Ransomware: Pay or Don’t Pay? A Guideline for Ethical Decision-Making

In February 2021, CD Projekt Red revealed that it had been the victim of a ransomware attack. The company made no ransom payment, stating that critical personal data wasn't at risk. In May 2021, Colonial Pipeline suffered a ransomware attack that took 5,500 miles of pipeline offline and disrupted nearly half of the East Coast's fuel supply. Less than 72 hours into the attack, Colonial Pipeline paid roughly $4.4 million (75 bitcoin) to restore its services. These two incidents illustrate the two sides of the ransomware payment debate.

While the FBI clearly states that it does not support companies paying the ransom, the decision is rarely simple. Each ransomware attack is unique, with many factors to weigh, which makes the choice to pay or not pay a daunting one.

This article explores the ethical dilemma, the factors to consider, the alternatives to paying and the preventive measures that mitigate the effects of a ransomware attack. The aim is to present the facts, information and strategies you need to respond quickly when the decision lands on your desk.

The Ethical Dilemma: To Pay or Not to Pay?

Chainalysis research published in 2023 found that ransomware payments in 2022 dropped by roughly 40% from the previous year, a decline it attributed largely to more victims refusing to pay. Although this is an encouraging sign for defensive strategies, it does not mean ransomware attacks are a thing of the past, and it does not settle the debate about whether to pay a ransom or to decline and face the consequences.

Many experts argue that paying the ransom only perpetuates the cycle: it funds the next campaign and signals that the victim is willing to pay.

Etay Maor, an adjunct professor at Boston College, says, "It's an enormous mistake to think that paying ransomware demands will solve anything. The initial payment is only for the start of things."

Similarly, government security agencies advise against paying ransoms, warning that the money funds further criminal activity and may end up with sanctioned entities. Countries including the United States and Australia have recently considered banning ransomware payments outright, although some experts warn that a ban alone doesn't solve the problem and have proposed other options. Unfortunately, these positions rarely address the many factors that actually drive the decision inside an affected organisation.

The decision to pay or not depends on factors such as the relevance of the affected data, the cost of paying versus not paying, and the organisation's ethical and legal standing, among others. We explore these factors in the next section.

Considerations Before Making a Decision

Regardless of your industry or size, paying a ransom to attackers requires careful consideration. Stakeholders must weigh the severity of the attack against the legal and financial implications of paying.

Assessing the Severity of the Attack

Immediately after you receive a ransom demand, the first step is to establish the scope of the incident. A thorough forensic analysis of what was actually compromised will guide your decision. Some questions to ask include:

Is the threat real?

There have been cases where threat actors claimed a ransomware attack without ever touching the company's network, or without actually exfiltrating the data they threaten to leak. Before starting any negotiation, run a complete analysis of the affected systems: confirm that files are genuinely encrypted rather than merely renamed, identify any malicious code, and look for evidence of data leaving the network.
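One quick triage check a responder can run when confirming whether files really are encrypted is to measure their byte entropy: ransomware output looks like random data (close to 8 bits per byte), while ordinary documents do not. The script below is an added example, not part of the original article or CyberClan's tooling; it samples the first 64 KiB of each file under a directory, flags high-entropy files, and uses a small hypothetical table of magic bytes to avoid false positives on formats that are compressed by design (zip, gzip, PNG, JPEG, PDF). The threshold and the constructed sample files are assumptions for illustration.

```python
from __future__ import annotations

import gzip
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical threshold in bits per byte (maximum is 8.0). Tune it against
# a baseline of your own file shares before relying on it.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024

# Formats that are legitimately high-entropy because they are compressed.
# Small illustrative table; extend it for your environment.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(head: bytes) -> str | None:
    """Return the format name if the header matches a known compressed type."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage_file(path: Path) -> dict:
    """Classify one file as ok / known-compressed / suspicious."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    fmt = known_format(head[:8])
    ent = shannon_entropy(head)
    if ent < ENTROPY_THRESHOLD:
        verdict = "ok"
    elif fmt is not None:
        verdict = "known-compressed"  # high entropy explained by the format
    else:
        verdict = "suspicious"  # random-looking and no known header
    return {"path": str(path), "entropy": round(ent, 2), "format": fmt, "verdict": verdict}


def triage_tree(root: Path) -> list[dict]:
    """Triage every regular file below root."""
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_constructed_sample(root: Path) -> None:
    """Constructed test data: a plain document, a 'locked' file of random
    bytes standing in for ransomware output, and a legitimate gzip archive."""
    (root / "report.txt").write_text("Quarterly figures: revenue up 4%.\n" * 200)
    (root / "ledger.xlsx.locked").write_bytes(os.urandom(32 * 1024))
    with gzip.open(root / "archive.gz", "wb") as gz:
        gz.write(os.urandom(32 * 1024))


def run_demo() -> dict[str, str]:
    """Build the sample tree, triage it and return {filename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        results = triage_tree(root)
        for r in results:
            print(f"{r['verdict']:16} {r['entropy']:5.2f}  {r['format'] or '-':10} {Path(r['path']).name}")
        return {Path(r["path"]).name: r["verdict"] for r in results}


if __name__ == "__main__":
    run_demo()
```

Run it against a real share by replacing `build_constructed_sample` with the path you want to inspect. A cluster of "suspicious" verdicts on files with a new, uniform extension is strong evidence the encryption is real; a lone high-entropy file is usually just a compressed format the table does not list yet.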

What happens if you pay?

Most modern ransomware operations use double extortion: the attackers encrypt your data and also exfiltrate a copy, then threaten to publish it. Paying for a decryptor does not guarantee the stolen copy is deleted, and a victim known to pay is a more attractive target for follow-up demands. It's essential to research the attacker's history and methods before assuming a payment ends the matter.

What happens if you don’t pay?

If non-essential information has been encrypted and the attackers threaten to publish it, you may suffer fewer losses by refusing to pay. However, if the data is personally identifiable information (PII), you may face regulatory action and class action lawsuits if it ends up on the dark web.

What is the impact on Business Operations?

How does each choice affect the business? Can it function without the encrypted files, or can you restore essential information from a backup in the meantime? Having adequate backups and a data retention policy in place before an incident makes it far easier to answer these questions, to judge the impact on operations and to decide the next steps.

Data Sensitivity and Privacy

Core operational data that systems depend on to function, personal data and other sensitive records carry high importance to a business. If the encrypted data falls into these categories, you may find yourself settling, as Colonial Pipeline did.

Legal and Regulatory Factors

In some jurisdictions, paying attackers to restore data after a ransomware attack is illegal or attracts varying degrees of sanctions, for example where the recipient is a sanctioned entity. It is essential to consider your legal liability before making a decision. The FBI states categorically that it does not support paying attackers. It is strongly advised that you engage a professional firm to assess the incident and determine the post-breach remediation services you need. Lastly, consider the legal consequences of refusing to pay. If your customers' data is exposed, you may face regulatory sanctions and lawsuits; there have been cases where customers sued businesses after a ransomware attack, resulting in out-of-court settlements of up to $63 million, which adds further financial strain.

Financial Implications

On 7 May 2019, the City of Baltimore in Maryland was hit by a ransomware attack that took down many of its online services. The attackers shut down a large number of the city's servers and demanded a ransom of 13 bitcoin (roughly $76,000 at the time). Instead of paying, Baltimore spent over $18 million rebuilding its infrastructure. In December 2019, the City of New Orleans responded to a ransomware attack with a complete shutdown of its systems and then recovered its data without paying the ransom. That decision cost roughly $7.2 million, of which a cybersecurity insurance policy covered about $3 million. Most companies do not have the luxury of such coverage, and the cost of recovering without paying can exceed the demand itself. It is therefore important to measure your financial strength and available support against the demand before deciding.

Alternatives to Paying Ransom

There are alternatives companies can consider before paying ransomware demands.

  • Restore data from isolated (offline or immutable) backups created before the attack. This can help mitigate downtime and keep you operational; verify that the backup predates the intrusion and was not itself encrypted before restoring from it.
  • Try to decrypt the data using free decryptors published by cybersecurity firms and law enforcement, for example through the No More Ransom project, where the ransomware family has a known weakness.
  • Hire a cybersecurity firm specialising in ransomware incidents to help recover your data and contain the intrusion.

Partner with CyberClan To Create a Cybersecurity Plan

Ransomware attacks often come without warning signs, and the results leave businesses battling financial, reputational and legal damage. You can prepare, however, by creating an incident response and post-remediation plan, so that you can navigate an attack with minimal losses. At CyberClan, we create tailored incident response and post-breach remediation plans to help you navigate ransomware attacks. Contact us today to secure your business and mitigate cyberattacks with professional cybersecurity measures.

Under Attack? Guaranteed 15 minute response time.

1 800 762 3290

0800 368 8731