
Ransomware Negotiation Leaks: Using Leak Site Data to Model the Adversary's Business

Jason Faulhefer June 18, 2026 8 min read


Leak site posts and negotiation transcripts are public, abundant, and underused. Read them like a business analyst and you can predict pricing, dwell, and exfiltration behavior.

Ransomware operators run businesses. Like any business they have a pricing model, a sales funnel, a fulfillment process, and customer service. Unlike most businesses they leak almost everything about themselves through their own pressure tactics and through periodic insider leaks of their chat platforms.

Most CTI teams read this material for indicators. The hashes, the wallets, the domain names. Those are useful, but they are the least durable thing in the data. The durable signal is in how the operator runs the business. A team that reads leak posts and negotiation transcripts like a business analyst can predict pricing, predict exfiltration behavior, and predict negotiation outcomes for their own organization with surprising accuracy.

What the public sources actually contain

Three public sources are worth a regular reading practice.

The first is the actor's own leak site. Most active ransomware operators run a Tor hidden service where they post victim names, post counters, sample data, and final published archives. The metadata around each post is rich. Date of initial listing. Days between listing and publication. Whether the post stays up after publication. Volume of data claimed. Industry of the victim. Geography. Many sites also publish negotiation snippets to pressure the victim.

The second is leaked chat infrastructure. Several major operators have had their internal chat platforms or affiliate panels leaked by insiders or researchers. The Conti leaks, the Black Basta leaks, and successors give weeks of operator-to-operator conversation. The contents include pricing decisions, complaint handling, target selection logic, and personnel disputes.

The third is the trade press and incident response retrospectives. Quality incident response firms publish post-engagement writeups that include redacted negotiation transcripts and outcome summaries. Read them with an eye for sample bias, since the firms publish wins more than losses; even so, this is the cleanest source of negotiation behavior data.

None of these sources requires a subscription or special access. They require a routine.

Pricing patterns are visible

The most common myth is that ransomware pricing is arbitrary. It is not. The pricing models that emerge from leaks are surprisingly disciplined.

Initial demands typically scale to annual revenue. The leaked chats show operators pulling target company revenue from public sources, from leaked databases, or from documents stolen during the intrusion, and pricing the demand as a percentage of that figure. The percentage varies by operator and by industry, but it clusters tightly. Two to five percent of annual revenue is a common opening band. Operators who target small businesses use a flat band instead, often in the tens of thousands range.

Operators discount aggressively. The negotiation transcripts show concessions in the forty to sixty percent range as standard, with some final settlements landing at one third of the opening demand. The cost to the operator of a non-payment is high, so they will move.

Operators reward speed. Many transcripts include a time-bound discount in the first twenty-four to forty-eight hours. The discount is real, but it is also a tool to push the victim out of careful deliberation and into a rushed decision.

For a defender, the implication is operational. The first call your incident response team makes with a ransomware operator is not a negotiation, it is an information gathering exercise. The opening demand, the discount language, and the time pressure tell you which operator is on the other end and what their funnel looks like.

Exfiltration behavior follows posting behavior

Modern ransomware operators do not need to encrypt to extort. Many do both. Some do only exfiltration. The leak site post pattern tells you which.

Operators who post the victim name within hours of the encryption event are signaling that the data is already staged for publication. The exfiltration happened before the encryption was triggered. For an incident responder this changes the priority order. Decryption is a side problem. Containing the spread of already exfiltrated data and notifying affected parties is the first problem.

Operators who post several days after encryption are usually still negotiating quietly and the post is a pressure tactic. There is more time to engage. The exfiltration may be smaller or may still be in progress.

Operators who never post but who threaten in the negotiation are sometimes bluffing. The leaked chats show that some affiliates falsely claim exfiltration to gain leverage. A defender who has high confidence in their own data flow telemetry can call that bluff.

Reading the post timing across an operator's last fifty victims gives a reasonable predictive baseline. Track it. It changes when the operator changes affiliates or when their tooling changes.
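The baseline described above, as an added example that is not part of the original post: a small Python script that buckets an operator's listing delays into the three behaviours the article names (posted within hours, posted days later, never posted), reports the dominant behaviour with the matching responder priority, and compares the most recent window of victims with the window before it to flag the kind of shift that follows an affiliate or tooling change. The delay values are constructed, and the one-day bucket boundary and the twenty-victim window are assumptions chosen for the illustration.

```python
"""Baseline an operator's leak-site posting timing from a list of listing delays."""
from statistics import median

# Constructed sample: days from the encryption event to the victim's first
# appearance on the leak site, oldest victim first. None means the victim
# was threatened in negotiation but never listed. Not real data.
SAMPLE_DAYS_TO_LISTING = [
    0.3, 0.5, 0.2, 1.0, 0.4, 0.6, 0.3, 2.0, 0.5, 0.4,   # earlier era: posts within hours
    0.7, 0.3, None, 0.5, 0.4, 0.2, 0.8, 0.6, 0.3, 0.5,
    4.0, 6.0, 5.5, 3.0, 7.0, None, 4.5, 6.5, 5.0, 3.5,   # later era: posts land days later
    4.0, None, 5.0, 6.0, 4.5, 5.5, 3.0, 7.0, 4.0, 5.0,
]

# Assumed bucket boundary: anything under one day counts as "hours".
HOURS_CUTOFF_DAYS = 1.0


def classify_post_delay(days):
    """Map one listing delay onto the three behaviours the article describes."""
    if days is None:
        return "never_posted"
    if days < HOURS_CUTOFF_DAYS:
        return "hours"
    return "days"


def summarize(delays):
    """Bucket counts, shares, dominant bucket and median delay for listed victims."""
    counts = {"hours": 0, "days": 0, "never_posted": 0}
    for d in delays:
        counts[classify_post_delay(d)] += 1
    listed = [d for d in delays if d is not None]
    return {
        "n": len(delays),
        "median_days_listed": median(listed) if listed else None,
        "share": {k: round(v / len(delays), 3) for k, v in counts.items()},
        "dominant": max(counts, key=counts.get),
    }


def responder_priority(dominant):
    """Translate the dominant posting behaviour into the article's priority order."""
    if dominant == "hours":
        # Data already staged: containment and notification before decryption.
        return "containment_and_notification_first"
    if dominant == "days":
        # Quiet negotiation window: engage, and size the exfiltration.
        return "engage_and_scope_exfiltration"
    # Threats without posts: check the claim against your own data-flow telemetry.
    return "verify_exfil_claims_against_telemetry"


def detect_shift(delays, window=20):
    """Compare the latest window of victims with the window just before it."""
    if len(delays) < 2 * window:
        return None
    older = summarize(delays[-2 * window:-window])
    recent = summarize(delays[-window:])
    return {
        "older": older["dominant"],
        "recent": recent["dominant"],
        "shifted": older["dominant"] != recent["dominant"],
    }


def baseline(delays=SAMPLE_DAYS_TO_LISTING, window=20):
    """Baseline over the operator's last fifty victims, plus the shift check."""
    result = summarize(delays[-50:])
    result["priority"] = responder_priority(result["dominant"])
    result["shift"] = detect_shift(delays, window)
    return result


if __name__ == "__main__":
    for key, value in baseline().items():
        print(f"{key}: {value}")
```

On the constructed sample the overall baseline says "days", but the shift check shows the older window was "hours" and the recent window is "days", which is exactly the change the paragraph says to watch for. The priority string is the operational output an incident responder would read first.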

Industry and geography selection is not random

The leaked operator chats show explicit target selection rules. Some operators avoid CIS country targets for legal protection reasons. Some operators avoid healthcare for reputational reasons, with mixed compliance. Some operators specifically target manufacturing because manufacturing tolerates downtime poorly and tends to pay. Some operators avoid government for the same reason others target it.

For a defender the implication is that your industry's risk from a specific operator is not even close to uniform. If your sector appears on the operator's avoid list, your residual risk comes from affiliates who break the rules and from sub-branded crews who use the same tooling. If your sector is on the target list, your risk is elevated and your scenario planning should reflect it.

This is also where attribution and tracking intersect with risk management. The team that knows which operators are actively targeting their sector this quarter has a sharper threat model than the team that defends against ransomware in general.

Negotiation outcomes you can model

A useful exercise is to take the public negotiation transcripts for the operator most relevant to your sector and pull the following data points for each one.

Industry and approximate revenue of the victim.

Opening demand and final settlement amount, when known.

Time from initial encryption or first contact to final settlement.

Whether the victim paid, whether they engaged a professional negotiator, and whether the data was published.

Whether the operator delivered a working decryptor.

After twenty transcripts the patterns are clear. You can build a one page expected outcome model for your own organization. It is not a prediction. It is a baseline for tabletop exercises and for executive briefings. It moves the conversation from speculative to grounded.
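The expected-outcome model sketched above, covering both the pricing patterns (demand as a share of revenue, discount to settlement) and the transcript data points just listed, as an added example rather than anything from the article: each transcript becomes one record, the model is a handful of medians, quartiles and rates over those records, and `expected_outcome` applies it to your own organization's revenue. The eight records are constructed and deliberately small; the field names and the quartile band are my assumptions, and twenty or more real transcripts would be the intended input.

```python
"""One-page expected-outcome model built from negotiation transcript data points."""
from dataclasses import dataclass
from statistics import median, quantiles
from typing import Optional


@dataclass
class Negotiation:
    """The data points the article says to pull from each transcript."""
    industry: str
    revenue_usd: float                 # approximate annual revenue of the victim
    opening_demand_usd: float
    settlement_usd: Optional[float]    # None when the victim did not pay
    days_to_settlement: Optional[float]
    used_negotiator: bool
    data_published: bool
    decryptor_worked: Optional[bool]   # None when no payment was made


# Constructed sample records, not real transcript data.
SAMPLE = [
    Negotiation("manufacturing", 120e6, 4.2e6, 1.4e6, 9, True, False, True),
    Negotiation("manufacturing", 80e6, 2.4e6, 1.0e6, 6, True, False, True),
    Negotiation("manufacturing", 200e6, 6.0e6, None, None, False, True, None),
    Negotiation("logistics", 50e6, 2.0e6, 0.9e6, 4, False, False, True),
    Negotiation("logistics", 300e6, 9.0e6, 3.5e6, 12, True, False, False),
    Negotiation("retail", 40e6, 1.6e6, None, None, True, True, None),
    Negotiation("retail", 90e6, 2.7e6, 1.2e6, 7, True, False, True),
    Negotiation("manufacturing", 60e6, 2.4e6, 0.8e6, 3, False, False, True),
]


def _rate(flags):
    """Share of true values in a list of booleans; None for an empty list."""
    flags = list(flags)
    return round(sum(bool(f) for f in flags) / len(flags), 4) if flags else None


def build_model(records):
    """Reduce a set of transcripts to the medians and rates a briefing needs."""
    demand_pct = [r.opening_demand_usd / r.revenue_usd for r in records]
    paid = [r for r in records if r.settlement_usd is not None]
    unpaid = [r for r in records if r.settlement_usd is None]
    settle_ratio = [r.settlement_usd / r.opening_demand_usd for r in paid]
    q25, _, q75 = quantiles(demand_pct, n=4)  # assumed band: inner quartiles
    return {
        "n": len(records),
        "demand_pct_p25": round(q25, 4),
        "demand_pct_median": round(median(demand_pct), 4),
        "demand_pct_p75": round(q75, 4),
        "settlement_ratio_median": round(median(settle_ratio), 4) if paid else None,
        "payment_rate": _rate(r.settlement_usd is not None for r in records),
        "negotiator_rate": _rate(r.used_negotiator for r in records),
        "published_if_paid": _rate(r.data_published for r in paid),
        "published_if_unpaid": _rate(r.data_published for r in unpaid),
        "decryptor_worked_rate": _rate(r.decryptor_worked for r in paid),
        "median_days_to_settlement": median([r.days_to_settlement for r in paid]) if paid else None,
    }


def expected_outcome(revenue_usd, model):
    """Apply the model to one organization's revenue for a tabletop baseline."""
    point = revenue_usd * model["demand_pct_median"]
    return {
        "opening_demand_band_usd": (revenue_usd * model["demand_pct_p25"],
                                    revenue_usd * model["demand_pct_p75"]),
        "opening_demand_point_usd": point,
        "expected_settlement_usd": point * model["settlement_ratio_median"],
        "payment_rate": model["payment_rate"],
        "median_days_to_settlement": model["median_days_to_settlement"],
        "published_if_unpaid": model["published_if_unpaid"],
    }


if __name__ == "__main__":
    model = build_model(SAMPLE)
    for key, value in model.items():
        print(f"{key}: {value}")
    print(expected_outcome(100e6, model))
```

The output for a hypothetical 100 million dollar organization is an opening-demand band, a point estimate, an expected settlement, and the rates at which this sample paid, got a working decryptor, or saw data published. That is the "baseline, not a prediction" the paragraph describes, and the same function gives the per-sector numbers if you filter the records by industry first.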

A weekly intake routine that scales

The reading practice can be very small and still produce value.

Thirty minutes once a week. The analyst pulls new leak site posts from the three or four operators most relevant to the organization's sector. They log the victim, industry, approximate size, days from compromise to listing, and any negotiation snippet visible. The log lives in a single spreadsheet.

Once a quarter, the analyst writes a one page summary of what changed. New affiliates visible. New tooling references. Pricing model drift. Sector targeting shift.

Once a year, the analyst rebuilds the expected outcome model for the organization based on the past twelve months of data.

That is thirty hours of analyst time per year. The output is a defensible model of how ransomware extortion actually works for your sector. Most teams spend more than that on a single feed subscription that delivers worse insight.
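The weekly log and quarterly "what changed" summary from the routine above, as an added example that is not the article's own tooling: the log is a plain CSV with one row per weekly observation, and the quarterly summary diffs sector share and median listing delay between two quarters and surfaces any negotiation snippets logged in the new quarter. The column names, the week-label format, the 20 percentage point threshold for calling a sector shift, and every row in the sample log are constructed for the illustration.

```python
"""Weekly leak-site intake log (CSV) and the quarterly 'what changed' summary."""
import csv
import io
from collections import Counter
from statistics import median

# Assumed log schema: one row per victim observed on a tracked leak site.
LOG_FIELDS = ["week", "operator", "victim", "sector", "approx_revenue_musd",
              "days_compromise_to_listing", "negotiation_snippet"]

# Constructed two-quarter log for one operator. Victims and values are invented.
SAMPLE_LOG = """week,operator,victim,sector,approx_revenue_musd,days_compromise_to_listing,negotiation_snippet
2026-Q1-W02,opA,victim-01,manufacturing,120,0.5,48h discount offered
2026-Q1-W03,opA,victim-02,manufacturing,80,0.4,
2026-Q1-W05,opA,victim-03,logistics,50,0.6,claims 2TB exfiltrated
2026-Q1-W07,opA,victim-04,manufacturing,200,0.3,
2026-Q1-W09,opA,victim-05,retail,40,1.0,
2026-Q1-W11,opA,victim-06,manufacturing,60,0.5,
2026-Q2-W01,opA,victim-07,healthcare,300,4.0,new affiliate tag in post footer
2026-Q2-W03,opA,victim-08,healthcare,150,5.0,
2026-Q2-W05,opA,victim-09,manufacturing,90,6.0,
2026-Q2-W07,opA,victim-10,healthcare,220,4.5,
2026-Q2-W09,opA,victim-11,logistics,70,5.0,
"""


def load_log(text):
    """Parse the CSV log into a list of dicts keyed by LOG_FIELDS."""
    rows = list(csv.DictReader(io.StringIO(text)))
    assert all(set(r) == set(LOG_FIELDS) for r in rows), "unexpected log columns"
    return rows


def quarter_of(week):
    """'2026-Q1-W02' -> '2026-Q1' (assumed week-label format)."""
    return week.rsplit("-W", 1)[0]


def quarter_summary(rows, quarter):
    """Victim count, sector mix, median listing delay and snippets for one quarter."""
    qrows = [r for r in rows if quarter_of(r["week"]) == quarter]
    n = len(qrows)
    sectors = Counter(r["sector"] for r in qrows)
    return {
        "quarter": quarter,
        "victims": n,
        "sector_share": {s: round(c / n, 3) for s, c in sectors.items()},
        "median_days_to_listing": median(float(r["days_compromise_to_listing"]) for r in qrows),
        "median_revenue_musd": median(float(r["approx_revenue_musd"]) for r in qrows),
        "snippets": [r["negotiation_snippet"] for r in qrows if r["negotiation_snippet"]],
    }


def what_changed(rows, prev_quarter, cur_quarter, share_threshold=0.2):
    """The quarterly one-pager: sector shifts, timing drift, and new snippets."""
    prev = quarter_summary(rows, prev_quarter)
    cur = quarter_summary(rows, cur_quarter)
    shifts = {}
    for sector in sorted(set(prev["sector_share"]) | set(cur["sector_share"])):
        delta = cur["sector_share"].get(sector, 0.0) - prev["sector_share"].get(sector, 0.0)
        if abs(delta) >= share_threshold:
            shifts[sector] = round(delta, 3)
    return {
        "sector_shifts": shifts,
        "timing_drift_days": round(cur["median_days_to_listing"] - prev["median_days_to_listing"], 2),
        "new_snippets": cur["snippets"],
    }


if __name__ == "__main__":
    log_rows = load_log(SAMPLE_LOG)
    print(quarter_summary(log_rows, "2026-Q1"))
    print(what_changed(log_rows, "2026-Q1", "2026-Q2"))
```

On the constructed log the summary reports a swing toward healthcare and away from manufacturing, a listing delay that moved from under a day to several days, and the one snippet mentioning a new affiliate tag; those three lines are the quarterly summary the routine asks for. The yearly rebuild is the same summary run over four quarters.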

The point

Ransomware operators leak their business model continuously through their own pressure tactics and through periodic insider leaks. Read leak site posts and negotiation transcripts as a business analyst would. Track pricing, exfiltration timing, sector selection, and negotiation outcomes. Build a small log and a small quarterly summary. Use the result to drive executive briefings, tabletop scenarios, and incident response priority decisions. The signal is in the routine, not in any single document.
