When hackers paralyse a company, a nerve-wracking power struggle often ensues: to pay or not to pay? In such situations, Thomas Meier and his team at InfoGuard AG negotiate with cybercriminals. It is rarely just about data or IT systems – often jobs, reputation and, in extreme cases, the future of entire companies are at stake. In this interview, he explains the world of cyber extortion, how such negotiations work and what needs to be taken into consideration.
Many groups of cyber criminals operate in a surprisingly structured and rational manner. Behind the attacks are often organisations with a clear economic logic and a division of labour. Accordingly, professional negotiators treat the situation not as an emotional exchange of blows, but as a strategic negotiation.
However, the threat situation is becoming more acute. Taboo places such as schools and hospitals are losing their significance, and instead of just encrypting data, attackers are increasingly stealing it and threatening to publish it. Artificial intelligence is further accelerating this development.


Negotiating correctly with cybercriminals

After the hacker’s attack, the real power struggle begins: to pay or not to pay? Thomas Meier and his team hold talks with cybercriminals when companies are confronted with demands that threaten their existence.
Published on 02.04.2026
Urs-Peter Zwingli

Thomas Meier, you and your team regularly negotiate with cybercriminals. Can you describe for us one of your more serious cases?

Last year, we had a case in the financial sector involving nearly 30 indirectly affected companies. The attackers had gained access through a security breach at the largest customer, a provider. The result was massive. There was collateral damage for numerous companies that were affected through no fault of their own. The crisis management team was correspondingly complex: many stakeholders, a ticking clock and divergent interests. The tension was palpable.

We now also see that cybercriminals no longer view attacks on hospitals and other critical infrastructure as off limits. In these cases, it is not just a matter of economic damage, but also of security of supply and social responsibility.

InfoGuard Cyber Defence Center

InfoGuard employs over 350 people and protects around 1,000 companies in the DACH region from digital threats. The company is headquartered in Baar (ZG), with additional locations in Bern, Frankfurt, Munich, Düsseldorf and Vienna.

How did this attack on the provider turn out?

The attackers were well aware of the strong position they were in. The provider's backups had been destroyed and key customer data was compromised. This situation led to unusual negotiation dynamics, with the perpetrators showing little willingness to compromise. After a careful risk assessment, the decision was made to pay the initial ransom demand. In our experience, however, only in less than 20 per cent of the cases in which we were involved in 2025 did a ransom actually have to be paid. In most cases, it is possible to find alternative solutions or we are able to significantly reduce the demands.

You mentioned noticeable tension in this case. How do you deal with that?

Experience is crucial in such situations. When threats and demands are made, emotions understandably run high on the customer side. Stability is needed. It is our responsibility to keep a cool head, separate facts from emotions and proceed in a structured, logical manner. Even if the other side is acting criminally, they usually follow an economic logic... And that's exactly where we come in. We have some of the most experienced negotiators and incident response specialists in the DACH region.

“Institutions such as hospitals and schools used to be considered off limits to cybercriminals. Today, we see such self-imposed restrictions much less frequently.”
Thomas Meier

You mentioned attacks on critical infrastructure. How common are these?

In the past, many of these groups had a kind of internal code. Facilities such as hospitals or schools were mostly considered taboo. Today, we see such self-imposed restrictions much less frequently. While critical infrastructure is sometimes still treated with greater restraint, schools are no longer considered exempt as a matter of principle. Unfortunately, we have come to realise that there are no reliable taboo zones.

At what point do you, as professional negotiators, become involved in the process?

Ideally, from the very beginning. It is crucial to quickly obtain a comprehensive picture of the situation: What data is affected? What are the demands? Are there realistic recovery options? Time and information advantage are crucial in this phase. In addition, we often request a new, confidential chat channel, as the first one is widely distributed internally or even in the media due to the ransom note.

How does the contact process work technically?

As a rule, the ransom note – a kind of digital blackmail letter – contains specific instructions on how to make contact. Communication often takes place via chat functions on perpetrator platforms. However, anonymous channels such as Tox, an encrypted messaging service that further conceals identity, are also increasingly being used.


What is the first contact with a hacker group like?

For affected companies, it is usually shocking and emotionally very stressful. For us, it is part of our operational reality. We approach the situation calmly and professionally. Many groups have a clearly structured business model behind them – and that is exactly how we treat it: as a strategic negotiation, not an emotional exchange of blows.

How do you approach a negotiation?

Our specialists act tactically and flexibly, always maintaining a cooperative tone. The primary goal is to gain time. We use this time for forensic analysis. For example, we investigate where the initial point of attack was, how the attackers moved within the network and which data or systems are affected. We also assess the recoverability and make strategic decisions in the background. It is crucial to control the pace of the negotiations and not be driven by deadlines. This is the first step in regaining control of the situation. This is especially true when functional backups are available and the only leverage left is the threat of publishing stolen data. If this is used, it loses its effect – and the negotiation is effectively over. We make this logic clear to the attackers, which often allows for longer negotiation periods.

“It is crucial to control the pace of negotiations and not be driven by deadlines. That is the first step towards regaining control of the situation.”
Thomas Meier

What psychological patterns do you observe in cybercriminals?

Behind many groups is a highly developed criminal economy with clear roles, division of labour and structures. Many of the players see themselves as businesspeople. They often come across as friendly, sober and extremely rational – while at the same time clearly dominating the communication. One sentence that particularly stuck in my mind was, “Look, I'm a businessman.”

What are typical mistakes or pitfalls in such negotiations?

One of the most common mistakes is to confront the other party at the wrong time or to reveal strategic options too hastily. The correct positioning of the negotiator is also crucial. In the past, negotiators sometimes deliberately presented themselves as less technically savvy intermediaries close to the decision-making level, which often led to additional information being disclosed by the perpetrators.

What leverage do you actually have when the perpetrators have the data?


When data has been exfiltrated, i.e. stolen, the starting position is much more difficult. The attackers then have additional leverage – publication and monetisation. At the same time, in this scenario, they have already made an advance payment without knowing the actual value of the stolen data in detail. This creates a certain amount of room for negotiation. The key question then is: is an agreement worthwhile for both sides, or does the economic benefit for the perpetrators fall short of expectations? If, on the other hand, data has “only” been encrypted, functioning backups play a central role. In such cases, the balance of power shifts significantly in favour of the defence.

What constitutes a successful negotiation for you?

It's not just about reducing a claim. The key factors are minimising damage, saving time, protecting reputation and regulatory stability – as well as quickly restoring the ability to act. For us, the focus is always on creating value and ensuring the customer's future viability.

How do you become a negotiator and what does it take?

Experience, a keen understanding of the cybercrime economy and tactical acumen are crucial. You also need psychological stability and the ability to think clearly even under extreme pressure – both when dealing with attackers and on the client side. Recommendations must be presented clearly and confidently, even in tense C-level meetings. As in many demanding disciplines, experience cannot be simulated. It comes with experience.

You mentioned earlier that hackers see themselves as businesspeople. So is there a certain degree of reliability among these groups?

In a way, yes. Many groups operate according to a clear economic logic. If they failed to deliver a working decryption code after receiving payment, their business model would collapse. Reputation also plays a role in the criminal market that should not be underestimated.

“Behind many extortion groups is a highly developed criminal economy with clear roles, division of labour and structures. Many of the players see themselves as businesspeople.”
Thomas Meier

Does something like a working relationship or mutual understanding develop with the criminals during lengthy negotiations?

Over time, a certain professional interaction develops. Many criminal groups are structured, with clear roles and processes. You interact on a factual level. Acceptance in an operational sense – yes. Respect in a moral sense – no. At the end of the day, it remains a criminal business model.

Have any perpetrators been convicted as a result of your negotiations?

Yes. Forensic analyses and findings from our mandates have repeatedly helped law enforcement agencies to locate and convict perpetrators. Negotiations in particular provide additional technical and operational information, for example on infrastructure, communication patterns or wallet structures, which can be specifically evaluated.

How has the scene changed in recent years? Do you recognise any influence from the emergence of AI?

Yes, especially with agentic AI, which can act autonomously in some cases, there is a new quality to the threat. It accelerates attacks, automates reconnaissance and adaptation of malware, and massively lowers the barriers to entry.

AI agents can now independently identify targets and orchestrate attacks. This makes cybercrime scalable. At the same time, we are seeing a change in strategy: instead of primarily encrypting data, attackers are exfiltrating data and relying on blackmail through publication. This makes the threat strategically much more dangerous.

If you had one wish for politicians and businesses, what would need to change so that you and your team would be less needed?

Quite clearly, we need a holistic security mindset. Cyber resilience must not be an IT issue. It must be anchored at the management and governance level. Technology alone is not enough. The weakest link – often the human factor – determines whether resilience is strong enough.

Thomas Meier (57) founded InfoGuard AG in 2001 after studying economics. Today, InfoGuard employs over 350 people and protects around 1,000 companies in the DACH region from digital threats. InfoGuard helps companies protect their IT, cloud and industrial infrastructures from cyber attacks and quickly detect and resolve security incidents. To this end, it offers round-the-clock monitoring, response to attacks, security analyses, technical implementation, consulting and tests for targeted verification of a company's own defences. Its customers include financial and insurance companies, industrial and energy service providers, trading companies, service providers, public authorities and hospitals.

The company is headquartered in Baar (ZG), with additional locations in Bern, Frankfurt, Munich, Düsseldorf and Vienna.

Media tips

Docu NZZ Format: "Ransomware attack: Companies held hostage by cybercriminals" (2026)


Using real-life examples, the documentary impressively shows how ransomware attacks work today and why they pose an existential threat to many companies.

SRF Digital Podcast: "Ransomware-Negotiator" (2024)


Interesting insights into negotiating with cybercriminals, including insights from one of our absolute top experts.

Chris Voss: Never Split the Difference: Negotiating As If Your Life Depended On It (2016)


An absolute must-read on this topic. International bestseller with a tried-and-tested approach to negotiations. Particularly worth reading because: practical techniques, psychological approach, exciting stories, diverse applicability.