View All R&D Articles

Should You Pay For Ransomware? Never — Here’s Why.

April 10, 2024

Ransomware payments reached an estimated $1.1 billion in 2023, per a report from crypto-tracing firm Chainalysis. It’s no wonder that ransomware is a growing threat — and from the victims’ perspective, the temptation to pay is certainly understandable.

But there’s a reason that CISA recommends against paying for ransomware; in fact, there are quite a few reasons. Here’s how ransomware payments put organizations at risk while compelling bad actors to keep attacking targets — and what to do instead. provides an array of expert ransomware recovery resources, including dark web monitoring, data recovery, and penetration (PEN) testing. To learn more, call 1-800-237-4200 or schedule a risk-free evaluation online.

Before paying for ransomware, remember:

1. Paying for ransomware may be illegal.

Ransomware is extortion, and extortion is always illegal for bad actors — but in some cases, victims who pay might also find themselves in legal trouble.

The U.S. Office of Foreign Assets Control (OFAC) notes that payments are illegal when the attacker is a malicious foreign actor on the OFAC Specially Designated Nationals and Blocked Persons List (SDN List) or other relevant lists of blocked persons.

Paying individuals living in sanctioned countries (such as Russia, Cuba, or Iran) or specifically listed organizations may violate the Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). And since most cybercriminals are based in sanctioned countries, that’s a serious concern — paying a ransom could result in fines, and at the very least, many payments must be reported to federal authorities.

Related: Paying a Ransomware Ransom Is (Usually) Illegal

2. Paying for ransomware doesn’t guarantee that you’ll get your data back.

One 2023 study found that among organizations that had opted to pay ransoms, 25% of victims did not recover their data after submitting payments. 

That doesn’t necessarily mean that attackers failed to provide decryption tools — but those tools may not work. Cybercriminals have strong incentives to create effective malware, but they may not spend as much time on decryption tools.

And many ransomware attacks target files that can be compromised by relatively small amounts of corruption. If decryption tools don’t work, victims are out of luck; the cyberattackers aren’t known for their hands-on support.

It’s worth noting that free decryptors are available for certain ransomware variants. Those tools are safe to use, though we recommend working with data recovery professionals to minimize the chances of permanent data loss.

Related: Ransomware Attack Data Recovery: 4 Factors to Consider

3. Paying for ransomware incentivizes cybercrime. 

While there are plenty of practical reasons to refuse payment, the ethical argument is also fairly persuasive: If everyone pays the criminals, extortion will continue to skyrocket.

About 75% of organizations were hit by ransomware in 2023 according to one survey. Cybercrime is a multi-billion dollar industry, and ransomware groups have broadened their focus; over the past year, major healthcare systems, public schools, and utilities have faced major attacks. 

Don’t submit to extortion: Choose a ransomware recovery strategy that doesn’t reward cybercriminals.

Some ransomware variants are essentially uncrackable; they use modern encryption methods that can’t be easily overwhelmed via brute force attacks or other tactics. 

But there’s some good news: Most cybercriminals are fairly sloppy. By identifying attack vectors and researching the methods used for infiltration, security experts can often find solutions (that don’t involve payments). 

We recommend planning your ransomware response as early as possible. CISA advises organizations to:

  • Maintain offline, encrypted backups of critical data. These backups should have multiple restore points (“golden backups” that are kept offline and less prone to infection). Backup strategies should also consider the long dormancy periods of some ransomware variants.
  • Create, maintain and exercise a basic cyber incident response plan. Plans should include notification procedures for data extortion and breach incidents.
  • Implement a zero-trust architecture with robust, granular access control enforcement. can help your enterprise develop a ransomware preparedness strategy — or recover from an attack while minimizing data loss. To learn more, call 1-800-237-4200 and speak with a ransomware specialist.