
The Man Fortune 500s Call When the Ransom Note Arrives

by Kurtis Minder

When a ransomware note hits a large publicly traded company on a Tuesday morning, the first calls go to outside counsel, the incident response firm, and the FBI. The fourth call, the one that actually determines whether the company survives the next two weeks financially intact, typically goes to someone like Kurtis Minder.

Minder spent more than a decade building something rare: a team of digital spies embedded inside criminal networks. What started as a cyber intelligence operation, essentially a corporate espionage capability run to track threat actors, evolved, almost by accident, into one of the most specialized ransomware negotiation practices in the world. His work has been profiled in The New Yorker. He has testified before Congressional committees on ransomware policy. And he has sat across dark web chat windows from some of the most sophisticated criminal organizations operating today.

What he’s learned challenges nearly everything the enterprise security community assumes about how these attacks work: who is doing them, how they think, and what it actually takes to survive one.

Digital Spies, Not Negotiators

Minder’s entry into ransomware negotiation wasn’t planned. His firm was running what he describes as human intelligence operations, the kind of thing you’d expect from a government agency rather than a private company. “In order to be competitive and do that well, you really had to have your finger on the pulse of what the bad guys were doing,” he explains. “You had to run basically an espionage operation. You had to become digital spies: make friends with the bad guys so you get invited to the party.”

Building those relationships took over twelve years and a recruitment process that draws on lessons from the intelligence community. Staff don’t walk in and start interacting with threat actors. They begin as analysts, earn trust internally, and only gradually work their way toward direct contact. Background checks are run by a firm that primarily serves the CIA. “When some people do background checks, they pay background-check.com something. $40. Ours costs a lot more than that,” Minder says.

The proof of concept for all that investment came unexpectedly. A client called with a ransomware incident. Minder tried to refer them to a negotiator he’d met at dinner, someone who claimed to specialize in this work. That person ghosted him the morning of the call. Minder found himself alone in a WebEx session with the CEO, CISO, deputy CISO, legal counsel, an incident response firm, and an FBI representative, facing his first-ever ransomware negotiation with no preparation and no precedent.

“I ended up doing the entire negotiation myself, kind of on the fly. That was the first one I’d ever done. Lucky for me, I’m a quick learner.” Kurtis Minder, Author, Cyber Recon

He spent the following nights cramming negotiation literature. He used former undercover police officers on his team as sounding boards. Two and a half weeks later, he settled the case at approximately ten percent of the original demand. The insurance company and law firm called the next day asking to work together again. That near-accident became the foundation of a practice that later brought him into contact with Chris Voss, the former FBI hostage negotiator and author of Never Split the Difference, and eventually into the pages of The New Yorker.

They Are Not Gangs. They Are Companies.

One of the most consequential misunderstandings in how the security community talks about ransomware, Minder argues, is the word “gang.” It implies disorganization, loose affiliation, and improvisation. The reality is nearly the opposite.

“I think calling them gangs has really misled the public. Gangs are a loose affiliation, somewhat disorganized. These groups, most of them, are not that.” Kurtis Minder.

The organizations Minder negotiates with have rank, middle management, quotas, and bonuses. They have training manuals. They have HR processes. They recruit talent away from rival groups the same way Silicon Valley poaches engineers: “the same couple hundred people moving around, switching jobs, going from one group to the other just like we do in tech.” When a negotiator first engages via a dark web chat window, the person on the other end may not even speak English. They are reading from a pre-translated script, running responses through a translation tool before sending them back.

“It’s important to understand that,” Minder says, “because what you say, and how that translates in tone and context in Ukrainian or whatever, might make a difference in the outcome.”

Understanding the specific group behind an attack (their playbook, their pricing logic, their known behavioral patterns) is therefore not background color. It is the primary intelligence input that shapes every tactical decision in the negotiation.

The Decisions No One Pre-Plans

The most dangerous gap Minder encounters isn’t in technical defense; it’s in decision architecture. When a ransom note arrives, the questions that determine the outcome have almost nothing to do with the negotiation itself. They are questions that should have been answered weeks or months earlier, and almost never are.

Does engaging with this group conflict with the organization’s values? Is the payment potentially illegal? Certain sanctioned groups make any transaction a federal matter regardless of circumstances. Does available threat intelligence suggest this group will ever reach a number the victim can actually pay? Are backups genuinely intact and restorable, removing the need to engage at all?

“Once you say ‘hey, I got your ransom note,’ you’re on the radar. They’re not going away now.” Kurtis Minder

That last point, the decision to simply not respond, is more powerful than most organizations realize. If backups are viable and restoration is possible, silence is a legitimate strategy. The moment an organization announces itself to a threat actor, it becomes a priority in a portfolio of hundreds of simultaneous victims.

PRE-NEGOTIATION DECISIONS EVERY CISO MUST PRE-PLAN
  • Does engaging with this threat actor conflict with organizational values or legal obligations?
  • Is this group sanctioned, making payment potentially illegal regardless of business pressure?
  • Based on threat intelligence, will they ever reach a number you can actually pay?
  • Are backups intact and restorable, making engagement unnecessary?
  • Does your bank allow large crypto transfers? Do you have a crypto broker relationship?
  • Has your incident response firm confirmed all attacker access is closed?

Minder has worked cases where negotiations collapsed entirely because a second threat actor had simultaneous, independent access to the same network. In one case during a Black Hat conference, two separate groups encrypted the same organization’s files independently. Double-encrypted virtual machine files are effectively unrecoverable. That managed service company shut down operations.

Negotiation Is Psychology, Not Accounting

When Minder finally opens a chat window with a threat actor, the first objective is not to establish a number. It is to establish that a transaction is going to happen. Everything else follows from that foundation.

The most common mistake he sees in transcripts from less experienced responders is positional bargaining: an immediate counter-offer at a fraction of the demand. “You almost always get there eventually,” he concedes, “but you don’t want to start there. You don’t want to put a stake in the ground that early in the negotiation.”

The more productive early move is to ask the attackers to justify their number. Where did it come from? How did they arrive at it? In many cases, the answer reveals the gap. Attackers often use commercial business intelligence tools (ZoomInfo, revenue databases) to anchor on a topline figure that has no relationship to the victim’s actual financial position.

“We sometimes have to give them an impromptu business class. ‘Yeah, our topline revenue is four million. Our margin is two percent.’ They’re not business people. I have to explain what’s left over.” Kurtis Minder

That dynamic is about to change. Minder flags the intersection of AI and double extortion as the most significant emerging shift in the negotiation landscape. Attackers who exfiltrate data before encrypting it have always had theoretical leverage from that data, but manually parsing thousands of financial documents to identify useful leverage is slow and inconsistent. That friction is disappearing.

“Their ability to now digest documents at scale and find the really juicy ones to use as leverage, that’s already happening,” Minder says. “AI is going to make life a lot more difficult for negotiators unless you really don’t have money.”

The implication for CISOs is direct: financial records, board presentations, M&A documentation, and insurance policy details are no longer just compliance concerns. They are negotiation leverage assets, and data classification strategies need to account for that threat model explicitly.

The RaaS Economy and the Skill Floor That Disappeared

The structural change that made ransomware a persistent enterprise problem, not an occasional nuisance, is the complete separation of the attack into component parts, each handled by specialists who never need to interact with the others.

Initial access brokers do one thing: break into a network and sell the foothold. They have no interest in running ransomware. They list access on dark web marketplaces, often for a few thousand dollars, and let affiliates take it from there. Those affiliates don’t need to be hackers. They need to know how to use Tor and make a cryptocurrency payment. The Ransomware-as-a-Service platform handles everything else: data exfiltration, file encryption, ransom note generation, and in mature operations, round-the-clock operator support.

“If you know how to use Tor and you know how to make a cryptocurrency payment,” Minder says, “you can carry out an enterprise ransomware attack.”

The RaaS platform owners don’t even need to execute attacks themselves. They take a percentage of every ransom paid by affiliates using their infrastructure. It is, as Minder describes it, a franchise model, one that scales without requiring the platform operator to touch a single victim directly.

Nation-States in the Hiring Pipeline

The same logic that makes criminal organizations more effective (separation of roles, specialization, scale) is now being applied by nation-states through a different attack vector entirely: employment.

North Korea’s government-backed remote worker program places trained operatives into US companies through AI-assisted interviews and deepfake identity construction. They receive a legitimate paycheck. More importantly, they receive legitimate network access, the kind that doesn’t trigger a single intrusion detection alert because it looks identical to normal employee behavior.

The program has been amplified by a new category of AI interview coaching tools, one of which reportedly reached $100 million in ARR within months of launch. These tools transcribe questions in real time and display scripted answers as an overlay on a video call, effectively a teleprompter invisible to the interviewer. Combined with voice synthesis and visual deepfake technology, the result is a hiring pipeline that standard enterprise screening was not designed to detect.

For CISOs, this is an insider threat that originates entirely outside the security team’s traditional visibility, in a process owned by HR, with no security checkpoint between the interview and the first day of network access.

After the Attack: Where Companies Actually Lose

Assume the negotiation ends successfully. The decryption key works. Operations resume. The incident is, technically, over. What happens next, not during the attack but after, is where Minder says companies most consistently fail, and where the legal and reputational damage compounds long after the attackers have moved on.

“Be as transparent as you can be within your knowledge boundary. The quickest way to squander goodwill is to make people think you misled them intentionally. That’s how you end up in a class action lawsuit.” Kurtis Minder

The instinct to say nothing, or to say as little as possible for as long as possible, is understandable, but it reliably backfires. The affected community fills silence with speculation. By the time the standard “we are investigating” statement appears, trust has already begun to erode. What comes next (the updates, the timeline, the disclosure) is evaluated through the lens of whether the organization was trying to hide something.

None of this communication strategy should be designed during an active incident. The plan, the spokespeople, the escalation framework, the pre-approved language: all of it needs to exist before the note arrives. Tabletop exercises that don’t include a communication workstream are, in Minder’s view, missing the scenario most likely to determine the organization’s long-term outcome.

What Tabletops Get Wrong

Speaking of tabletops: Minder has sat in on exercises run by some of the largest brands in incident response, and he has called some of those firms directly to tell them to stop making a specific, pervasive mistake. They put the ransom amount in the ransom note.

“In six years, I have never had a ransom note that has the amount in it,” he says. “It says the files are locked. If you want something, contact us.” The amount only exists after initial contact. By scripting a tabletop that skips that decision (whether to engage, based on incomplete information, under time pressure), the exercise eliminates one of the most consequential decision points in the entire response.

Other common failures: no designated scribe documenting what the exercise reveals needs to be fixed, no communication workstream, and scenarios that assume the incident response team has already closed all attacker access, an assumption that is frequently wrong in real events.

The Three Controls That Would Stop Most Attacks

After years of post-incident debriefs in which attackers describe exactly how they got in, often in remarkable technical detail, Minder’s conclusions about prevention are unglamorous. Password reuse remains one of the most consistent initial access vectors. Multi-factor authentication is still unenforced across large portions of enterprise environments. Social engineering, the third major pathway, is addressed by awareness training that most organizations treat as a compliance checkbox rather than a genuine control.

“How many times do we have to talk about MFA? Just turn it on on everything you possibly can. They just log in. It doesn’t set off your intrusion detection system because it looks like normal behavior.” Kurtis Minder

  • Eliminate password reuse organization-wide. Enforce password manager adoption across all roles, not just technical staff.
  • Enable multi-factor authentication on every system that supports it. Credential stuffing only succeeds where MFA is absent.
  • Invest in user awareness training that treats social engineering as a primary attack vector, not an afterthought to technical controls.
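The two technical controls above are easy to state and surprisingly hard to verify after the fact: Minder’s point is that stuffed credentials produce logins that look normal. The script below is an added example, not code from the article or from Minder’s firm, showing what a defender can still see in authentication logs. It assumes a JSON-lines login log with the fields ts, src_ip, user, result and mfa (an assumed format, not one from the page), flags source addresses that try many distinct usernames with mostly failures inside a short window, and then lists any successful login from such a source that completed without MFA, which is exactly the case where the second control would have stopped the attack. The sample log lines are constructed.

```python
"""Credential-stuffing triage over a constructed authentication log.
Added illustration; log schema (ts, src_ip, user, result, mfa) is an assumption."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): one source sprays six accounts in a
# few seconds and gets into the only one lacking MFA; two ordinary users log in
# from their own addresses, one after a single typo, both finishing MFA.
SAMPLE_LOG = """\
{"ts":"2024-05-07T09:00:01Z","src_ip":"203.0.113.7","user":"alice","result":"fail","mfa":false}
{"ts":"2024-05-07T09:00:02Z","src_ip":"203.0.113.7","user":"bob","result":"fail","mfa":false}
{"ts":"2024-05-07T09:00:03Z","src_ip":"203.0.113.7","user":"carol","result":"fail","mfa":false}
{"ts":"2024-05-07T09:00:04Z","src_ip":"203.0.113.7","user":"dave","result":"fail","mfa":false}
{"ts":"2024-05-07T09:00:05Z","src_ip":"203.0.113.7","user":"erin","result":"ok","mfa":false}
{"ts":"2024-05-07T09:00:06Z","src_ip":"203.0.113.7","user":"frank","result":"fail","mfa":false}
{"ts":"2024-05-07T09:15:00Z","src_ip":"198.51.100.20","user":"alice","result":"ok","mfa":true}
{"ts":"2024-05-07T09:20:00Z","src_ip":"198.51.100.21","user":"bob","result":"fail","mfa":false}
{"ts":"2024-05-07T09:20:30Z","src_ip":"198.51.100.21","user":"bob","result":"ok","mfa":true}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines login events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def find_spraying_sources(events: list[dict], window: timedelta = timedelta(minutes=10),
                          min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Per source IP, slide a time window over its events and flag the IP the first
    time it has tried at least `min_users` distinct usernames with a failure ratio
    of at least `min_fail_ratio`. A single user mistyping a password never matches."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["src_ip"]].append(event)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            users = {e["user"] for e in current}
            failures = sum(1 for e in current if e["result"] == "fail")
            if len(users) >= min_users and failures / len(current) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "failures": failures,
                               "attempts": len(current)}
                break
    return flagged


def successful_logins_without_mfa(events: list[dict], suspicious_ips) -> list[tuple[str, str]]:
    """Accounts where the spray actually worked: a success from a flagged source
    that never completed MFA. These are the accounts to reset and investigate first."""
    return sorted((e["user"], e["src_ip"]) for e in events
                  if e["src_ip"] in suspicious_ips and e["result"] == "ok" and not e["mfa"])


def triage(text: str) -> dict:
    """Run both checks over a raw log and return the findings as one report."""
    events = parse_log(text)
    sources = find_spraying_sources(events)
    return {"spraying_sources": sources,
            "compromised_no_mfa": successful_logins_without_mfa(events, sources)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

On the constructed data the report names 203.0.113.7 as a spraying source and erin as the one account it reached without MFA; the bob events from 198.51.100.21 are a single user with one failed attempt and are not flagged. The thresholds are starting points to tune against an environment’s normal failure rate, and a real deployment would read the same fields from the identity provider’s sign-in log rather than an embedded string.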

For organizations without a ransomware response playbook, Minder points to CISA’s published template as a solid starting point, reflecting conclusions drawn from the same volume of attack data his own work has produced. The fundamental question he poses to every organization is not whether they will be attacked. It is whether they will have practiced their response before the note arrives.

“Plan for an attack as inevitable,” he says. “And then make sure your plan actually works.”

About the Author

Kurtis Minder is a cybersecurity executive, author, and speaker with more than 20 years of experience in cyber threat intelligence, ransomware response, and digital risk management. As the former CEO and co-founder of GroupSense, he led one of the industry’s premier cyber reconnaissance and ransomware negotiation teams. Today, Kurtis is the author of Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation. He is a frequent speaker on cybercrime, digital risk, ransomware, and the human impact of cybersecurity. Learn more at KurtisMinder.com. This article is based on his appearance on The Cybersecurity Podcast by EC-Council, hosted by Jay Bavisi.