
Should We Pay the Ransom? An Honest Decision Framework for SMB Owners

The honest decision framework. Most ransomware-response guides skirt this question or default to “never pay.” The reality is more complicated. Here's what to actually think about — and the legal exposures most owners don't know exist.

Why this article exists

Almost every cybersecurity vendor will tell you “never pay the ransom.” That's the correct default position — but it's often delivered without the context an owner facing the decision actually needs. The reality is that the payment question is rarely binary. It's a multi-factor decision involving your legal exposure, your insurance coverage, your recovery options, your willingness to absorb downtime, and the specific attacker you're dealing with.

This article is what we'd want a small-business owner to know before they make the call — honest, including the parts other vendors skip.

The four factors that actually matter

1. Will paying actually restore your data?

Recovery rates from paid ransoms cluster around 60–70% by most industry reports. Of those that “recover,” many find the data is partially corrupted, missing recent versions, or takes longer to restore from the decryption tool than from backup anyway. Some attackers provide a working decryption tool but exfiltrate the data separately and extort you a second time. Others vanish after payment.

Before considering payment, your incident response team should attempt to identify the ransomware variant. Some variants have known decryption tools (free, via No More Ransom or law enforcement). Some attacker groups have a reputation for honouring payments; others don't. This isn't guesswork — it's threat intelligence your IR firm should have.

2. Do you have viable recovery without payment?

The decision frame should be: what does recovery look like without paying, and what does it cost in dollars and downtime?

  • Backups that work: If you have offsite, immutable, tested backups, recovery without payment is usually faster than decryption-from-ransom. This is the single largest predictor of which businesses pay.
  • Backups that don't work: Untested backups, backups on the same network the ransomware reached, backups with insufficient retention — all common. If your “backups” can't be restored cleanly, payment becomes more tempting.
  • Rebuild from scratch: Some operations can be rebuilt without backups (re-keying customer relationships, re-creating documents from email and SharePoint history, accepting selective data loss). Slow and painful, but sometimes the right answer.
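A "tested" backup means someone has actually restored it and checked the result, not just that the job reported success. The script below is an added example, not code from the article or from the firm behind it. It assumes backups are tar.gz archives with a sha256 manifest stored alongside them (ideally off the network the archive came from); the sample tree, the garbled restore, and the snapshot dates are constructed for the demo. It goes slightly beyond the bullets above by also checking that the snapshot chain reaches back far enough, since a backup taken after the intruder arrived may already contain damaged files.

```python
"""Backup restore test: prove that what comes out of the archive matches what went in."""
import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root, in sorted order."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(root: Path, archive: Path) -> dict:
    """Write a tar.gz of the tree and return the manifest to keep beside it."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def extract(archive: Path, dest: Path) -> None:
    """Extract into a clean directory; use the 'data' filter where this Python offers it."""
    dest.mkdir(parents=True, exist_ok=True)
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **opts)


def verify_tree(tree: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; list missing and altered files."""
    restored = build_manifest(tree)
    missing = sorted(p for p in manifest if p not in restored)
    altered = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"expected": len(manifest), "restored": len(restored),
            "missing": missing, "altered": altered,
            "ok": not missing and not altered}


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> dict:
    extract(archive, dest)
    return verify_tree(dest, manifest)


def check_retention(snapshot_dates: list, min_days: int, today: date) -> dict:
    """Does the snapshot chain reach back at least min_days? Encryption is usually the
    last step of an intrusion that started weeks earlier, so the newest snapshot alone
    is not enough."""
    oldest = min(snapshot_dates)
    span = (today - oldest).days
    return {"oldest": oldest, "span_days": span, "ok": span >= min_days}


def retention_example() -> dict:
    # Constructed snapshot dates: 29 days of history against a 30-day requirement.
    return check_retention([date(2024, 3, 1), date(2024, 3, 28)], 30, date(2024, 3, 30))


def run_restore_test() -> tuple:
    """Constructed demo: tiny tree, backup, one clean restore, one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "readme.txt").write_text("constructed sample data, not real records\n")
        archive = tmp / "share-backup.tar.gz"
        manifest = create_backup(src, archive)

        good = restore_and_verify(archive, manifest, tmp / "restore-good")

        # Simulate a restore that silently went wrong: one file garbled, one missing.
        bad_dir = tmp / "restore-bad"
        extract(archive, bad_dir)
        (bad_dir / "finance" / "ledger.csv").write_bytes(b"\x00garbled")
        (bad_dir / "readme.txt").unlink()
        bad = verify_tree(bad_dir, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_restore_test()
    print("clean restore ok:", good["ok"])
    print("damaged restore ok:", bad["ok"], "missing:", bad["missing"], "altered:", bad["altered"])
    print("retention:", retention_example())
```

Run it on a schedule against a real archive and a fresh scratch directory, and treat any `missing` or `altered` entry, or a retention span shorter than your policy, as a failed test that gets fixed before the next cycle; a manifest kept only next to the archive on the same share is of little use if that share is what gets encrypted.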

3. What are your legal exposures?

This is the section most ransom-payment discussions skip. Three separate legal exposures attach to the payment decision:

  1. OFAC sanctions liability. The U.S. Treasury's Office of Foreign Assets Control (OFAC) prohibits payments to sanctioned entities, including several known ransomware groups (notably some operating out of Russia, North Korea, and Iran). Paying a sanctioned actor is a strict-liability offense — meaning “we didn't know” isn't a defense. Penalties can be civil ($300k+/violation) or criminal.
  2. Securities and regulatory disclosure. Public companies and some regulated industries must disclose material cyber incidents within set timeframes. Payment doesn't change the disclosure obligation but may affect timing and content.
  3. Tax treatment. Whether the ransom payment is deductible (it often is, as an ordinary business expense) and whether the loss qualifies as a casualty loss varies by jurisdiction. Your CPA needs to know.

Your attorney and IR firm should screen any proposed payment against OFAC's SDN list and known sanctioned ransomware groups before the wire goes out.

4. What does your insurance cover?

A serious cyber-insurance policy typically covers:

  • Ransom payments (with caveats around OFAC screening, often a sub-limit, and almost always requiring carrier pre-approval).
  • Forensic investigation and incident response costs.
  • Business interruption losses.
  • Data restoration and rebuild costs.
  • Notification, credit monitoring, and PR support.
  • Legal defense and regulatory fines (where insurable).

If you have coverage, call the carrier before the IR firm. The carrier's panel of pre-approved IR firms, attorneys, and negotiators will likely be cheaper for you and covered by the policy. Engaging your own team outside the panel often voids coverage.

If you don't have coverage, the ransom payment plus the rest of the costs comes out of operating cash. The median “total cost of a ransomware incident” for SMBs has run well into six figures in recent industry reporting — before any ransom.

The non-negotiable rules

  1. Don't communicate with the attacker directly. Every word they read from you teaches them how to extort better. Use a professional ransomware negotiator (typically engaged through the IR firm).
  2. Don't pay before OFAC screening. Strict-liability exposure.
  3. Don't pay before you've tried recovery. Sometimes a backup that was thought broken can be restored with effort. Sometimes a decryption tool is publicly available.
  4. Don't pay without legal counsel involved. This is not the moment to save lawyer fees.
  5. Don't announce the payment. Marketing recovery as a happy ending invites the next attack.

When paying is the least-bad option

There are scenarios where, after working through the framework above, payment is the least-bad path. Honesty matters here:

  • Critical operational data exists nowhere else and rebuilding is genuinely impossible (rare, but real for some businesses).
  • Regulated patient or client data is being threatened with public release and the data exposure cost exceeds the ransom and the legal/sanctions risk.
  • Business survival depends on returning to operation within a window shorter than recovery would take.
  • The attacker is verified not on the OFAC sanctions list, the IR firm has reasonable confidence the decryptor will work, and the insurance carrier has approved.

Even then, paying should be a last resort — not a first response to remove the inconvenience.

The honest prevention math

The median small business that pays a ransom didn't have tested offsite backups. The investment to fix that is dramatically cheaper than the ransom decision — sometimes by an order of magnitude. Our managed-security plans include immutable backup operation and quarterly restoration testing because the alternative is the conversation this article describes.

A practical position

The right time to think about ransom payment isn't during an incident — it's today. Get cyber insurance with explicit ransom-payment coverage. Get tested backups. Get an IR firm on retainer or named in your incident plan. Then if it happens, the team is in place and you're not making a six-figure decision under panic.

Active incident? Get help now.

We assist with containment, triage, and coordination with your cyber-insurance carrier. Submit the intake and we'll be on a call within an hour.
