
Ransomware: Should Your Business Pay?

The screen goes black. Then a message appears…


“All your files have been encrypted. Pay £500,000 in cryptocurrency within 72 hours or lose everything.”

Your systems are frozen. Your operations are halted. Your team is in panic mode. This isn’t a drill: your business is under attack. You think to yourself, “Is this real? It can’t be happening!”

Sadly, it is! This is the terrifying reality of a ransomware incident. And it’s happening more often and with higher stakes than ever before.

In that moment, with every minute costing you not only money but your reputation, a single, agonizing question arises:

Should we pay the ransom… or fight back?

This blog post breaks down the real-world consequences of both choices, why law enforcement advises against paying, why victims of ransomware do still pay up, and most critically how your business can build the resilience to avoid ever having to face this decision.


What Is Ransomware?

Ransomware is a type of malicious software designed to deny access to a system or data until a ransom is paid, hence the name. It can encrypt files, lock devices, or disrupt critical infrastructure. The demand usually comes with a deadline, pressuring victims to pay quickly, typically in hard-to-trace cryptocurrency such as Bitcoin.

These attacks typically spread via:


  • Phishing emails with malicious attachments or links

  • Compromised websites

  • Exploited software vulnerabilities

  • Remote Desktop Protocol (RDP) attacks


Ransomware has evolved from opportunistic attacks on individuals to targeted campaigns against businesses, healthcare organizations, local governments, and even entire supply chains.



The Impact on Businesses

The consequences of a ransomware attack can be severe:

  • Operational Downtime: Employees may be unable to access systems, halting productivity for hours or even weeks.

  • Financial Losses: Recovery costs, ransom payments, legal fees, and lost revenue can total millions.

  • Reputational Damage: Customers and partners may lose trust in your ability to safeguard their data.

  • Regulatory Fines: If personal or customer data is exposed, you may face GDPR or other compliance violations.


The Temptation to Pay

In the chaos following a ransomware attack, paying the ransom might seem like the quickest and easiest route to recovery. It may seem like the most tempting way to end the nightmare quickly. Some attackers even offer "proof" by decrypting a few files to build trust. And when every minute of downtime affects revenue, service delivery, or even public safety, leadership might lean toward payment.

The reality is that some do pay. The cost and time of a full investigation, while the business is unable to function, wear them down.


🚫 Four Key (but not the only) Reasons NOT to Pay


  1. No Guarantee of Recovery

    Attackers may not provide a decryption key at all. In some cases the data is irretrievably damaged, or the decryption process fails. If that happens after you have already paid, the attackers have no incentive to help you. You are then out of pocket and have still lost your data.


  2. You’re Funding Cybercrime

    Every payment strengthens criminal enterprises. The profits are often used to fund future attacks, maybe even on your own business.


  3. You Become a Repeat Target

    Once you've paid, you're labelled as a "payer". The next time the criminals want to make some cash, you can bet you will be on their list: they may return for more money, or resell your data.


  4. Potential Legal Risks

    Paying certain threat actors, especially those linked to sanctioned countries or terrorist groups, could violate national or international laws.


So… Should You Ever Pay?


The official stance of law enforcement agencies globally is: Do not pay.

This includes the FBI, Europol, and the UK’s National Cyber Security Centre. And ethically, it’s clear: paying fuels the problem.

But in the real world, the situation is sometimes more complex. A hospital, public utility, or transportation provider may determine that paying is necessary to protect lives or maintain essential services. These are difficult decisions, often made under intense pressure.


Whether you give up and pay, or decide to fight, either path is fraught with danger, and there is no guarantee that the business will be up and running as it was before.

Paying should be the absolute last resort and this route should only be chosen after consulting legal counsel, cybersecurity professionals, and relevant authorities. This of course takes time, and for a business time is money. See the dilemma?


How Businesses Can Avoid Ever Having to Pay

The best defence is a combination of strong technical controls and an excellent business continuity/disaster recovery plan. Businesses must invest in proactive strategies to prevent, detect, and respond to ransomware threats before they cause irreparable damage.


Prevent…


1. Regular, Secure Backups

Maintain frequent backups of critical data and store them offline or in isolated cloud storage. Regularly test restoration processes so you're confident you can recover without relying on cybercriminals.


2. Employee Awareness Training

Most ransomware attacks start with human error. Train staff to recognize suspicious emails, fake login pages, and unsafe downloads. Build a culture of vigilance and openness when it comes to matters of security.


3. Network Segmentation

Divide your IT environment into separate zones to limit how far malware can spread. If attackers get in, they shouldn’t have access to everything.


4. Patch and Update Software

Cybercriminals often exploit known vulnerabilities. Keep all systems, apps, and firmware updated, including third-party tools and IoT devices.


Detect… Respond…


5. Incident Response Plan

Develop and rehearse a ransomware response plan. Define roles, responsibilities, and escalation procedures. The more prepared you are, the faster you can respond. Rehearse that plan regularly and learn from the rehearsals.


6. Implement EDR and MDR Solutions

Modern Endpoint Detection and Response (EDR) tools and Managed Detection and Response (MDR) services provide real-time monitoring and automated threat containment.


7. Get Cyber Insurance

Cyber insurance can help offset the costs of recovery, legal fees, and public relations. But be cautious: not all policies cover ransomware, and some insurers may pressure you to pay. Review your policy thoroughly.


Real-World Example:


If you follow the news, or have spoken to anyone who has recently been to M&S, you will no doubt have heard of the April 2025 cyber-attack. It was attributed to the hacker group Scattered Spider. The attack disrupted online clothing sales, contactless payments, and other services, potentially impacting operating profits by up to £300 million. The breach was linked to third-party human error, exposed customer data, and prompted a class-action lawsuit.


Final Thoughts: Rethinking the Ransom


Take Action Today! If ransomware hits, that is the worst time to make a decision: it will be a very high-pressure crisis. Prepare for the worst. Take every step you can to prevent ransomware getting into the business.

If a business is afflicted, despite their best efforts, the question “Should we pay?” should already have been the subject of internal debate. Part of that debate could be:

  • “Are we prepared to recover without paying?”

  • “How strong are our defences?”

  • “Do we have clear policies, backups, and training in place?”

Every step you take today reduces your risk tomorrow. Don’t wait for a ransomware attack to expose your weaknesses. Begin now:

  • Review your backup strategy

  • Schedule cybersecurity training

  • Perform a ransomware tabletop exercise

  • Audit your insurance coverage

  • Consult with cybersecurity professionals

