When Ransomware Strikes, Should You Pay the Ransom?
ICBC, the world’s largest bank, was recently hit by ransomware. In a major attack that disrupted business operations and treasury markets, the Chinese bank ended up temporarily owing the Bank of New York Mellon $9 billion. So, what did they do? They paid the ransom.
This raises the question: what if this happened to your company? Would you pay to restore your data and operations? It’s a tough decision.
Read on to find out which factors you should consider, why paying the ransom is no guarantee you’ll get your data back, and what to do instead.
Should You Pay the Ransom? Key Factors to Consider
In the event of a ransomware attack, deciding whether to pay is complex and depends on your specific situation and how well-prepared you are. Does your company have a comprehensive Incident Response Plan? What about adequate ransomware protection?
The right tools can make the difference between being forced to pay millions of dollars and not having to pay a penny. CryptoSpike from ProLion provides a last line of defense that detects and blocks ransomware attacks in real time at the file storage level. When attackers strike, you can quickly detect the unusual activity and restore the files you need.
Having a last line of defense is your best chance of not paying the ransom. Other factors also play a role, though. Follow these steps to aid your decision-making:
- Verify the data breach
Fake ransomware is becoming more common. Before paying anything, make sure the hack is real. If hackers claim to have your data, ask for proof. Don’t pay based on empty threats alone.
- Understand the type of attack and potential impact
There are many different types of ransomware attacks. Some “only” steal your data and demand a ransom for its safe return, whereas others threaten to leak confidential information.
So-called leakware attacks can have serious legal implications and damage your reputation, even if you are able to restore your data by other means.
Therefore, understanding the full extent of an attack’s impact is crucial in determining your response.
- Investigate the hacker’s reputation
Hackers are not exactly renowned for being trustworthy, but some are worse than others.
Some ransomware groups are known for not releasing data even after payment, or for providing broken keys or decryptors that don’t work. So, make sure you know their history.
It’s also important to check if the malicious actor has been sanctioned. If they are considered a threat to national security interests, paying a ransom to them could be illegal and result in a penalty.
- Check backup availability
Does your company have complete backups of the affected data? Are you able to detect which files are encrypted and restore only the files you need? If so, paying the ransom may not be necessary. Reliable backups can eliminate the need for a decryption key, because you can restore the data yourself—at least in theory.
In practice, backups are often neglected, restore procedures haven’t been tested, and companies are unable to restore files individually, so there are many cases of backups not being enough to resolve a ransomware attack.
- Review your insurance coverage
If your cyber liability insurance covers ransomware incidents, you might be able to pay the ransom without too much loss to your company.
However, due to the rise in ransomware attacks, insurance providers have started to increase premiums and exclude ransomware payments. In some cases, paying the ransom can invalidate your insurance. Therefore, be aware of the limitations and conditions of your policy.
- Check official guidance from your country’s authorities
Law enforcement authorities generally advise against paying ransoms. If you have been affected by ransomware, you should contact the authorities in your country for further guidance:
United States: Victims of ransomware attacks can report the incident to the FBI, CISA, or the U.S. Secret Service. They only need to report the incident once and all the other agencies will be notified.
United Kingdom: National Cyber Security Centre (NCSC)
Germany: Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI)
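The backup step above asks two practical questions: can you tell which files were actually encrypted, and can you restore only those? The script below is an added example, not ProLion’s CryptoSpike or any code from this article, of a file-level check a defender can run against a backup that mirrors the live tree (for instance a read-only snapshot). It flags likely-encrypted files by byte entropy, skips a few legitimately high-entropy formats by their magic headers, plans a restore of only the missing or damaged files, and reports damaged files that have no backup counterpart. The sample trees it builds in a temporary directory are constructed for the demonstration; the entropy threshold, the whitelisted headers and the file names are assumptions.

```python
"""Identify likely-encrypted files and restore only those from a backup copy.

Added example; not ProLion code. It assumes a plain file-system backup that
mirrors the live tree and uses byte entropy as the "is this file encrypted?"
signal. That is a heuristic: compressed and media formats are also
high-entropy, so a few magic headers are whitelisted (assumed list).
"""
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)
MIN_SAMPLE = 512             # entropy of very small files is not meaningful
# Legitimately high-entropy formats that must not be mistaken for ciphertext
KNOWN_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"7z\xbc\xaf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Heuristic: high entropy and not a known compressed/media container."""
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)          # the first 64 KiB is enough for the signal
    if len(head) < MIN_SAMPLE or head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def plan_restore(live: Path, backup: Path) -> dict:
    """Decide per file what to do, so that only damaged files are touched.

    Relative paths are grouped as:
      restore       - missing or encrypted in live, clean copy exists in backup
      keep          - present in live and not suspicious
      unrecoverable - suspicious in live, no backup counterpart
    """
    plan = {"restore": [], "keep": [], "unrecoverable": []}
    backup_files = {p.relative_to(backup) for p in backup.rglob("*") if p.is_file()}
    for rel in sorted(backup_files):
        target = live / rel
        if not target.exists() or looks_encrypted(target):
            plan["restore"].append(str(rel))
        else:
            plan["keep"].append(str(rel))
    for p in live.rglob("*"):
        rel = p.relative_to(live)
        if p.is_file() and rel not in backup_files and looks_encrypted(p):
            plan["unrecoverable"].append(str(rel))
    plan["unrecoverable"].sort()
    return plan


def restore(live: Path, backup: Path, plan: dict) -> list:
    """Copy only the planned files back and verify each restored copy is clean."""
    restored = []
    for rel in plan["restore"]:
        src, dst = backup / rel, live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if looks_encrypted(dst):               # a poisoned backup would surface here
            raise RuntimeError(f"backup copy of {rel} is itself suspicious")
        restored.append(rel)
    return restored


def build_demo(root: Path) -> tuple:
    """Constructed sample data: a live share after an attack and its mirrored backup."""
    live, backup = root / "live", root / "backup"
    rnd = random.Random(1)
    ciphertext = bytes(rnd.getrandbits(8) for _ in range(4096))   # stands in for an encrypted file
    clean = b"Quarterly figures, plain text, nothing unusual here.\n" * 100
    for base in (live, backup):
        base.mkdir(parents=True)
        (base / "readme.txt").write_bytes(clean)                         # untouched on both sides
        (base / "archive.gz").write_bytes(b"\x1f\x8b" + ciphertext[:2048])  # gzip-like, must not be flagged
    (backup / "report.txt").write_bytes(clean)
    (backup / "notes.txt").write_bytes(clean)
    (live / "report.txt.locked").write_bytes(ciphertext)   # original removed, renamed copy is encrypted
    (live / "notes.txt").write_bytes(ciphertext)           # encrypted in place
    return live, backup


def run_demo() -> dict:
    """Run plan + restore on the constructed trees and report what is clean afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo(Path(tmp))
        plan = plan_restore(live, backup)
        plan["restored"] = restore(live, backup, plan)
        plan["clean_after"] = sorted(str(p.relative_to(live)) for p in live.rglob("*")
                                     if p.is_file() and not looks_encrypted(p))
        return plan


if __name__ == "__main__":
    for key, files in run_demo().items():
        print(f"{key:13s} {files}")
```

Run as a script it prints the plan; the “unrecoverable” group (here the renamed `report.txt.locked`, which has no clean counterpart) is exactly the set of files for which a decryption key would still matter, which is the number the decision in this article turns on. Running the same plan against a real snapshot in a scratch location is a cheap version of the restore test that, as the backup section notes, many companies never perform.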
Don’t Pay the Ransom: Here’s Why
Whether you ask the FBI, a cybersecurity expert, or pretty much anybody, the usual advice is not to pay the ransom. Let’s explore in detail why paying is usually not recommended, and when to make an exception.
- No guarantees of data recovery or confidentiality
Only 8% of organizations actually get all their data back when they pay the ransom. This means that even after paying, there is a very real risk that your data will be lost forever, or worse, leaked. Ultimately, once the hackers have your money, they can do what they want.
- Risk of repeat attacks
80% of companies that pay are likely to be targeted again. Hackers perceive a paid ransom as a sign of weakness, making your organization a recurring target.
- High cost of ransom payments
Let’s be honest: ransomware payments aren’t cheap. It’s not unusual for ransoms to be in the tens or even hundreds of millions. The average cost of ransom payments is $740,000 but in countries like the U.S. and the U.K., and large enterprises, this figure can be significantly higher.
- Ransomware fuels terrorism and cybercrime
Paying a ransom funds the broader ransomware industry, supporting cybercrime, terrorism and other malicious activities. Such payments raise significant legal and ethical concerns, as they finance criminal operations and allow global threats to flourish.
- Ransomware payments aren’t illegal, but they could be soon
Currently, paying a ransom is only illegal if it involves paying someone on the sanctions list of the Office of Foreign Assets Control (OFAC) or its equivalent in your country.
However, this could be set to change soon as the authorities seek to crack down on cyber attacks. As part of The International Counter Ransomware Initiative, 40 countries including the U.S. are planning to sign a pledge never to pay ransom to cybercriminals.
You Might Need to Consider Paying the Ransom, If…
In some specific instances, there are arguments in favor of paying the ransom.
If you urgently need access to your data, don’t have reliable backups, and human safety is at stake, paying the ransom might be your only option.
For example, the oil pipeline operator Colonial Pipeline paid hackers $4.4 million in 2021 to restore operations. The decision went against FBI and Department of Homeland Security guidance, but the CEO testified before the U.S. Congress that it was necessary because of the severe risk to the country’s fuel supply.
Nonetheless, that decision remains controversial, and there is a better way.
Prevent Ransomware With ProLion
To be frank, if you’re not prepared for a ransomware attack, there is no ideal outcome. You lose your data if you don’t pay, and there are no guarantees even if you do. The best solution is prevention to avoid a ransomware attack occurring in the first place.
CryptoSpike from ProLion detects and blocks suspicious activity in real time. In the event of an attack, the granular restore function enables you to restore the files you need immediately.