Breach Horizon
incident-response

Should Your Business Pay a Ransomware Demand? The Honest Math

Breach Horizon EditorialMay 19, 202610 min readReviewed by Laurens Vanhaecke

A Decision You Want to Make Before You Need To

Every business gets a different version of the same conversation eventually. Sometimes it happens on a Tuesday morning. Someone in IT can't access shared drives. Then the file server's Windows desktop is a wallpaper with a ransom note. Then your endpoint protection lights up in 30 places at once. Then there's a Bitcoin address and a deadline.

You have between two and seven days. Customer-facing operations are down. Your team is staring at you. Your CFO is doing back-of-the-envelope math on payroll. And someone is going to ask: Should we just pay?

The honest answer is "it depends" — but it depends on specific, knowable variables, most of which you can figure out before you're in the chair. The worst time to think through ransomware policy is at 8 PM on Day 2 of a live incident with the FBI on speaker. The best time is now, while reading this.

This piece is the honest math of paying versus not paying, plus what to do this week to be in a stronger position if it ever happens to you.

The Frame: It's Not a Moral Question

There's a popular framing online that paying ransomware is morally wrong because it funds the next attack. There's truth to this in aggregate — paid ransoms are the operating budget of the ransomware ecosystem — but for an individual small business on Day 2 of an incident, this framing is unhelpful. Your business isn't a policy lever. Your customers don't care whether you paid. Your employees need paychecks. Your CEO needs to keep the business solvent.

The actual question is operational: Can we recover faster, cheaper, and with better outcomes by not paying than by paying? The answer is usually yes, but not always.

The corollary: Are we legally allowed to pay? In 2020 OFAC issued an advisory that paying ransoms to sanctioned entities (which includes most major ransomware groups — Conti, BlackCat, LockBit, etc. were all sanctioned at various times) violates U.S. sanctions law. That isn't a guideline. It's federal law with criminal penalties for willful violations. Some payments are facilitated through specialized firms that handle OFAC screening; those firms are also tightly regulated and not always available.

So before you can even ask "should we pay," you have to ask "are we legally permitted to pay," and the answer often involves your incident response firm, your counsel, and your insurer working together within the first 24 hours.

What Does Paying Actually Get You

Setting moral and legal questions aside, what does a ransom payment actually buy?

Sometimes: a working decryptor. If you pay, the ransomware operator typically sends a decryptor binary. Whether it works at all, how reliably it works, and how fast it decrypts data are highly variable. Mandiant's data from 2023 found that even when decryptors are provided, average data recovery is around 65% — meaning even paid decryption typically loses a third of your data. The other 35% is corrupted in the encryption process, locked behind buggy decryption logic, or simply not recoverable.

Sometimes: a promise to delete stolen data. Modern ransomware is "double extortion" — the attacker encrypts your data AND copies it before encrypting. The second extortion is "pay or we publish your data on our leak site." Paying for "deletion" is paying for a promise from a criminal. Sometimes the data is deleted. Sometimes it's resold to a different criminal group. Sometimes it's published anyway, six months later, when the heat dies down. There is no reliable enforcement mechanism for a promise from someone whose business model is extortion.

Sometimes: speed. A working decryptor can theoretically restore your environment in hours instead of the days or weeks a full rebuild from backups takes. In practice, decryption is slow (often slower than restoration from clean backups), and you still have to forensically determine what was accessed during the dwell time before the encryption kicked off. The "we paid and we were back up faster" stories often skip over the weeks of post-payment incident response that still happen.

What payment does NOT get you, regardless of price:

  • A guarantee that your data isn't already being sold to a different attacker
  • Removal of backdoors the attacker installed during their dwell time (typically 4-9 days before encryption)
  • Restoration of customer trust (your customers care that you were breached, not that you paid)
  • Avoidance of regulatory disclosure requirements
  • A guarantee against re-attack — paid victims are statistically more likely to be re-attacked within 12 months

What Not Paying Actually Costs

The alternative — declining to pay and recovering from backups — is usually the better path, but it's not free. The realistic cost line items:

Downtime. This is the biggest variable. A well-prepared business with tested backups can be operationally restored in 5-14 days. A poorly-prepared business can take 4-8 weeks, and sometimes never fully recovers — about 60% of small businesses hit by ransomware close within 6 months of the incident according to the National Cyber Security Alliance.

IR firm fees. A typical incident response engagement with a top-tier firm runs $50K-300K for a small business, depending on environment complexity. Mid-tier firms run $25K-100K. This is non-optional if you want to know what data was accessed and how to close the holes — without it you'll get re-attacked.

Legal counsel. Privacy counsel + breach notification counsel typically costs $20K-100K for a small business. They handle the regulatory mosaic — different states have different notification laws, federal sector-specific rules (HIPAA, GLBA, etc.) apply where applicable, and your cyber insurance may require specific counsel.

Customer notification. Your obligation depends on what data was accessed. Notifying 5,000 customers via certified mail with credit monitoring runs $50K-150K. If you're regulated (healthcare, financial services, education), the bar is even higher.

Lost business. Downtime revenue loss varies wildly by business model. A services business with billable hours loses every hour roughly proportionally. An e-commerce business loses peak hours disproportionately. Average revenue loss across SMB ransomware incidents is around $120K-300K, but the distribution is bimodal — most lose less than $100K, some lose over $1M.

Recovery hardware and software. Rebuilding endpoints from scratch, sometimes replacing hardware that can't be safely sanitized, replacing licenses. Typically $20K-80K for a small business.

Even at the low end, the all-in cost of NOT paying is rarely below $100K for a small business that's been hit. The high end can exceed $500K. This is why ransomware operators set their demands where they do — they know the comparison cost.

When Paying Genuinely Makes Sense

Paying makes operational sense in a narrow set of circumstances:

  1. Critical patient/safety data with no backups. A medical practice with patient records and no off-site backups, where the patients' immediate care depends on records access, may face a true emergency. (Practices with this exposure have a deeper problem to address, but the immediate question is real.)

  2. Insurance carrier has greenlit and is paying. If your cyber insurance carrier has done OFAC screening, engaged a payment facilitator, and is willing to pay on your behalf, you're not making the decision — your insurer is. The math has already been done by their incident response team and they've concluded payment is the cheaper path. Most modern policies do not pay ransom directly, but some legacy and specialty policies still do.

  3. Provable double-extortion of highly sensitive data, paying for deletion of THAT specific data. Rare but real: if the attacker has provably exfiltrated data whose public exposure would be catastrophic (legal privilege, trade secrets, etc.) and your counsel believes payment increases the probability of non-disclosure, payment might be considered. This is a counsel-led decision, not a technical one.

In all three cases, the payment is processed through an OFAC-compliant facilitator, not directly. Direct cryptocurrency payments to sanctioned entities are how businesses end up in federal trouble in addition to the breach.

When Paying Absolutely Doesn't Make Sense

The much more common case — where paying is just wrong on multiple axes:

  1. You have working backups. If your backups are tested, immutable, off-network, and recent, paying is paying to skip a 5-14 day restoration window in exchange for an unreliable decryption tool that may take just as long. The math doesn't work.

  2. The attacker is sanctioned. OFAC compliance isn't optional. If the threat actor group is on the sanctions list (which most of the major groups are or have been), payment exposes you to additional federal liability — adding to the operational disaster, not subtracting from it.

  3. The demand is small relative to data sensitivity. A $30K demand for the keys to a customer database with regulated PII is often a test. Paying signals to other attackers that your business pays. Multiple re-attacks within months are common. The downstream cost of being known as a payer typically exceeds the savings from the initial payment.

  4. You haven't yet talked to the FBI. The FBI does not require victims to refuse payment — but they do have intelligence on the specific group attacking you that you don't have. Sometimes a group is known to provide non-functional decryptors. Sometimes a free decryptor exists (No More Ransom maintains a public database). Calling the FBI within the first 24 hours costs you nothing and often saves the payment.

What to Do This Week — Before You're in the Chair

The single highest-leverage prep work for ransomware is happening before there's a ransom note on a screen. The list:

1. Get cyber insurance. Even a minimal $1M policy puts you in contact with a 24/7 incident response retainer. The IR firm — not your IT person, not your MSP — is who you want making the early calls during a live incident. The insurance is almost always cheaper than going without when the day comes.

2. Test your backups. Specifically: do a full restore drill at least twice a year. Time it. Note what worked and what didn't. If your backups are on-network or the backup credentials are accessible from the production environment, you don't really have backups — modern ransomware groups specifically target backup systems before encrypting. Use immutable storage (S3 Object Lock, Wasabi immutable buckets, Azure immutable blobs) for at least one copy.

3. Pre-engage an IR firm. Even without an active retainer, get on a phone call with one IR firm and one privacy counsel. Get their numbers in a printed binder, not just in your email. When the incident hits, your email may be inaccessible.

4. Write the IR runbook. Six pages, in plain English. What's the call sequence? Who calls the insurer? Who calls the FBI (ic3.gov, local FBI field office)? Who notifies the board? Who's the single spokesperson for customers? Print it. Put it in the binder.

5. Run the Breach Horizon Exposure Report and the Ransomware Cost Calculator. The Exposure Report shows the gaps that ransomware groups typically exploit (weak external surface, missing email auth, unmonitored remote access). The cost calculator models your specific business's downtime exposure so you have a baseline number to compare against during a live incident.

6. Practice the table-top. Once a year, sit your leadership team in a room for two hours and walk through a ransomware scenario. "It's 10 AM. Our file server is encrypted. The note says $250K in 5 days. Go." See where the decisions get stuck. Fix the runbook.

Final Word

The "should we pay" question feels like a moral one in the abstract and becomes a brutally operational one in the moment. The framing that helps most: you're not deciding whether ransomware groups should exist. You're deciding whether paying maximizes the probability that your specific business comes through the incident intact.

For most small businesses, the answer is no — and the reason is that with reasonable preparation, the cost of recovering without paying is lower than the cost of paying plus the cost of the downstream consequences (re-attack risk, regulatory exposure, customer trust). Reasonable preparation includes immutable off-network backups, cyber insurance, an IR firm on speed-dial, and a one-page runbook.

If you're reading this and you haven't done that prep yet, the day to start is today. The day you actually need it is, by definition, the day you wish you'd started sooner.

Run the Exposure Report, model your downtime cost with the Ransomware Calculator, and put the IR firm and your insurer on a sticky note where you can see it. The next 30 minutes of work is the cheapest insurance you'll buy this year.

See what attackers see — before they do.

Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.