is a quieter cost to these incidents. Hospitals have had to cancel operations after ransomware attacks on their IT systems. Schools have delayed exam results. Local councils have been forced offline, leaving citizens unable to access basic services. The criminals on the other side of the screen see leverage, not lives.

Should you ever pay

The FBI and the UK’s NCSC both advise against paying ransoms, warning that it fuels the criminal economy and offers no guarantees of recovery. Yet a 2023 survey by Sophos found that 46 percent of organisations who were hit still paid up. Many said they felt they had no choice, particularly when backups were destroyed or sensitive data was already in the hands of criminals.

The truth is that ransomware negotiations sit in a grey zone between principle and survival. For every organisation that holds the line, another bends under the pressure of lost revenue, angry customers, or life-threatening disruption.

What comes next

The ransomware economy is not slowing down. Demands are rising, double extortion (encrypting files and stealing data) is now standard, and criminal groups are becoming more professional in how they communicate. Some even run “customer service desks” to walk victims through payment and decryption.

Defence will never be perfect, but preparation changes the odds. Running tabletop exercises that simulate ransomware scenarios, building incident response playbooks, and having contacts with law enforcement or specialist negotiators lined up can make the difference between chaos and control.

The next time you see a headline about a company paying millions to faceless hackers, remember that behind it there were long nights of tense conversation, panicked board meetings, and the cold calculation of what survival was worth.