Ransomware decision-making has become a board-level issue. Data from 2025 shows payment rates and ransom amounts declining, but the real question is whether your organization can recover quickly enough to avoid feeling forced to pay. This guide outlines a pragmatic approach to ransomware readiness and when, if ever, payment should even be considered.
Key Points
- Ransomware payment rates and amounts dropped significantly in 2025.
- The decision to pay should never be made under pressure during an incident.
- Immutable, isolated backups with regular restore testing are the strongest defense against feeling forced to pay.
- Modern attacks use double and triple extortion, stealing data before encryption, so paying rarely eliminates all risk.
- A clear “no-pay” default (with rare, pre-defined exceptions) backed by strong recovery capabilities is the most defensible long-term strategy.
Ransomware groups now function like sophisticated businesses: affiliates deliver the initial breach, operators negotiate with victims, developers maintain the malware, and money launderers move the cryptocurrency proceeds.
However, the trend is shifting. Law-enforcement pressure and tougher enterprise defenses correlate with falling payment rates and lower median payouts in 2025. Only about 23% of ransomware victims paid in Q3 2025, with the average ransom payment near $377K and the median around $140K, both sharply down quarter over quarter.
So, should your company ever pay a ransom? You’ll need a framework that weighs risk, law, finance, and ethics against the facts of this specific ransomware variant.
For most organizations, the working assumption should be not to pay. Narrow exceptions may exist, typically involving immediate risks to life, safety, or critical public services, but those decisions must be made in advance, never in the heat of an active attack.
Modern Ransomware Attacks
Modern ransomware operations almost always involve double extortion: attackers steal sensitive data before encrypting systems. Even if you recover your files, the stolen information can still be leaked or sold. Many ransomware operator groups now target backups and domain controllers to increase pressure, often launching encryption on weekends or holidays to maximize disruption.
Unpatched vulnerabilities, exposed Remote Desktop Protocol (RDP), phishing emails, malicious attachments, and malicious links remain the most common ransomware vectors. Once attackers gain access to a target system or victim’s computer, malware designed for lateral movement and mass file encryption can spread quickly across the operating system.
Ransomware as a Service (RaaS) lowers the barrier to entry, allowing affiliates with limited technical skill to deploy ransomware using commercialized ransomware programs and tooling. From first documented ransomware campaigns to modern ransomware strains like WannaCry ransomware, Maze ransomware, and DarkSide ransomware, recent ransomware attacks show how quickly the ecosystem evolves.
The Ethical Debate: Should You Ever Reward Criminal Behavior?
Law enforcement, FBI, CISA, urges you not to pay the ransom. Payment doesn’t guarantee decryption and does fund the ecosystem. Some payments may even violate sanctions, depending on the ransomware gangs involved. Even when ransomware victims pay the ransom, there is no guarantee attackers will honor the ransom demand or provide a working decryption key.
Yet leaders face trade-offs. Healthcare organizations with life-critical systems, manufacturers with thin margins and high OTIF penalties, and operators of critical infrastructure may judge that a ransom payment limits harm to patients, customers, or public safety.
You can’t outsource that judgment. You can adopt a decision framework and make the variables explicit.
Focused Decision Checklist
Keep the below to one page. In the heat of an active ransomware infection, long checklists create drag.

Prevention Is Still the Best Strategy
Strong ransomware protection combines backups, identity controls, endpoint security software, and rapid isolation of infected systems before attackers can spread encryption broadly. If you only invest in a handful of safeguards this quarter, make them these. Five focus areas consistently determine whether recovery is fast enough to avoid payment.
| Focus area | Key actions | Outcome |
|---|---|---|
| Backups that actually restore | Keep backups immutable and isolated (offline/object-lock). Test full restores quarterly and tune RTO to beat typical ransom-negotiation timelines. | Faster, reliable recovery without paying; limits attacker leverage. |
| Identity & access guardrails | Enforce MFA everywhere; block legacy auth; rotate keys; curb service-account sprawl; monitor for anomalous token use. | Shrinks common entry paths; limits lateral movement and privilege abuse. |
| Exploit hygiene | Patch unpatched vulnerabilities quickly; restrict RDP; watch for brute-force; harden OS baselines; block unsigned executables where feasible. | Reduces initial compromise risk and mass exploitation windows. |
| Detection with response (not just alerts) | Tune EDR/XDR for encrypt-at-scale behavior, canary files, mass-rename detection; drill containment: isolate hosts, disable accounts, revoke tokens in seconds. | Stops active ransomware infections early; shortens dwell time and blast radius. |
| Data minimization & encryption | Minimize sensitive data; encrypt at rest with keys stored separately; label/track sensitive data for fast breach assessment. | Lowers impact of data theft and simplifies legal/regulatory response. |
Be Proactive: Build Your Ransomware Response Plan
So what if this is happening right now? The worst time to make a ransom decision is during an incident.
Instead, you should work with the IT, legal and comms teams to develop a formal ransomware playbook.
Containment Beats Panic
Disconnect infected computers from the network; don’t power down servers unless advised by forensics. Engage incident response vendors, your insurer, and counsel. Notify law enforcement early. The FBI’s position against paying is clear, and reporting gives investigators indicators that help other organizations.
Establish a Single Communication Channel
Assign one exec voice for internal updates and one for regulators and customers. Keep a written log of decisions and evidence, timestamps, file hashes, attacker contact, ransom notes, and any indicators that suggest a particular ransomware variant.
Open your runbook to the section on documented ransomware families you’ve profiled in advance: behavior of Akira, LockBit, Play, RansomHub; known decryption tooling; common lateral-movement paths; typical ransom payment tactics. The IC3 report notes those families among the most active across critical infrastructure.
Cloud, Mobile, and the Long Tail
Mobile ransomware and lock-screen variants still surface, especially through sideloaded apps and malicious software on unmanaged devices. Mobile devices now hold confidential data that once lived only on laptops. Treat them as first-class citizens in your defense plan.
Cloud estates complicate the picture. Ransomware developers target SaaS backup connectors, IAM misconfigurations, and CI/CD secrets to deliver ransomware at scale. Ransomware distribution against object storage often uses mass-delete and retention-bypass tricks rather than classic file encryption. Storage-level immutability, versioning, and MFA delete policies help blunt these moves.
Communicating with Customers
Share what you know, what you don’t yet know, and when you’ll update again. If stolen data includes sensitive data, say so and describe steps to mitigate harm. Avoid “no impact” claims until forensics supports them. You’re protecting brand equity as much as the network.
Insurance: Friend, Not Savior
Cyber insurance sometimes brings pressure to pay the ransom. Clarify your policy terms in advance and rehearse the claims process with your broker through a tabletop exercise. A policy that funds containment and rebuilds changes the pay/don’t-pay calculus in your favor.
Governance that Works
Prep approvals you can run at speed. For high-risk changes, use pre-cleared emergency change windows and dual control for secrets. Push policy into code where possible: golden images, baseline agents, policy-as-code in CI/CD to reduce ad hoc exceptions. The more approvals depend on meetings and manual coordination, the slower containment becomes.
After Action: Improve the System
Forensics should answer how ransomware entered (phishing, exploit, vendor compromise) and how it moved. Validate that ransomware protection controls did what you thought. Feed concrete actions into your backlog with owners, dates, and budget.
One more point on ROI. Chainalysis observed a 35% YoY decline in ransomware payments in 2024–2025 alongside fewer victims paying overall, a sign that investment in resilience pays back.
Many organizations have the right intentions, but limited time to implement and test all of this. External engineering partners can help by:
- Hardening identity, backups, and cloud storage configurations at scale.
- Embedding policy-as-code and security controls into CI/CD pipelines.
- Designing and running ransomware tabletops with your technical and business leaders.
The goal is to compress the timeline from “we know what good looks like” to “we’re actually running that way in production.”
Conclusion
You can’t promise immunity from ransomware. You can make attackers’ jobs harder, shorten recovery, and cut the odds you’ll ever pay.
The moment to choose your stance, and fund recovery speed and data protection, is now, not during a live incident.



