Pay Ransomware or Not: 7 Criteria Before Deciding

Direct answer

Paying a ransomware demand is a critical decision that mixes technical, legal, ethical and financial considerations. In 2026 the technical recommendation is increasingly clear: in most cases, NO. But there are specific scenarios where the analysis changes. This article presents 7 objective criteria.

Why the general recommendation is DO NOT pay

Five technical and legal reasons: (1) variants like BlackCat exit-scammed after receiving payment and delivered an invalid key; (2) OFAC sanctions criminalize payment to sanctioned groups (LockBit, Conti, BlackMatter); (3) cyber insurance from 2024 onward denies coverage for sanctioned variants; (4) paying funds future attacks and marks the company as a payer (the list is passed between operators); (5) payment doesn't guarantee the data won't be leaked: in the Maximus, Shell and PwC cases data was published even after paying.

7 objective criteria before considering paying

  1. Check OFAC status of the variant. LockBit, Conti, BlackCat, EvilCorp are sanctioned. Paying = federal crime in the US and a compliance violation in many countries. Check beforehand.
  2. Assess clean backup availability. Intact immutable backup = no technical justification to pay. Restore is cheaper and more predictable.
  3. Calculate real downtime cost. Cost per hour down × estimated recovery hours. Compare with the demanded amount. In many cases restore is more expensive than paying, but more ethical/legal.
  4. Try a public decryptor first. Operation Cronos (LockBit), Avast (older Akira), Kaspersky (Conti V3), FBI (partial BlackCat). Attempting this before paying is mandatory.
  5. Demand proof of decryption. The operator must decrypt 1 test file before any financial move. Without this proof, payment is a lottery.
  6. Involve cyber insurance BEFORE negotiating. Unauthorized negotiation may void coverage. Some insurers have their own negotiators or authorized partners.
  7. Calculate reputational impact. Paying may leak (e.g., Chainalysis reports track wallets). A paying client is a recurrent target in the next 12-24 months.
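Criterion 2 is the one that can be settled with evidence rather than judgement: a backup only removes the justification to pay if it is provably intact. The script below is an added example, not part of the original article or of any HD Doctor tooling. It assumes the backup set is a directory tree plus a hash manifest of `sha256  relative/path` lines captured when the backup was taken (a common layout; the manifest format is an assumption). It reports files that are missing, files whose hash no longer matches (tampered with or encrypted in place), and files present that were never manifested, and only calls the set restorable when the first two lists are empty. The sample backup it builds is constructed in a temporary directory so the check runs offline.

```python
"""Restore-viability check: verify a backup set against its hash manifest.

Added example (not from the original article). Assumes a backup directory
plus a manifest of "sha256  relative/path" lines taken at backup time.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  relative/path' lines (sha256sum style) into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest.lower()
    return entries


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare every manifested file to disk; also flag files nobody manifested."""
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)          # gone: cannot be restored
            continue
        actual = sha256_file(p)
        # A hash mismatch means the backup copy was altered after the manifest
        # was written, e.g. encrypted in place by the same intrusion.
        (report["ok"] if actual == expected else report["mismatch"]).append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)   # dropped in after the backup
    report["restorable"] = not report["mismatch"] and not report["missing"]
    return report


def build_demo_backup() -> tuple:
    """Constructed sample: three manifested files; at incident time one has
    been overwritten, one deleted, and an unmanifested file has appeared."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    files = {
        "db/customers.sql": b"CREATE TABLE customers (id INT);\n",
        "docs/policy.pdf": b"%PDF-1.4 constructed sample\n",
        "config/app.yaml": b"debug: false\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest_text = "\n".join(
        f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()
    )
    # Simulated damage discovered during the incident (constructed, not real data)
    (root / "docs/policy.pdf").write_bytes(b"\x00constructed garbled bytes\x00")
    (root / "config/app.yaml").unlink()
    (root / "unexpected_note.txt").write_bytes(b"constructed unmanifested file\n")
    return root, parse_manifest(manifest_text)


if __name__ == "__main__":
    backup_root, manifest = build_demo_backup()
    result = verify_backup(backup_root, manifest)
    for key in ("ok", "mismatch", "missing", "unexpected"):
        print(f"{key:10}: {result[key]}")
    print("restorable:", result["restorable"])
```

Run it against a real backup by replacing `build_demo_backup()` with the backup root and its manifest text; a `restorable: False` result, with the mismatch and missing lists showing which files are affected, is the evidence criterion 2 asks for, and it should be produced before any downtime calculation in criterion 3 is started.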

FAQ

How much does a typical ransom cost?

Widely variable. SMB (up to 100 employees): US$ 50K-500K. Mid-size: US$ 500K-5M. Large corp: US$ 5M-50M+. Public records: Change Healthcare US$ 22M (2024), Colonial Pipeline US$ 4.4M (2021).

Can I negotiate to reduce the amount?

Yes, typically 30-60% discount via specialized negotiators. But even reduced amount carries all legal risks.

What if I pay but don't get the key?

It happens. There are documented BlackCat post-exit-scam cases from 2024. Legal recourse is practically null: you paid an anonymous criminal via crypto.

Is there cyber insurance covering ransomware?

Yes, but with growing exclusion clauses. Check policy BEFORE incident. After incident, notifying insurance in first hours is mandatory to keep coverage.

What to do if we decide to pay?

1) Confirm via legal/compliance that the variant is not OFAC-sanctioned. 2) Involve insurance. 3) Use a professional negotiator (Coveware, GroupSense, Arete). 4) Demand test file decryption. 5) Pay in escrow if possible. 6) Continue parallel restoration from backup; a public decryptor is always tried first.

Payment decision pending? Free technical analysis.

Restore viability analysis + public decryptor attempt before any payment decision.