Should You Pay the Ransom After a Ransomware Attack?
Most victims think yes. The data tells a very different story.
It's two in the morning and every screen in your organization shows the same message: your files have been encrypted, pay within 72 hours or your data will be published. The pressure is immense. Customers can't be served, employees are at a standstill, and someone in the emergency meeting asks: "Can't we just pay?"
The temptation to pay is understandable. It promises a quick exit from a situation that costs money every minute. But the reality is more complex — and often more painful — than attackers want you to believe.
The core question isn't just whether paying is morally right. The question is whether paying actually works. And there's now enough evidence to give a well-founded answer.
Key Takeaways
Only 8% of organizations that pay a ransom recover all their data completely (Huntress, 2026).
69% of payers are attacked again within months — paying makes you a repeat target (Huntress, 2026).
Organizations with an isolated, tested backup never have to make this choice.
What actually happens when you pay
What the data says about data recovery
Ransomware attackers run criminal enterprises. They build reputations so that victims trust that paying will actually lead to decryption. In many cases you do receive a decryption key — but that rarely solves the problem completely.
Research cited by Huntress, based on Mastercard's SMB Cybersecurity Study 2025, shows that nearly one in five SMBs that experienced a cyberattack went bankrupt or closed — including those that paid. Payment doesn't eliminate the damage: downtime, recovery costs, reputational harm, and forensic investigation costs remain.
Moreover, decryption after payment is often slow and incomplete. Attacker-supplied decryptors are typically crude tools: they can skip or corrupt files, leave file and directory structures damaged, and decrypting systems in place rarely takes less time than restoring from a clean backup.
According to research compiled by TechTarget, only 8% of organizations get all their data back after paying a ransom. The rest are missing files, receive corrupted data, or find that the decryption key does not work for everything. Meanwhile, the average ransomware incident costs over $4 million in total damage, separate from any ransom payment (source: IBM Cost of a Data Breach Report 2025).
The assumption that paying equals "problem solved" is one of the most dangerous misconceptions in cybersecurity.
Why paying makes you a repeat target
There's another reason not to pay that rarely gets attention: paying sends a signal. Criminals share information about who pays. Organizations that transfer ransom payments get flagged as willing payers, which makes them more attractive for the next attack.
According to Huntress, 69% of businesses that paid a ransom were attacked again within a short period. Not years later, but often within months. The logic is straightforward: if someone has paid before, they'll probably pay again.
This means paying not only fails to solve the current attack, but actively contributes to the risk of a future one. You're investing in your own vulnerability.
The alternative: restoring from backup
Organizations that have an isolated, immutable backup, a copy that attackers couldn't reach or encrypt, are in a fundamentally different position. They don't have to weigh the options. They can recover without paying, without negotiating, and without depending on a criminal who may not keep their promise.
This isn't theoretical. Sophos data shows that organizations with working backups are significantly more likely to recover without paying a ransom, and their recovery costs are substantially lower. Learn more about what such a backup looks like on our Ransomware Protection page.
When is paying the only option left?
There are situations where organizations feel they have no choice. When no working backup is available, when the backup has also been encrypted, or when data is critical for immediate human welfare — think hospitals — payment can seem like the only way out.
In those cases, the advice from governments in the Netherlands, the EU, and the US is consistent: payment is strongly discouraged but, as a rule, not prohibited for private organizations. There is one important exception: if the group or the wallet receiving the payment is on a sanctions list, paying can itself be illegal (the US Treasury's OFAC has issued explicit advisories on this), which is one reason to obtain legal advice before any transfer. The Dutch Digital Trust Center advises always filing a police report and contacting the NCSC before any payment decision is made.
Paying without reporting increases the chance that the same group goes on to attack others. Filing a report costs nothing and can contribute to identifying and disrupting the group.
Step-by-step: what to do immediately after a ransomware attack
Immediately isolate all affected systems from the network: disable WiFi, unplug network cables, or block them at the switch. Isolate, but do not power off.
Do not restart, wipe, or reimage systems, and hold off on mass password resets until responders have scoped the intrusion: volatile memory, logs, and the ransom note itself are forensic evidence, and an uncoordinated reset can tip off an attacker who still has access.
Contact your national cybersecurity authority (in the Netherlands, the NCSC or the Digital Trust Center).
File a police report.
Determine which backups are available and whether they are clean: verify their integrity against a record made before the attack, and check that the backup store itself was not reachable from the compromised systems.
Engage a specialized incident response firm before making any payment decisions.
Pay only, if at all, after legal and technical advice.
What does the law say about paying ransom?
NIS2 and ransomware: what must affected organizations do?
Organizations subject to the NIS2 directive, and in the Netherlands that is more than many executives realize, have concrete obligations when hit by ransomware. They must report the incident to the relevant supervisory authority or CSIRT, document the impact, and demonstrate that recovery measures have been taken. The directive sets tight deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
Paying without reporting is not an option for NIS2-obligated organizations. The European Commission has made clear that incident reporting is a core obligation under the directive. More information on NIS2: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
How to ensure you never face this choice
The honest message is that facing the question "pay or not" is a sign that preparation fell short. Organizations that invest in a robust backup strategy never have to answer this question.
An effective ransomware backup has three properties. First, it is isolated: not reachable from the production network, so attackers cannot encrypt it. Second, it is immutable: the backup cannot be changed or deleted after writing, even by administrators. Third, it is tested: the recovery process has been periodically executed and the recovery time is known.
Organizations that meet these three criteria rarely pay ransom. They recover — and they do so faster than the average negotiation period of 8 to 10 days in a ransomware payment scenario (source: Cigent — Ransomware Recovery Time). Visit our Backup as a Service page to learn more about what such a solution looks like.
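The "tested" property above, and the "are the backups clean?" step in the checklist, are only meaningful if a restore is actually exercised and its output checked against a record that the attacker could not alter. The script below is an added example written for this article, not code from the page or from any vendor it mentions. It assumes (my assumption, not the page's) that backups are plain files under a directory and that a SHA-256 manifest was written at backup time to an isolated location. It performs a timed restore test: every restored file is hashed against the manifest, missing and altered files are listed, and altered files whose contents look like uniformly random bytes (the signature of a file that was encrypted rather than merely changed) are flagged separately. The `demo()` function builds a constructed scenario in a temporary directory: three files are backed up, then one is overwritten with random bytes and one is deleted, simulating a backup store the attacker reached.

```python
"""Restore test for a file backup set: hash check, tamper flag, and restore timing.

Added example for this article, not from the page or any vendor. Assumes (not
stated on the page) that backups are plain files and that a SHA-256 manifest was
written at backup time to a location ransomware could not reach or rewrite.
"""
import hashlib
import math
import os
import shutil
import tempfile
import time
from collections import Counter

CHUNK = 1 << 16
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted output sits close to 8.0


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (run at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restore_root, manifest, sample_bytes=4096):
    """Restore test: compare every restored file with the manifest and time the run.

    The entropy check runs only on files whose hash already mismatches, because
    legitimately compressed data (archives, images) is also high-entropy.
    """
    start = time.monotonic()
    report = {"missing": [], "corrupted": [], "suspicious_entropy": [], "ok": []}
    for rel, expected in manifest.items():
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if sha256_file(path) != expected:
            report["corrupted"].append(rel)
            with open(path, "rb") as f:
                if shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD:
                    report["suspicious_entropy"].append(rel)
            continue
        report["ok"].append(rel)
    report["elapsed_s"] = time.monotonic() - start
    report["clean"] = not (report["missing"] or report["corrupted"])
    return report


def demo():
    """Constructed scenario: back up three files, then encrypt one and delete one."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "finance"))
        samples = {  # constructed sample data, not real files
            "finance/ledger.csv": b"date,amount\n2025-01-01,100\n" * 200,
            "finance/notes.txt": b"quarterly close checklist\n" * 50,
            "readme.txt": b"company handbook\n" * 30,
        }
        for rel, data in samples.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)  # stored off-network in a real deployment

        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)
        # Simulate a backup the attacker reached: one file encrypted, one wiped.
        with open(os.path.join(restored, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(len(samples["finance/ledger.csv"])))
        os.remove(os.path.join(restored, "readme.txt"))
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for key in ("ok", "missing", "corrupted", "suspicious_entropy"):
        print(f"{key:18}: {result[key]}")
    print(f"clean: {result['clean']}, restore check took {result['elapsed_s']:.3f}s")
```

The point of the manifest is that it lives with the isolated copy, not on the production share: if ransomware can rewrite the manifest alongside the files, the check proves nothing. The elapsed time is the number to record each time the test runs, because a recovery time you have never measured is a guess, not a recovery time.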
Conclusion
The question "should I pay?" has a simple answer if you know the data: paying rarely works, makes you more vulnerable to repeat attacks, and doesn't fix the underlying damage. The real answer to ransomware isn't a payment decision — it's a backup decision you make long before an attack happens.
Organizations with an isolated, tested backup are in a fundamentally stronger position after an attack. They can recover. They don't have to pay. And they don't need to hold a 2 a.m. meeting about a choice that was already made for them.
If you want to know where your organization stands today, a good starting point is to determine which backups are available, when they were last tested, and whether they are unreachable to attackers.