
Should I Pay a Ransomware Demand?

Quick Answer

Generally, no. Paying funds criminal enterprises, doesn't guarantee recovery, marks you as someone who pays, and may have legal implications. But this is a business decision that depends on your specific situation. Get expert advice before deciding.

Why You Shouldn't Pay

It doesn't guarantee recovery

Payment statistics vary, but:

  • Many organisations pay and still don't get working decryption keys
  • Some get keys that don't work properly
  • Some get keys and then get re-encrypted
  • Recovery using provided tools is often slow and incomplete
Paying is not a reliable recovery strategy.

It funds criminal enterprises

Your payment funds:

  • More ransomware development
  • More attacks on other organisations
  • Organised crime infrastructure
  • Potentially sanctioned entities
You're financing attacks on others.

It marks you as a payer

Criminal organisations share intelligence. Paying once:

  • Marks you as willing and able to pay
  • Makes you a target for future attacks
  • May result in higher demands next time
Victims who pay are often attacked again.

Legal implications

Sanctions risk: Some ransomware groups are connected to sanctioned entities. Paying may violate sanctions laws.

Regulatory implications: Some jurisdictions restrict ransom payments. This is evolving and may tighten.

Insurance complications: Policies vary on payment coverage and may require specific processes.

It doesn't address root cause

The attackers got in somehow. Paying for decryption doesn't:

  • Remove the vulnerability they exploited
  • Guarantee they're not still in your network
  • Prevent them from attacking again
  • Address data theft that often accompanies encryption

When Organisations Consider Paying

Despite the above, some organisations pay. Situations include:

Life safety: Healthcare organisations where patient care is at risk.

Business survival: Where extended downtime means going out of business.

No viable alternative: Truly no backups, no recovery path, catastrophic impact.

These situations shouldn't exist with proper preparation.

The Decision Framework

If you're considering payment:

1. Assess recovery alternatives

  • What's your backup status?
  • Can you rebuild without paying?
  • How long would recovery take?
  • What's the business impact of that timeline?
Don't pay if you can recover.

2. Understand what you're paying for

  • Are they threatening data publication? (Paying doesn't guarantee deletion)
  • Is it just encryption? (Focus on recovery)
  • Have they exfiltrated data? (Payment doesn't un-steal data)

3. Consider sanctions exposure

  • Which group is it?
  • Are they connected to sanctioned entities?
  • Get legal advice before any payment

4. Involve appropriate parties

  • Legal counsel
  • Cyber insurance (if you have it)
  • Incident response specialists
  • Law enforcement (they recommend against payment but provide intelligence)

5. Negotiate if you do pay

  • Initial demands are often negotiable
  • Proof of decryption capability (test on sample files)
  • Professional negotiators can help
  • Don't pay full amount upfront

What You Should Do Instead

Before an attack

Make payment unnecessary:

  • Immutable, tested backups
  • Incident response plan
  • Business continuity planning
  • Cyber insurance
If you can recover without paying, there is no payment decision to make.
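"Tested" is the half of "immutable, tested backups" that most organisations skip: a backup nobody has restored is an assumption, not a recovery plan. The following is an added example (not the article's own tooling) of a minimal restore test: at backup time it records a SHA-256 manifest of every file, and at test time it re-hashes a restored copy and reports anything missing, altered (for instance, encrypted) or unexpected, plus a simple recovery-point-objective freshness check. The directory layout, file names and the `demo()` scenario are constructed for illustration; immutability itself is a property of the storage (write-once or object-lock style retention) and is not shown here.

```python
"""Backup restore test: hash manifest at backup time, verify at restore time.

Added example, not the article's own code. Assumes backups are plain files
under a directory; the manifest is a dict you would store alongside (and
ideally away from) the backup itself.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> Dict:
    """Record the hash of every file in the backup and when it was taken."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[str(p.relative_to(backup_dir))] = hash_file(p)
    return {"taken_at": time.time(), "files": files}


def verify_restore(manifest: Dict, restore_dir: Path) -> List[str]:
    """Compare a restored tree against the manifest.

    Returns a list of problems: missing files, files whose content differs
    (e.g. encrypted or tampered), and unexpected extra files. An empty list
    means the restore test passed.
    """
    problems = []
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif hash_file(p) != digest:
            problems.append(f"content mismatch: {rel}")
    for p in restore_dir.rglob("*"):
        if p.is_file() and str(p.relative_to(restore_dir)) not in expected:
            problems.append(f"unexpected: {p.relative_to(restore_dir)}")
    return problems


def backup_is_fresh(manifest: Dict, max_age_seconds: float,
                    now: Optional[float] = None) -> bool:
    """Check the backup's age against a recovery point objective (RPO)."""
    now = time.time() if now is None else now
    return (now - manifest["taken_at"]) <= max_age_seconds


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a clean restore, then a damaged restore where one
    file was overwritten with random bytes (standing in for encryption) and
    another was never restored. Returns both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed
        (backup / "config.ini").write_text("[db]\nhost=localhost\n")  # constructed
        manifest = build_manifest(backup)

        good = Path(tmp) / "restore_good"
        good.mkdir()
        for rel in manifest["files"]:
            (good / rel).write_bytes((backup / rel).read_bytes())

        bad = Path(tmp) / "restore_bad"
        bad.mkdir()
        (bad / "ledger.csv").write_bytes(os.urandom(32))  # simulated encryption
        # config.ini deliberately not restored
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Run a check like this on a schedule against a real restore, not against the backup media in place: the point is to prove the restore path works end to end while nobody is under pressure.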

During an attack

Focus on:

  • Containment (stop spread)
  • Investigation (how did they get in?)
  • Recovery (can you restore from backups?)
  • Evidence preservation
  • Legal and regulatory obligations
Payment is a last resort, not a first response.

After recovery

Regardless of payment:

  • Root cause analysis
  • Close the vulnerability
  • Assume they're still inside until proven otherwise
  • Improve defences
  • Document lessons learned

Our Position

We advise against payment. We focus on:

  • Prevention: Controls that stop ransomware
  • Resilience: Backups and recovery capability that make payment unnecessary
  • Response: Expert help if the worst happens
If you're ever in this situation, we help you understand your options—but our goal is ensuring you're never forced into this decision.
