Ransomware by Design: The Bluff Behind the Threat

The first thing DragonForce delivers isn’t a ransom number, it’s a set of “rules.” Your files are encrypted, some data has been stolen, and you get a carefully handpicked partial file list; just enough to prove they are inside your network, but not enough to know how bad the damage really is. The rest, they hint, you will see on their blog if talks fall apart.

Underneath that structure sits a harsher reality: uncertainty is the product. By refusing to share a full inventory of what was taken, DragonForce keeps you guessing about regulatory exposure, reputational fallout, and legal risk, all while a countdown timer ticks away on their portal. And if you struggle to make sense of this “standard scheme,” they even suggest a next step that says a lot about the modern ransomware economy:

“Maybe contact a negotiation company.”

The Setup: Partial File Trees And “Rules”

DragonForce opens the conversation with a familiar script: your files are encrypted, some data has been stolen, and a partial list of stolen files is offered as “proof.” They explicitly refuse to send a complete list, framing this as a hard rule of their process and pointing the victim to FAQ-style guidance beside the chat window.

When the victim asks for the full file list, the attacker shuts it down:

“We don’t want to show it to you.
We think you understand why, and it’s part of the rules that we detailed for you.”

Pressed on why the list won’t be shared, DragonForce lays out the logic plainly:

“The full list is not being provided because having it would give you the opportunity and time to minimize the damage before publication.
This would weaken our position in the negotiations and strengthen yours.”

They also warn that waiting until the end of the countdown to ask for a discount “will not work,” pointing to other chats on their blog as supposed proof that playing the clock is useless.

Then comes a telling suggestion from the attackers themselves:

“If you can’t figure [the rules] out, we recommend that you contact any negotiation company.”

That line says a lot. The gang is so used to dealing with professional negotiators that they essentially point inexperienced victims toward hiring one. It is a backhanded admission that seasoned intermediaries can navigate the “rules,” translate the psychological game being played, and often get a better outcome than a panicked team trying to handle it alone.

The message is clear: the terms are fixed, the rules are non‑negotiable, and the attackers control the pace—but they also expect that on the other side of the screen, there might be someone whose full‑time job is to push back.

The Bluff: “You Could Be Bluffing”

Instead of accepting this framing, the victim challenges it directly. By only sending a partial list, the attackers have not actually proven that they hold anything beyond the sample files they shared for decryption testing.

The victim says the quiet part out loud:

“By only sending the partial list, how do we actually know you have any more of our data?
You could be bluffing.”

They push again on the logic:

“If you send us the full list then we could assess the full impact this whole event might have on us — we don’t see how that would strengthen our posture.”

The most revealing part of the exchange is DragonForce’s response:

“Yes. By sending part of the list, we can bluff, and you can’t fully assess the impact of publication on you.
You’ve understood everything correctly. This is a standard scheme.”

With a few lines of chat, the attacker confirms what many negotiators suspect but rarely see admitted: controlled uncertainty is a deliberate part of the playbook.

Why Uncertainty Is A Feature, Not A Bug

From the threat actor’s perspective, uncertainty supercharges leverage.

• It makes the risk seem bigger than it really is.: if you do not know whether payroll, customer PII, or board emails are in scope, you must plan for the worst.
• It compresses decision time: DragonForce repeatedly highlights the countdown timer and complains that the victim has not moved quickly enough from triage to payment discussions.
• It narrows your room to maneuver: without a clear impact assessment, it is harder for the victim to justify firm counter‑offers internally or to regulators and insurers later.

DragonForce even suggests a “typical” negotiation cadence:

“The usual timeline is to enter into negotiations 1–2 days after the incident, to deal with the files within 2–6 hours, and then proceed to discuss payment.”

Organizations that try to step outside that pattern—by, for example, insisting on a full file tree—are framed as irrational or unserious.

The Demand: $450,000 And A Timer

After days of back‑and‑forth over file listings, the attackers pivot to money. They state a demand of 450,000 (implicitly USD) with minimal ceremony and the standard implied promise: decryption, deletion of stolen data, and no publication if payment is made.

They drop the number bluntly:

“We want 450,000.”

The victim pushes back that this is “not a small amount of money” and highlights the practical difficulty of assembling that much liquidity quickly. It is a holiday weekend, banks are closed, and internal approvals are slow.

The victim asks for breathing room:

“We are clearly going to need more time to hash this out. It’s a holiday weekend right now and everything is shut down.
Can we resume this discussion on Monday?”

DragonForce relents on timing—but not on principle:

“We are always open to a substantive dialogue.
The deadline has been extended to Wednesday.”

The countdown remains the ever‑present backdrop, a constant reminder that delay will eventually mean data leakage and loss of the decryption key.

When Even The Attacker Says “Get A Negotiator”

The suggestion to “contact any negotiation company” is easy to gloss over, but it captures where ransomware is in 2025: professionalized on both sides. DragonForce expects that a certain percentage of victims will have incident response retainers, cyber insurance‑driven playbooks, and dedicated negotiators on speed dial.

For victims, that line should land as a prompt, not a challenge.

• If the criminals assume you might have a negotiator, going in without one is starting at a disadvantage.
• A third‑party can absorb emotional pressure, apply lessons from dozens of prior cases, and translate attacker “rules” into real‑world risk.
• Just as importantly, they create a record that helps justify decisions later to boards, regulators, and law enforcement.

The irony is sharp: the same gang that refuses to send a full file list is effectively recommending you bring in someone whose job is to test their claims, pressure their pricing, and manage the bluff.

What This Transcript Teaches

This DragonForce negotiation illustrates several lessons that go beyond this single case.

1. Attackers use intentional confusion. They show partial file lists and unclear references to “blog” disclosures are not accidents; they are levers to increase perceived risk and compress your timeline.
2. Calling the bluff can surface valuable information. By explicitly raising the possibility of bluffing, the victim forced the attacker to admit that uncertainty is part of the strategy, which can inform your internal risk assessment and communication.
3. “Rules” are negotiation tactics, not laws of physics. When an attacker insists that certain terms (like a full file list) are “impossible,” what they often mean is that those terms weaken their leverage.
4. Time pressure is a weapon. Countdowns, weekend deadlines, and references to other victims who “resolved over the first weekend” are designed to push organizations into faster, less‑informed decisions.
5. Even attackers expect professionals on the other side. When a ransomware crew tells you to “contact a negotiation company,” they are acknowledging that this has become a specialized skill set—and that expertise changes the dynamic.

The goal is not to gamble recklessly that every data‑leak threat is hollow. It is to recognize that the other side is playing a psychological game as much as a technical one—and to bake that reality into negotiation strategies, legal/comms prep, and tabletop exercises, ideally with people at the table whose day job is to see through the bluff.