Should You Pay a Ransomware Attack? 

April 14, 2023

Ransomware continues to disrupt public organizations, businesses, and private computer users, and the trend isn’t showing signs of stopping. Over the past several years, malicious actors have attacked thousands of targets, and by one estimate, ransomware was involved in 25% of all data breaches in 2022.

Most ransomware variants work by encrypting data after infiltrating a system through one or more attack vectors. Common vectors include email phishing campaigns and exploitation of vulnerabilities in software.

When data is encrypted, the victim is presented with a message: Pay the ransom with cryptocurrency or face permanent data loss.

While ransomware is a serious threat, we strongly discourage paying the ransom. Here’s why.

In many instances, paying for ransomware is illegal.

Many ransomware attacks are performed by groups based in North Korea, Russia, or Iran — countries that are under sanctions. According to the U.S. Office of Foreign Assets Control (OFAC), paying for ransomware may violate those sanctions.

OFAC can assess civil penalties for organizations that pay bad actors in sanctioned countries. Fines are often issued publicly — which certainly isn’t ideal for publicly traded organizations.

While some attackers are not based in sanctioned countries, victims rarely have the information they need to make an informed decision; most attackers won’t proudly declare their identities. And according to OFAC, the victim may be subject to fines regardless of whether they know their attacker’s identity.

Paying for ransomware does not guarantee decryption.

It’s true that most ransomware attackers will provide decryption keys after receiving payment. However, that’s not always the case; once the attacker has your funds, they have no reason to restore your data (other than improving the success rate of future attacks).

Many attackers also engage in “double extortion,” in which they retain stolen data after providing the necessary tools for decryption. The attackers can then resell the data on the dark web or provide it to other bad actors, heightening the potential for future attacks.

Many ransomware variants can be decrypted without payment.

While some ransomware variants are remarkably sophisticated, others have known vulnerabilities. 

For example, LockBit, a popular ransomware-as-a-service (RaaS) tool, has known vulnerabilities identified by Datarecovery.com. Our research and development department works to find solutions for new variants as they spread — and in most cases, ransomware infections can be mitigated. 

Data recovery is likely, though the chances of recovery depend on the construction of the variant, the nature of the data, and numerous other factors. 

Work with the industry’s leading ransomware recovery experts.

Ultimately, paying for ransomware doesn’t make sense. Setting aside the potential legal issues, the goal of disaster recovery is to restore the infected system as quickly and completely as possible. Paying the ransom does not mitigate future attacks or provide any guarantee for data restoration. 

If you’ve encountered data loss due to a ransomware infection, we’re here to help. Datarecovery.com operates four full-service laboratories, and our engineers can help you secure key systems while restoring data to an operable state.

To get started, call 1-800-237-4200 to speak with an expert or set up a case online.