Should you pay the ransom? What to weigh before deciding
It’s the question every ransomware victim faces under pressure. The honest answer is that paying is unreliable, risky and best avoided — and the best time to make that true is before an attack.
What paying does not buy
- A guaranteed recovery — decryptors are often slow, buggy or incomplete.
- Certainty your data won’t leak — attackers keep copies and may extort again.
- The end of the incident — you still have to find and close how they got in.
- Immunity — organisations that pay are seen as willing payers and targeted again.
Legal and regulatory considerations
Payment can carry legal risk — for example, sanctions rules may prohibit paying certain groups, and regulators may expect notification of the incident regardless. Involve legal counsel and, where relevant, law enforcement early. Never make the decision in isolation under time pressure.
When organisations feel forced to pay
Almost always, it’s because the alternative — restoring from backups — isn’t available: backups were encrypted, never existed, or were never tested. That is a preparation failure, and it’s avoidable.
The way out of the dilemma
- Maintain offline, immutable, tested backups so restoring is a real option.
- Have a rehearsed incident plan so decisions aren’t made in panic.
- Reduce the chance of a successful attack in the first place with strong access controls and testing.
Get these right and the "should we pay?" question largely answers itself: you recover instead.
FAQ
Related questions
Is it illegal to pay a ransom?
It depends on the jurisdiction and the group involved. Payments to sanctioned entities can be unlawful, and regulators may still require incident notification. Always involve legal counsel before considering payment.
If we pay, will we get our data back?
Not reliably. Many who pay receive a decryptor that is slow or only partially works, and stolen data can still be leaked. Payment buys a promise from criminals, not a guarantee.
What is the alternative to paying?
Recovering from tested offline backups, guided by a rehearsed incident-response plan, while closing the entry point the attackers used. Preparation is what makes this the realistic choice.
Keep reading
More guides
-
Ransomware readiness checklist: the controls that matter most
A prioritised checklist to prepare for ransomware — starting with the backups and access controls that decide whether you recover or pay.
Read guide -
Building a ransomware recovery plan that works under pressure
A recovery plan is what turns a ransomware crisis into a procedure. Here’s what belongs in one — and why rehearsal matters.
Read guide