written by DARREN COLEMAN posted on August 23, 2022

Should Ransomware Victims Pay The Ransom?

Is it worth paying the ransom when you get infected with ransomware? That’s for you to decide—but consider the points we lay out below. It feels like a few days go by without another ransomware story in the news.

What used to be just one threat present in the cybercrime landscape has now become the clearest and present danger to modern businesses. Don’t assume we’re exaggerating this for effect—experts estimate that a ransomware attack occurred every 11 seconds in 2021. It’s almost certain that you will be attacked with ransomware at some point and possibly even infected.

ransomware victims pay

What’s The Reality Of Ransomware in 2022?

According to Sophos’ annual State Of Ransomware Report, this popular weapon in use by cybercriminals around the world is only becoming more common:

  • 66% of organizations were hit by ransomware in the last year
  • 65% of attacks resulted in encrypted data
  • 72% experienced an increase in cyber-attacks and related damages

For all these reasons, you can’t assume you’ll never be infected by ransomware. You have to have a plan in place for how you would deal with an attack.

Case in point: should you pay the ransom?

Should You Pay The Ransom?

Experts and authorities say you should not pay the ransom for several reasons…

You May Never Get The Decryption Key

You’re supposed to get a decryption key when you pay a ransomware demand. However, it’s important to remember that in doing so, you’ll be relying on the integrity of criminals.

Many people and organizations have paid the ransom only to receive nothing in return—they’re then out tens or hundreds or thousands of dollars and still have to rebuild their systems from scratch.

While you are at the mercy of criminals, the fact is that you’re very likely to end up losing money without getting your data back.

The Chances Of A Repeat Ransomware Attack Go Up

Don’t overlook that once the criminals know you’re willing to pay, they may demand even more money. If you don’t have the money or refuse to pay, they may delete your files or release them publicly.

Furthermore, they may continue to encrypt your files and hold them for ransom indefinitely. So, even if you pay a ransom, you’re not out of the woods yet. Even if everything goes right and you get the decryption key, the cybercriminals may come back a few months later and start the process again.

You’re Funding Criminal Activity

When it comes to ransomware, the best-case scenario is the worst-case scenario. Paying the ransom may seem easy to regain access to your critical data and resume normal business operations. Still, it only reinforces a dangerous business model that fuels criminal activity.

Because ransomware is often profitable for cybercriminals, they will continue to launch new and more sophisticated attacks to entice victims into paying. By taking this approach, they can stay one step ahead of efforts by government agencies and law enforcement organizations to stop them.

Therefore, if you pay the ransom, you effectively enable these criminals and encourage their bad behavior. However, if businesses band together and refuse to give in to extortion tactics, we can help disrupt this problematic cycle of digital exploitation.

Defending Against Ransomware Means Understanding Ransomware

All of this shows why you probably shouldn’t consider paying the ransom. It’s ultimately your choice, but the cons vastly outweigh the pros.

That’s why you should have a well-developed ransomware defense and response plan in place. That begins with understanding how it works.

In a ransomware attack, an unsuspecting user clicks on a seemingly safe link or an emailed attachment that appears to be a bill or other official document.

Unfortunately for the user, that link/attachment isn’t safe. The user compromises their credentials by clicking it, giving the cybercriminals the login information they need to access the company’s network.

The cybercriminal can then remotely access the target’s IT environment, gain remote control over the user’s computer, and gather intelligence to determine the ideal place and time to attack and infect the systems with ransomware.

How Does Ransomware Infect Your Systems?

There are five primary ways that hackers trick targets into downloading ransomware:


Phishing is a hacking technique that “fishes” for victims by sending them deceptive emails. Phishing attacks are often mass emails that include ransomware as an attachment.


Hackers have found vulnerabilities in many popular, modern browsers like Google Chrome and Mozilla Firefox. They spam users with official-looking pop-ups informing them of an “infection” or “security alert” prompting them to download a file or click a link. That’s where ransomware comes into play. As with so many of these methods, it just comes down to getting the user to interact with malware in some way without knowing it.

Remote Desktop Protocol

RDP is a known infiltration point for cybercriminals, especially for unpatched systems.

3rd-Party Remote

Many cybercriminals are attacking third-party remote-control tools as they know that once they can gain access to a remote control tool, they will have access to several machines that can be infected.

Out Of Date Hardware

Many of the most common malware and viruses used by cybercriminals today are based on exploiting those programming flaws; to address this, developers regularly release software patches and updates to fix those flaws and protect the users.

The Threat Of Ransomware Is Evolving

A few years ago, ransomware wasn’t a big concern.

While high-profile incidents like the WannaCry attack on the NHS were concerning, they were far and few between. If you had a recent backup of your data in place, you could rely on that to replace your data in the event it was encrypted by ransomware.

Since then, however, the way cybercriminals use ransomware has evolved. They have improved their tactics and capabilities, allowing them to do much more damage, and demand much more money. Characteristics of modern ransomware attacks include:

Expanded Timelines

Sophisticated attackers sneak ransomware into a breached network and then lay dormant for weeks or months, ensuring their entry method isn’t discovered immediately.

This gives them time to embed themselves, steal data, and more, all before they activate the ransomware and infect the systems.

Without undertaking extensive forensic processes, an infected business won’t know how far back they need to go to back up their systems. Or, even worse, it will be so far back that they’ve already expunged those backups to make room for more recent versions.

Improved Capabilities

Modern forms of ransomware can even target and infect backup hard drives and cloud-based data if the connections are left unsecured. That’s why cybersecurity professionals are now recommending digitally-air-gapped backups as well.

Given the effectiveness of modern ransomware attacks, defensive methods and best practices from just a few years ago are already losing feasibility. All of this is to say that you can’t assume you won’t be infected at some point.

No matter how strong your defensive capabilities are, ransomware may still get through. That’s why you must plan how to respond to an attack.

What Would Happen If You Were Infected With Ransomware Right Now?

Do you have a plan? Are your system endpoints protected? Are your backups recent, tested, and viable?

It’s easy to assume that you won’t be anytime soon just because you haven’t been hit by ransomware yet. You may think you can put off investing in an effective business continuity plan, but you may get hit without warning.

Don’t assume you’re safe. Take the time to ensure you are, or you may have to pay a ransom.

How To Respond To An Attack

  • Take a photo of the ransom note to ensure you have all the details.
  • Disconnect the infected computer from your network to prevent further infection of other systems.
  • Once the computer has been removed from the network, power down the machine to prevent additional damage.
  • Disconnect storage devices (USB or external hard drives).
  • Isolate and verify your backups right away.
  • Disconnect the machine from any shared drives.
  • Inform your staff of the attack.
  • Contact your cybersecurity professionals—restoring backed-up data and limiting the continued spread of ransomware is a complicated process.
  • Get in touch with your insurance company, local authorities, or the Canadian Centre for Cyber Security.

How To Maintain Continuity

  • Eliminate the ransomware infection from the isolated systems and machines.
  • Using your backups, restore any lost data.
  • If you lack a good backup, inquire with your cybersecurity team or check online for a decryption tool.
  • Pay the ransom if you have no other choice. Keep the following in mind:
    • Paying the ransom can incentivize the cybercriminals to attack you again, which is why the authorities recommend against doing so.
    • Paying the ransom does not guarantee your data will be decrypted.
    • Paying the ransom may violate regulations and result in additional fines.

How To Prevent A Follow-Up Attack

  • Assess the attack and determine how your systems were infected.
  • Remediate any identified vulnerabilities.
  • Ensure your employees know how the attack was executed and how to respond to a threat next time.
  • Implement subsequent cybersecurity awareness training for your entire staff.
  • Deploy an endpoint security solution in addition to your firewall and antivirus solutions.
  • Make sure your systems are kept up to date.
  • Write and follow a business continuity and disaster recovery plan to detail how backups are maintained and tested.

What Is The Real Cost of Ransomware?


This is the most obvious cost, and it just keeps going up. Sophos states 3x as many victims paid ransoms of $1M or more last year. This is up from 4% in 2020 to 11% in 2021. According to Datto, the average ransom requested by hackers is increasing. IT companies report the average requested ransom for SMBs is ~$5,900, up 37%, year-over-year.


As Kaspersky notes, 34% of businesses hit by ransomware take up to a week to regain access to data. In that week, you’re still incurring costs associated with downtime while you and your staff can’t access your data.

That’s a time in which you can’t get work done, can’t serve your clients, can’t gain new business, and still pay your employee wages and ongoing costs to keep the lights on.

Put simply? Lots of expenses with no revenue. 90% of respondents in Sophos’ report said that ransomware affected their ability to operate, and 86% said it cost them money.


Lastly, there’s the cost of damage control. Do you have to hire an IT company to help you out? Do you have to hire a forensic cybersecurity crew to determine how you were attacked? Do you have to pay fines for breaching regulations?

These all get added to the bill for getting hit by ransomware. Just think briefly about what it would be like if you couldn’t access your data. Technology is such a crucial part of business today that you can’t do much of anything without it.

Sophos found that it cost $1.8M to recover from a ransomware attack. The recovery process took up to a month to complete for many infected businesses.

Why Does Ransomware Work?

This may seem like an odd question, but it’s important to consider—if ransomware attacks are this common and generally work the same way every time, why haven’t they become less effective? Because businesses like yours keep letting it happen.

Despite the countless examples of ransomware’s dangers, very few businesses are taking the necessary steps to protect themselves.

According to Datto, 89% of MSPs are “very concerned” about the ransomware threat, and 28% report their SMB clients to feel the same. This lack of concern among businesses makes them such perfect targets for cybercriminals.

What’s The Best Way To Protect Yourself Against Ransomware?

What can you do when you’re unsure if you have the skills or knowledge to get the job done? Consult with cybersecurity professionals like those on the Coleman Technologies team.

The cybersecurity professional’s job is to manage your cybersecurity, simple as that.

Instead of needing an employee or internal team to keep your tech and data secure, you let someone else with the skills and knowledge do it for you:

  • Cybersecurity professionals perform regular vulnerability testing per industry standards to ensure you aren’t dealing with overlooked cybersecurity weaknesses.
  • Cybersecurity professionals help you plan and achieve a secure environment to work in.
  • Cybersecurity professionals provide ongoing service and support for any security-related concerns you may have.

The Good News: Ransomware Defenses Are Becoming More Effective

Don’t worry. It’s not all bad news. Sophos notes that many businesses are becoming more adept at recovering from ransomware attacks.

99% of organizations hit by ransomware in 2021 recovered some encrypted data after the fact.

Between backups and ransom payments, 44% of the organizations considered in Sophis’ study employed various methods to restore their data.

However, don’t assume that paying the ransom will necessarily get your data back—companies that paid received only 61% of their data on average.

Need Expert Assistance With Your Ransomware Defense?

What can you do when you’re unsure if you have the skills or knowledge to get the job done? Consult with cybersecurity professionals like those on the Coleman Technologies team.

Our job is to manage your cybersecurity, simple as that. Instead of needing an employee or internal team to keep your tech and data secure, you let our team do it for you.

Get in touch with our team to start your ransomware defense today.

Watch The Latest Tech Videos From Coleman

Subscribe To Our YouTube Channel

Everything you need to know to protect yourself from Phishing!

Technology Spotlight – The Ransomware Threat