🤖 AI Summary
Ransomware negotiation dynamics remain understudied, and existing defenses neglect strategic interactions between attackers and victims post-infection.
Method: We introduce the first finite-horizon alternating-offer bargaining game model to formally characterize optimal negotiation strategies under incomplete information; we then design a Bayesian incentive-compatible, privacy-preserving negotiation mechanism—requiring no trusted third party or disclosure of private valuations. The mechanism employs garbled circuits to realize secure two-party computation, preserving the privacy of both parties’ valuations.
Contribution/Results: Our automated framework significantly reduces negotiation duration and victim business-interruption costs. It provides a verifiable, deployable, game-theoretic paradigm for ransomware governance—grounded in rigorous modeling of adversarial incentives and cryptographic privacy guarantees. Experimental evaluation confirms its efficacy in balancing efficiency, strategic robustness, and confidentiality.
📝 Abstract
Ransomware attacks have become a pervasive and costly form of cybercrime, causing tens of millions of dollars in losses as organizations increasingly pay ransoms to mitigate operational disruptions and financial risks. While prior research has largely focused on proactive defenses, the post-infection negotiation dynamics between attackers and victims remain underexplored. This paper presents a formal analysis of attacker-victim interactions in modern ransomware incidents using a finite-horizon alternating-offers bargaining game model. Our analysis demonstrates how bargaining alters the optimal strategies of both parties. In practice, incomplete information (attackers lacking knowledge of victims' data valuations, and victims lacking knowledge of attackers' reservation ransoms) can prolong negotiations and increase victims' business interruption costs. To address this, we design a Bayesian incentive-compatible mechanism that facilitates rapid agreement on a fair ransom without requiring either party to disclose private valuations. We further implement this mechanism using secure two-party computation based on garbled circuits, thereby eliminating the need for trusted intermediaries and preserving the privacy of both parties throughout the negotiation. To the best of our knowledge, this is the first automated, privacy-preserving negotiation mechanism grounded in a formal analysis of ransomware negotiation dynamics.
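To make the finite-horizon alternating-offers model named in the summary and abstract concrete, the following is an added example (not the paper's own model or code) that solves such a game by backward induction. Every modelling choice in it is an assumption of this example: the victim values recovery at V, the attacker's reservation ransom is R, the surplus bargained over is S = V - R, proposals alternate over T rounds, and each round of delay scales the remaining value by per-party factors d_a and d_v, with a lower d_v standing in for heavier business-interruption cost. It treats the complete-information case only; the paper's incomplete-information analysis and its garbled-circuit mechanism are not reproduced here. The numbers in the `__main__` block and the test are constructed.

```python
"""Backward-induction solver for a finite-horizon alternating-offers
bargaining game between a ransomware victim and an attacker.

Added illustration, not the paper's model or code. Modelling assumptions
made for this example:
  - the victim values data recovery at V and the attacker accepts nothing
    below reservation ransom R, so the gains from trade are S = V - R;
  - proposals alternate over T rounds; if the round-T offer is rejected,
    neither side receives any of the surplus;
  - each round of delay scales the remaining value by d_a (attacker) and
    d_v (victim); a lower d_v models heavier business-interruption cost;
  - complete information: both sides know V, R and the discount factors.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    ransom: float            # price agreed in round 1
    attacker_surplus: float  # ransom - R
    victim_surplus: float    # V - ransom


def other(party: str) -> str:
    return "victim" if party == "attacker" else "attacker"


def spe_shares(S: float, d_a: float, d_v: float, T: int, first: str):
    """Return (proposer, share): proposer[t] names who proposes in round t,
    share[t] is the surplus that proposer keeps in the subgame-perfect
    equilibrium.

    Solved backwards from round T: the round-t responder accepts any offer
    worth at least what it would get by rejecting, waiting one round, and
    proposing itself in round t+1, so the proposer offers exactly that."""
    if T < 1 or S < 0:
        raise ValueError("need T >= 1 and non-negative surplus")
    proposer = {t: (first if t % 2 == 1 else other(first)) for t in range(1, T + 1)}
    share = {T: S}  # last proposer keeps everything; responder is indifferent
    for t in range(T - 1, 0, -1):
        responder = other(proposer[t])
        d = d_a if responder == "attacker" else d_v
        share[t] = S - d * share[t + 1]
    return proposer, share


def negotiate(V: float, R: float, d_a: float, d_v: float, T: int,
              first: str = "attacker"):
    """Equilibrium ransom when the parties bargain over S = V - R.
    Returns None when no price is acceptable to both sides (V < R)."""
    S = V - R
    if S < 0:
        return None
    proposer, share = spe_shares(S, d_a, d_v, T, first)
    attacker_part = share[1] if proposer[1] == "attacker" else S - share[1]
    return Outcome(ransom=R + attacker_part,
                   attacker_surplus=attacker_part,
                   victim_surplus=S - attacker_part)


def ransom_vs_delay_cost(V, R, d_a, T, d_v_values, first="attacker"):
    """Round-1 ransom as the victim's per-round delay factor varies
    (lower d_v = costlier downtime). Returns {d_v: ransom}."""
    curve = {}
    for d_v in d_v_values:
        out = negotiate(V, R, d_a, d_v, T, first)
        if out is None:
            raise ValueError("no mutually acceptable price (V < R)")
        curve[d_v] = out.ransom
    return curve


if __name__ == "__main__":
    # Constructed parameter values, not figures from the paper.
    V, R = 100.0, 20.0
    for d_v, price in ransom_vs_delay_cost(V, R, 0.9, 3, [0.9, 0.7, 0.5]).items():
        print(f"d_v={d_v}: round-1 ransom={price:.1f}")
```

With the constructed inputs, shortening the horizon or lowering the victim's delay factor shifts the equilibrium price toward the attacker: a victim facing heavier downtime cost per round concedes more in round 1, which is the complete-information counterpart of the abstract's point that prolonged negotiation works against the victim.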