Recently, I was engaged to help a company that had fallen victim to a ransomware attack. They were in a bind—limited backups and no way to restore their customer data. After countless meetings, agonizing negotiations, and faced with an exorbitant ransom, the company made the very difficult decision not to pay. Instead, they spent months recreating customer information and rebuilding their infrastructure in line with IT and cybersecurity best practices.
While they avoided paying the attackers, the cost of recovery was steep—both financially and reputationally. It was a stark reminder of how devastating a ransomware attack can be, whether you decide to pay or not.
This experience got me thinking deeply about ransomware payments and why they are such a difficult decision for organizations today. Ransomware attacks have evolved into one of the most damaging cybersecurity threats, and they show no signs of slowing down.
The Shift: From Individuals to Organizations
Just a few years ago, ransomware attackers were primarily targeting consumers, demanding a few hundred dollars to unlock personal devices. Today, the stakes are much higher. Attackers now target well-established organizations, and instead of a few hundred dollars, they’re asking for tens of millions. One prime example is the Colonial Pipeline attack in 2021, where a $4.4 million ransom was paid to restore critical U.S. fuel supply operations.
In fact, the average ransom demand more than doubled in 2023, with payouts now reaching over $1.5 million on average. This steep rise in ransom demands has left many companies, including critical infrastructure providers, at the mercy of cybercriminals.
Double Extortion: The New Norm
Gone are the days when attackers merely encrypted your files. Now, they engage in double extortion—encrypting data while simultaneously stealing it. If the ransom isn’t paid, they threaten to release sensitive information publicly or sell it on the dark web. The CNA Financial attack in 2021 is a striking example of this, where attackers not only encrypted systems but also exfiltrated data. The company ended up paying a whopping $40 million to resolve the incident.
Legal Complexities: Paying Might Be Illegal
It’s not just a question of whether you should pay. In some regions, paying a ransom might be illegal. Governments like the U.S. and the U.K. have begun cracking down on payments, particularly when they could end up in the hands of sanctioned entities or terrorist groups. Organizations must navigate this tricky legal landscape before deciding on their course of action.
Why More Organizations Pay Than You Think
Despite the risks, more organizations pay ransoms than is publicly acknowledged. Companies often fear reputational damage, customer loss, or even legal consequences for disclosing their payments. This leads to many quiet payouts, where the ransom is handed over in secret, and life (seemingly) returns to normal.
When Paying May Seem Inevitable
In some cases, the consequences of not paying are too severe. Consider the JBS attack, where the global meat supplier paid an $11 million ransom to restore operations. Critical sectors like healthcare and infrastructure often see no choice but to pay to prevent loss of life or catastrophic service disruptions.
There have been incidents where organizations faced potential loss of life if services were not restored in time, such as ransomware attacks on hospitals. For these organizations, the risks of not paying are just too high, even though the decision to pay can have serious ramifications down the line.
Paying Doesn’t Guarantee Success
One of the biggest risks of paying is that there’s no guarantee the attackers will keep their word. Research shows that 30% of organizations that paid the ransom never received a decryption key. Worse yet, paying could make you a target for future attacks since it signals you’re willing to hand over money.
Prevention Is Better Than Cure
So, what’s the best solution? Prevention. Organizations must focus on proactive defense measures. While it is impossible to list every possible control that should be implemented (think virtually everything under cybersecurity), the following measures are key to mitigating ransomware risk:
- Modernize your identity and access management and invest in both strong authentication and authorization
- Protect corporate endpoints and BYOD devices by enforcing secure configuration and requiring endpoint detection and response (EDR)
- Identify and remediate vulnerabilities
- Monitor for signs of compromise on your infrastructure
- Restrict data flow into and out of critical systems
- Make backups and regularly test that they can be restored
- Provide regular security training for employees
- Check your cyber insurance policy coverage
- Maintain a solid incident response plan; it is crucial to mitigate the damage from an attack and reduce the likelihood of paying a ransom.
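The backup item above is the one most directly tied to the story that opens this post: the company had backups in name only and could not restore from them. A minimal way to make "test your backups" routine is to catalogue a backup set with cryptographic hashes when it is taken and to re-verify it on a schedule, so that a set that has been silently corrupted, partially overwritten or left untested for too long is noticed before it is needed. The script below is an added illustration written for this article, not code from the original post; the file names, the tampering it simulates, and the seven-day restore-test window are constructed assumptions.

```python
"""Backup integrity check: build a SHA-256 manifest of a backup set and
verify it later, so a backup that was silently corrupted, partially
encrypted in place, or never re-tested is noticed before it is needed.

Added illustration, not the original post's code. File names and the
assumed policy window (7 days between verification runs) are constructed.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup set plus a timestamp."""
    files = {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }
    return {"created": time.time(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, max_age_days: float = 7.0) -> dict:
    """Compare the current contents of the backup set against its manifest.

    Returns a report listing missing, modified and unexpected files, whether
    the manifest is older than the assumed verification window, and an
    overall 'ok' verdict that is False if any of those checks fail."""
    missing, modified = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            modified.append(rel)
    present = {
        str(p.relative_to(backup_dir))
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != "manifest.json"
    }
    unexpected = sorted(present - set(manifest["files"]))
    age_days = (time.time() - manifest["created"]) / 86400
    stale = age_days > max_age_days
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "stale": stale,
        "ok": not (missing or modified or unexpected or stale),
    }


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: a two-file backup set is catalogued, then (if
    tamper is set) one file is overwritten with random bytes, one is removed
    and a stray file appears, before the verification run."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "customers.csv").write_text("id,name\n1,Alice\n")
        (backup / "orders.csv").write_text("id,total\n1,9.99\n")
        manifest = build_manifest(backup)
        (backup / "manifest.json").write_text(json.dumps(manifest))
        if tamper:
            # Damage the set after the manifest was taken (constructed)
            (backup / "customers.csv").write_bytes(os.urandom(32))
            (backup / "orders.csv").unlink()
            (backup / "orders.csv.locked").write_bytes(b"\x00" * 16)
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points are worth noting. The manifest should be stored somewhere the backup host cannot rewrite (or signed), since an attacker who can encrypt the backups can also regenerate a matching manifest; and hash verification only proves the bytes are intact, so it complements rather than replaces an actual restore drill, which the `stale` flag is there to prompt on a fixed cadence.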
What Would You Do?
At the end of the day, the decision to pay or not is incredibly tough, and there’s no good outcome—just bad ones to choose from. Whether your organization chooses to pay or not should be a decision made at the highest levels, with the input of legal counsel and cybersecurity experts.