Blog

Ransomware: What Actually Happens When You Pay

When ransomware locks up your systems and your backups have been hit too, paying the demand can start to look like the only way out. Staff are sitting idle, customers are calling, and every hour costs money.

Before you transfer a penny, it’s worth knowing what payment actually buys you. Stay until the end to discover the steps that mean you’ll never have to make that call in the first place.

The Data You Get Back Is Often a Mess

The first myth to break is that paying gets you a clean recovery. It doesn’t. Even when criminals hand over a decryption key, the tool they provide is usually slow and clumsy, and it frequently fails on large or complex file sets. Plenty of firms pay and still spend weeks rebuilding from partial data.

There’s also no guarantee you’ll get anything at all. You’re trusting a criminal to keep their word, and some take the money and vanish. Others decrypt some files but quietly keep a copy of your data to extort you again later. The UK’s National Cyber Security Centre is clear that payment doesn’t guarantee recovery and doesn’t remove the threat.

Paying also marks you out. Once you’ve shown you’ll hand over cash, your details get passed around criminal networks as a soft target. Research from Cybereason found that around 80% of organisations that paid a ransom were hit again, sometimes by the same group using access they never gave up. On average, victims who pay recover only around 61% of their data, and just 4% get all of it back.

The Legal and Insurance Picture Is Murkier Than You Think

A lot of business owners assume their cyber insurance will simply cover the ransom. UK cyber policies often still cover ransom payments in principle, but they sit behind sub-limits, sanctions exclusions, pre-approval clauses and strict conditions on things like MFA, patching cadence and tested backups.

Around 30% of cyber claims end up rejected or only partly paid, often because the controls the policyholder said were in place turn out not to be. Read the small print before an incident, not during one. Gaps like this are exactly what specialist IT security services in the UK tend to surface during a resilience review, ideally long before an attacker forces the question.

Then there’s the law. The NCSC, the ICO and UK law enforcement all advise strongly against paying, and in 2025 the government went further by proposing a ban on ransom payments by public sector bodies and critical national infrastructure, including the NHS, local councils and schools. If the group behind the attack is linked to a sanctioned entity, making a payment could breach UK financial sanctions and land you in serious legal trouble, even if you didn’t know who you were paying.

The ethical side matters too. Every ransom funds the next attack, pays for better tools, and keeps these groups in business. You solve your immediate problem and make the next firm’s problem worse.

How to Avoid the Decision Altogether

The best position to be in is one where paying never crosses your mind, because you can simply restore and carry on. That comes down to preparation, and a few things make the biggest difference:

  • Offline and immutable backups that ransomware can’t reach or overwrite, tested regularly so you know they actually restore
  • Network segmentation so an infection in one area can’t spread freely across your whole estate
  • A written incident response plan that names who does what, so nobody is improvising under pressure
  • Regular staff awareness training, since around 7 in 10 ransomware incidents still start with a phishing email

None of this is glamorous, but it’s what separates a firm that shrugs off an attack from one that’s waiting on a decryption key. Building that resilience takes time and expertise, which is where bringing in a specialist pays off. They’ll test your defences, find the gaps an attacker would use, and help you fix them while there’s no clock ticking.

Build the Kind of Backup That Makes the Demand Irrelevant

Paying a ransom is a gamble with poor odds. You may not get your data back, you may be hit again, and you could be breaking the law without realising it. The money is far better spent on backups, segmentation and a tested recovery plan, so that when an attack lands, your answer to the demand can simply be no.

Related Articles

Back to top button