43%
of SMBs that pay or fail to recover close within 6 months of a ransomware attack
$247K
average ransomware demand against SMBs in 2025, up from $170K in 2024
53%
of organizations hit by ransomware recovered within one week in 2025 — up from 35% — with preparation as the differentiator
80%+
of organizations that pay receive a working decryptor, but 46% are hit again within a year

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The ransomware payment question arrives at the worst possible moment: systems are down, leadership is panicking, lawyers are on hold, and a countdown clock is running on a dark web leak site. Every organization that has thought through this decision in advance makes better choices than those improvising under pressure.

This framework does not tell you to pay or not pay. It gives you the specific questions to answer — in order — that determine whether payment is legally permissible, whether it makes operational sense given your backup state, and what the process looks like if you decide to proceed. Work through it before an attack if possible. If you are in an active incident, start at question one.

Step 1: Establish legal clearance before any payment

The most dangerous error in a ransomware incident is sending cryptocurrency to a sanctioned entity without knowing it. OFAC (the Office of Foreign Assets Control) maintains a Specially Designated Nationals list that includes several ransomware groups — paying them is a federal violation regardless of intent, with civil penalties up to $1 million per transaction and potential criminal liability.

Before authorizing any payment, your legal counsel or incident response retainer must answer: Is the ransomware group attributed to a sanctioned entity? CISA, FBI, and commercial threat intelligence platforms maintain current attribution. Groups including ALPHV/BlackCat (before takedown), Lockbit, and several North Korean-attributed operations have had OFAC exposure. Attribution is not always certain in the first 24 hours. When it is uncertain, payment carries risk and OFAC has made clear that due diligence is expected.

If legal clearance is established, document the diligence in writing. Insurance carriers and regulators will ask for it.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Step 2: Assess your actual backup and recovery position

The honest answer to 'should I pay?' depends almost entirely on whether you can recover without paying. Organizations systematically overestimate their backup reliability at the moment of a ransomware incident.

Ransomware operators spend an average of 11 days in a network before deploying encryption. During that time, they identify and eliminate backup infrastructure. They delete VSS (Volume Shadow Copy Service) snapshots, encrypt backup repositories they can reach, and in many cases exfiltrate data before encryption so they have double-extortion leverage even if you restore successfully.

Answer these questions honestly before concluding you can recover independently.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Step 3: Engage your cyber insurance carrier immediately

If you have cyber insurance, your policy almost certainly has notification requirements with tight timelines — commonly 24 to 72 hours from discovery of a security event. Missing this window can void coverage.

Insurance carriers have established processes for ransomware incidents: they assign a breach coach (a law firm on retainer), an incident response firm, and often a ransomware negotiation specialist. These resources are covered under your policy. Using them is not optional if you want your claim to be paid.

The insurance carrier's ransomware negotiator serves two purposes: they verify the threat actor's decryption capability before any payment is authorized (testing decryptors on sample files), and they negotiate the demand down — typically achieving reductions of 30 to 60 percent from the initial demand through established back-channel relationships.

If you do not have cyber insurance, commercial ransomware negotiation firms (Coveware, GuidePoint Security, Arctic Wolf) offer these services independently and are worth engaging before making any payment. Their negotiation success rates and demand reduction outcomes are materially better than unassisted negotiation.

Step 4: The decision matrix

With legal clearance established, backup state assessed, and insurance engaged, the decision matrix becomes relatively clear.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Step 5: If you proceed with payment

The mechanics of ransomware payment require cryptocurrency (almost always Bitcoin or Monero) and carry their own operational complexity. Organizations that have never purchased cryptocurrency before face a 12 to 48 hour delay establishing accounts and acquiring funds — factoring into any negotiation timeline.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The ransom payment question is not a yes/no binary — it is the output of a checklist that starts with legal clearance, moves through backup reliability, runs through insurance notification, and ends at a decision matrix weighted by your specific operational and financial exposure. Organizations that work through this framework in advance, document a pre-authorized decision process in their incident response plan, and maintain relationships with a cyber insurance carrier and incident response retainer make consistently better decisions than those encountering each question for the first time at 2 AM. The one consistent truth across every ransomware case: paying does not end the threat, and recovering without paying is always the better outcome when your backup state makes it genuinely achievable.

Frequently asked questions

Does the FBI recommend paying ransomware?

The FBI does not recommend paying ransomware demands, stating that payment encourages further attacks and does not guarantee data recovery. However, the FBI also acknowledges that individual organizations must weigh the risks and make their own decisions, and recommends filing a complaint regardless of payment decision. The FBI's IC3 can provide guidance and resources during an active incident.

What is the OFAC risk in paying ransomware?

OFAC (Office of Foreign Assets Control) prohibits payments to sanctioned entities, including several ransomware groups affiliated with sanctioned nations or organizations. Violations carry civil penalties up to $1 million per transaction and potential criminal liability. OFAC has published guidance stating that organizations should conduct due diligence on threat actor identity before any payment, and that voluntary disclosure of potential violations can reduce penalties significantly.

How much can ransomware demands be negotiated down?

Professional ransomware negotiators typically achieve demand reductions of 30 to 60 percent from the initial ask. Success depends on threat actor group (some groups have established negotiation processes, others do not), the victim's demonstrated financial position, and timeline pressure. Negotiation through a professional firm rather than direct organization-to-threat-actor communication consistently produces better outcomes.

What happens if I pay but the decryptor doesn't work?

Working decryptors are delivered in approximately 80 to 85 percent of ransomware cases where payment is made. When decryptors fail or perform poorly, the incident response firm handling the case should escalate directly with the threat actor — most ransomware groups maintain decryptor support because their business model depends on reputation for delivery. If the decryptor is completely non-functional, some cyber insurance policies cover the residual recovery costs.

Sources & references

  1. FBI Ransomware Guidance: Internet Crime Complaint Center
  2. OFAC Advisory on Ransomware Payments
  3. CISA Ransomware Guide
  4. Infrascale 2026 Ransomware Recovery Playbook for SMBs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.