Paying the Ransom: More than 20% Still Do Not Recover Data


May 30, 2023

World map

According to newly published research, 80% of the organizations surveyed decided to pay a ransom demand despite more than half having a “do not pay” policy with regards to ransomware attacks.  

Of the organizations that paid a ransom, 21% were unable to fully recover their impacted data, and 74% reported an increase in their cyber insurance premiums following the attack.

Takeaway: We see again and again that negotiating with criminals who have zero concern for their victims beyond their ability to pay up is no guarantee of a swift or certain resolution to a ransomware attack. It's likely the actual attackers simply do not have the prerequisite skills necessary to undo the damage they inflict - affiliate attackers rent the attack infrastructure, but that does not mean they have either the technical prowess or motivation to assure the victim is returned to a normal operating state.

The debate on whether to pay ransom demands or not has become a contentious issue among experts. The simple answer is that victims should never pay a ransom demand, which would significantly diminish the financial incentives for these attacks. In most circumstances that would be the logical approach, but it may not seem like the right approach for every organization.

For instance, it may be within the risk tolerance of a retailer to refuse a ransom demand even though downtime is costing the organization revenue while recovery efforts are underway. But what about a hospital who urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

This is why experts are divided on whether organizations should pay ransomware demands. Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom argue that doing so only encourages cybercriminals to continue their attacks by reinforcing the financial incentives that drive ransomware attacks.

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were attacked again, often by the same threat actor who demands a higher ransom payment knowing the victim is likely to pay.

Additionally, paying a ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Organizations should focus on implementing both preventative and organizational resilience measures to protect their data from future attacks and assure the organization is ready to respond effectively to a ransomware attack. By taking these measures, organizations can reduce the potential impact of a ransomware attack. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.