TY - UNPB
T1 - The Ransomware Pricing Paradox: An Empirical Study of the Six Stages of Ransomware Negotiations
AU - Houba, Harold
AU - Meurs, Tom
AU - Cartwright, Anna
AU - Cartwright, Edward
AU - Woods, Daniel
PY - 2025/9/19
Y1 - 2025/9/19
N2 - Ransomware has become the most common cyber risk for businesses. The rise is not driven by attackers using innovative attacks, but instead by deteriorating negotiation outcomes. The average payment grew by almost 20,000% since 2018. However, it remains unclear why attackers can demand ever higher ransoms. Our study explores potential explanations: lack of backups, cyber insurance, access to incident response (IR) firms, data exfiltration, and negotiating style. We model negotiation as a six-stage model: attacker intent, victim engagement, discount offer, discount magnitude, payment decision, and re-extortion. We test hypothetical explanations for ransom outcomes using two datasets: (1) 481 police-reported incidents (2019–2023); and (2) 237 negotiation transcripts from 23 ransomware groups. We discover a pricing paradox: victims are more likely to pay after high initial demands, followed by large discounts, than after low fixed-price demands. Stage-level regression resolves this paradox: progression through stages is shaped by backup status, victim revenue, IR involvement, and negotiation duration. Fully recoverable backups sharply reduce payment rates and discount offers; higher revenue increases engagement and discount likelihood; and longer negotiations reduce payment. We find no evidence that insurance increases payment rates, that discount size matters once interaction is accounted for, or that re-extortion is common. These results position ransomware as a market-driven crime shaped by selection effects and signaling.
M3 - Working paper
T3 - TI Discussion Paper Series
BT - The Ransomware Pricing Paradox: An Empirical Study of the Six Stages of Ransomware Negotiations
PB - Tinbergen Institute
ER -