Should You Pay the Ransom During a Cyberattack?


When ransomware hits, one of the most critical and controversial questions you’ll face is whether or not to pay the ransom. It’s a decision that sparks strong opinions, especially in the headlines. But for the companies actually living through an attack, the answer is rarely black and white. 

Why “We’ll Never Pay” Might Be an Oversimplification 

Many organizations say upfront that they’ll never pay a ransom. It’s a principled stance, and in a perfect world, it’s the right one. But it’s also usually made before they’ve experienced the real-world impact of a ransomware event. 

Cyberattacks happen daily, and many never go public. In AON’s incident response experience, 60% of their clients end up paying a ransom. That’s hundreds of businesses, just from their firm alone, not counting the dozens of other forensic teams responding to incidents every day. 

And nearly every time, the payment decision comes down to a business calculation. 

A Business Decision, Not a Moral One 

Consider this scenario: 

  • Your company brings in $50,000 a day in revenue. 
  • You can recover from backups, but it’s going to take 3 weeks to fully restore operations. 
  • The ransom demand is $500,000. 

Doing the math, three weeks of downtime could cost $1,050,000 in lost revenue, more than double the cost of the ransom. That doesn’t even factor in reputational damage or customer churn. 

In these cases, paying becomes less about principle and more about survival. It’s a hard call, but often a practical one. 

What You’re Really Paying For 

When a company chooses to pay, it’s not just about regaining access to encrypted systems. Increasingly, threat actors are also exfiltrating sensitive data and threatening to leak it if payment isn’t made. The ransom may be: 

  • A decryption key or decryptor tool to restore operations
  • A promise (as much as you can trust it) that stolen data won’t be published
  • A way to reduce legal or regulatory exposure if protected data is involved

The Long-Tail Impact of a Cyber Attack 

The costs of a ransomware incident extend far beyond technical recovery: 

  • Customer trust: Downtime can push customers to your competitors. 
  • Reputation: A breach can shake stakeholder confidence for months or even years.
  • Business continuity: Even with backups, recovery takes time, labor, and planning. 

The ransom itself may be one of the smaller financial components when you tally up the total cost of a ransomware attack. 

Decide Before It Happens 

The best time to decide whether you’re willing to pay a ransom isn’t when your systems are encrypted and your team is in panic mode; it’s before an attack ever happens.

Here’s what we recommend: 

  • Talk with your executive team about where your organization stands. 
  • Run tabletop exercises to explore worst-case scenarios and potential response decisions. 
  • Understand what cyber insurance will and won’t cover. 
  • Work with outside counsel to understand legal and regulatory implications of either choice. 

This is not an easy decision, and it shouldn’t be made on the fly. Planning ahead gives you the clarity and confidence you’ll need if the worst ever happens. 

Talk to Aldridge today to help you assess your ransomware risk, build a response plan, and walk through the scenarios that matter most to your business. Take advantage of our free Security Incident Response Template to help your team get started. 

Let’s make sure you’re ready for whatever comes next.