Ransomware: Should you pay?

David Reed

AVP, Cyber Risk Engineer

There is no universal answer to the ransomware question, but there is a responsible decision framework.

The best ransomware decision is made before ransomware happens. When an attack occurs, having tested backups, containment capability, and a response plan transforms the moment from crisis into choice.

The uncomfortable realities

Payment does not guarantee decryption, and that single fact changes everything. Threat actors often fail to deliver working keys, demand additional payments, or disappear entirely. Even when decryption succeeds, it is only a partial fix. The stolen data remains a separate issue, and paying offers no assurance it will be deleted; in some cases, attackers still leak data to bolster their reputation.

Recovery also rarely ends with decryption. Organizations typically must conduct full forensic investigations, remove malware, and rebuild systems to eliminate persistence and prevent reinfection. On top of that, legal and sanctions risks cannot be ignored. Ransom payments may violate regulations depending on the attacker’s identity, exposing organizations to penalties. For these reasons, decisions about payment require coordinated input from legal, insurance, and cybersecurity experts.

The decision framework

When ransomware strikes, responsible organizations ask seven questions in parallel:

Can tested backups restore fast enough?

If you have recent, verified backups stored offline, the decision shifts dramatically. Recovery time becomes the metric. Can you restore to full operations in hours or days using backup data? If the answer is yes, paying never makes sense. Backup and restore is faster, cheaper, and free from the uncertainties of dealing with criminals. Many organizations discover during ransomware that their backup strategy has gaps, that incremental backups are too recent to be useful, or that restores have never been tested. This is precisely why testing is non-negotiable before an attack.

What is the scope of encryption and spread?

Ransomware that affects a single department or system is a different problem from full environment encryption. Scope determines both the cost of downtime and the feasibility of containment. Has the attacker accessed domain controllers? Backup systems? Critical manufacturing equipment? A localized infection may be recoverable through isolation and selective restoration. Global encryption that touches every system demands faster, broader intervention.

Was data stolen, and what type?

Determine whether the attacker accessed unencrypted data before encryption began. If they exfiltrated customer data, payment records, proprietary information, or personally identifiable information, you face mandatory breach notification, regulatory reporting, and potential liability regardless of whether you pay. The data risk cannot be paid away. Forensics and threat intelligence teams need to understand the scope: what was taken, from where, and whether evidence of deletion exists.

What is the cost of downtime per day?

Calculate the direct cost of operations halted: lost revenue, failed commitments, supply chain disruption, employee productivity loss. For critical infrastructure, hospitals, or manufacturing, this number is large quickly. It provides a ceiling: if daily downtime exceeds the ransom demand, the financial argument for payment becomes more plausible. For knowledge workers or non-critical systems, downtime costs are typically far lower than the ransom. This number should inform strategy but not dictate it.

What are contractual and regulatory obligations?

Some contracts require notification within 24 hours. Some regulations mandate preservation of evidence and chain-of-custody for forensic work. Some require breach reporting to regulators. Paying a ransom may interfere with these obligations. Paying may trigger your cyber insurance policy in ways that help or hinder. An organization bound by EU regulation may face GDPR penalties for failure to secure data independently of ransom decisions. Consult legal and compliance counsel before moving forward.

What role should cyber insurance play?

Cyber insurance does not make the decision for you, but it can structure the process. A reputable policy may provide breach response counsel, forensics and incident response support, negotiation expertise, and business interruption coverage. Those resources help you assess sanctions risk, preserve evidence, validate whether a decryption key is likely to work, and understand the financial trade-offs. The insurer helps gather facts and coordinate experts; the final choice remains yours.

What options already exist before the attack?

The most important ransomware decision is made months before an attack occurs. Tested offline backups, documented recovery time objectives, strong identity controls, privileged access management, segmentation, incident response readiness, and effective detection and monitoring all create options when the moment arrives. Organizations with these capabilities can respond with confidence. Those without them face terrible choices.

The bottom line

There is no universal answer to whether you should pay a ransom. The responsible answer depends on your backups, your data exposure, your downtime costs, your legal and regulatory context, your insurance coverage, and the specific facts of your attack.

What is universal: organizations with tested backups, containment capability, and a response plan never face desperation. They face a decision with options. Those are the only decisions worth making in advance.