The Payment Dilemma
When ransomware encrypts your systems and criminals demand payment, you face one of the most difficult decisions in cybersecurity. There's no universally correct answer—the choice involves legal, financial, ethical, and operational considerations that vary for every organization.
This guide examines both sides of the argument and helps you prepare a decision framework before you ever face this situation.
Arguments Against Paying
The case against payment is compelling from multiple angles.
Financially, paying funds a criminal enterprise and carries no guarantee of a working decryptor. Organizations that pay are frequently re-targeted, sometimes by the same affiliates, because a known payer is a valuable mark. Each payment also makes the next attack on someone else more likely, and the demand itself often exceeds the cyber-extortion sub-limit of the victim's insurance policy, leaving the balance uncovered.
Legally, payment may violate sanctions law. In the United States, OFAC (the Treasury's Office of Foreign Assets Control) has warned that paying a ransom to a sanctioned person, group, or jurisdiction can violate sanctions regulations, and it can impose civil penalties on a strict-liability basis, so not knowing who was behind the attack is no defense. Similar regimes exist elsewhere, and any intermediary that moves the funds has its own anti-money-laundering obligations. Some jurisdictions prohibit payment outright for certain entities; several US states, for example, bar state and local government bodies from paying.
Operationally, attacker-supplied decryptors are often slow, buggy, or incomplete, and for a large environment the decryption run itself can take days or weeks, sometimes longer than restoring from backups. Treat any decryptor the attacker delivers as untrusted software: run it on isolated copies of the encrypted data and confirm it works on sample files before relying on it. Payment also does nothing to fix the weakness that let the attacker in or to remove the persistence they left behind; an organization that pays and restores without eradicating the intrusion can be encrypted again. And it does not prevent publication of stolen data, which attackers may leak regardless of payment.
Ethically, every payment funds ongoing criminal operations and enables attacks on future victims. Organizations that pay perpetuate the ransomware business model that makes these attacks profitable.
Arguments For Paying
Despite these concerns, some situations make payment the least-bad option.
Financially, recovery costs sometimes exceed the ransom amount, particularly when extended downtime threatens business survival. Insurance policies often cover ransom payments and provide negotiation support. Skilled negotiators frequently reduce demands significantly, and in some cases, downtime costs so vastly exceed the ransom that payment becomes economically rational.
Operationally, backups don't always work: attackers commonly locate and destroy them before detonating the ransomware, they may be incomplete, or a full restore may simply take longer than the business can survive. When business continuity is critical and no alternative exists, payment may be the only path to survival.
For data protection, payment may prevent publication of stolen data, but only on the word of a criminal. Some groups do delete what they took; nothing forces them to, the data may already have been shared or sold, and any "proof of deletion" they offer cannot be verified.
Pre-Attack Decisions
The worst time to make ransom decisions is during an active attack when stress is high and time is short. Organizations should establish their framework in advance.
Review your insurance policy to understand whether it covers ransom payments and under what conditions. Determine the maximum amount your organization could afford to pay if necessary. Consult legal counsel about which jurisdictions apply to your situation and what regulations constrain your options.
Critically, establish who has authority to make payment decisions. This typically involves executive leadership, legal counsel, and the board for significant amounts. Identify in advance who would handle ransom negotiations, whether internal staff, external specialists, or insurance-provided resources. Finally, decide your approach to law enforcement. Reporting obligations depend on who you are and what was taken: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, US public companies must disclose material cybersecurity incidents under SEC rules, and regulated sectors such as healthcare have their own notification duties. Beyond what is mandatory, early contact with the FBI (or the equivalent national agency) can provide intelligence about the specific threat actor, and in some cases law enforcement has obtained decryption keys it could share with victims.
Payment Considerations Checklist
When facing an active attack, work through these questions systematically:
- Can you recover from backups without paying?
- How long does recovery take versus business impact of downtime?
- What is the estimated ransom demand?
- Does your insurance policy cover it?
- What are the legal implications in your jurisdiction?
- Are there OFAC or sanctions concerns with the attacker?
- Will sensitive data be published if you don't pay?
- Can the ransom likely be negotiated lower?
- Who has authority to approve payment?
- What is law enforcement's position on this specific case?
Understanding Ransom Economics
The numbers help contextualize these decisions, with the caveat that published figures vary widely by survey and by whether demands or actual payments are counted. Surveys of 2024 incidents report average demands anywhere from about $5 million to $15 million, while median demands fall between roughly $250,000 and $600,000; the gap reflects a small number of very large demands that skew the average.
Approximately 30-50% of ransomware victims pay, depending on the study. Of those who pay, roughly 60-80% obtain a working decryptor, so a meaningful share pay and still do not recover, and even a working decryptor typically restores only part of the data.
The trends are concerning: demands increase annually, double extortion (pay or we publish your data) has become standard, attackers increasingly target high-revenue organizations, and negotiation tactics grow more sophisticated.
The Reality of Negotiation
Most ransomware attacks involve negotiation rather than simple payment of the initial demand. An attacker demanding $10 million may ultimately accept $1-2 million. Specialized negotiation firms handle these conversations, often with guidance from law enforcement who may have intelligence about specific threat actors.
Negotiation timelines range from days to weeks, during which systems remain encrypted and business operations suffer. This reality factors into the total cost calculation.
Government and Industry Guidance
The US government, through the FBI, recommends against payment: it does not guarantee recovery, it funds further attacks, and it may violate sanctions if the attackers are connected to a sanctioned entity. The FBI encourages victims to report (through a local field office or the Internet Crime Complaint Center, IC3) and provides investigative assistance, but its official guidance remains: don't pay, and work with law enforcement instead.
European guidance varies by country but generally discourages payment and expects escalation to national law enforcement. GDPR adds obligations when the attack involves personal data: the supervisory authority must be notified within 72 hours of becoming aware of the breach and, where the risk to individuals is high, the affected people must be told as well, regardless of whether a ransom is paid.
The insurance industry presents a more nuanced position. Many policies cover ransom payments and provide incident response support including negotiation assistance and recovery resources. Insurers have financial incentives to minimize total loss, which sometimes means supporting payment if it reduces overall claim costs.
Making the Decision
Ransom payment is ultimately a complex risk decision involving financial cost-benefit analysis, legal compliance requirements, insurance policy terms, operational impact assessment, and ethical considerations. No formula provides the right answer for every situation.
The best practice is ensuring you never face this decision. Maintain backups that are offline or immutable and out of reach of the domain credentials an attacker is likely to hold, and exercise full restores on a schedule so you know the recovery time before you need it; a backup that has never been restored is an assumption, not a control. Remember that backups answer only the encryption half of the problem: they do nothing about stolen data, so controls that detect and block large outbound transfers matter as well. Prepare your decision framework in advance with legal and insurance consultation. If attacked, report to law enforcement immediately and don't pay without careful analysis of all factors.
Organizations with comprehensive backup strategies and tested recovery procedures rarely face genuine payment decisions—they simply restore and move forward. That preparation is the best ransomware defense.