Ransomware Resilience: What Happens When You Pay the Ransom?
Research shows ransom payments are declining, but experts say this might not reflect reality. As regulation considers a ban on payments to criminals, what happens when you don’t have a choice – and how can you avoid this sticky situation?
Ransom payments are declining. Verizon’s latest Data Breach Investigations Report shows 69% of ransomware victims chose not to pay, while median payments have fallen year on year to $139,875. It comes as the malware is present in 48% of breaches – up from 44% in 2025.
It’s not surprising, given the global trend towards banning ransomware payments, a measure that is being considered alongside the UK Cyber Security and Resilience Bill for critical infrastructure and public sector organisations.
But some surveys suggest the official numbers do not reflect the reality of defending against crippling attacks at a time when downtime is often not an option. Over half of cybersecurity leaders would consider paying the ransom, if it was needed to restore systems, according to a report by Absolute Security.
The fact that more than half of security leaders would consider paying a ransom highlights a dangerous reality: too many organisations still view payment as a viable recovery option, says Mike Beevor, CTO at Principle Networks.
They shouldn't, he says. “Paying a ransom is not a cybersecurity strategy. It doesn't guarantee systems will be restored, or that stolen data won't be leaked – and it certainly doesn't guarantee attackers won't come back for a second attempt. The rise of double-extortion attacks has made this even clearer. Criminal groups increasingly steal data before encrypting it, meaning organisations can pay and still face data exposure, regulatory scrutiny and reputational damage.”
Who Pays
The ideal situation is not paying, but in reality, there is sometimes no choice.
It’s important to take into consideration that many published global stats tend to be lower because many cases “do not see the light of day,” according to Yonatan Lipschitz, director of client leadership, EMEA at Sygnia.
He says on average, it’s possible that when a ransom is demanded, up to 85% of companies will make the payment. This includes firms that have made a payment to retrieve a decryption key, or where the client would just like to remain operational and have the issue “go away” to prevent any reputational damage, he explains.
Organisations will pay “when they are at the end of their tether,” says Jake Moore, global cybersecurity advisor at ESET. “Maybe they hadn’t put the right security measures in place or didn’t have sufficient backups, leaving them no other option if they want to recover data or prevent it from being released and exposing their customers or employees.”
For some victims, paying can simply be more cost effective than rebuilding systems from scratch, says Moore. “But we’ve seen businesses that would rather take the high road and rebuild their systems from the ground up instead of funding more cybercriminal activity.”
It’s not difficult to understand why many organisations would consider paying a ransom when faced with the reality of critical systems being offline, agrees Mansel Thewlis, director of military programmes and national resilience at CybExer. “The pressure to restore operations quickly can make it feel like the least damaging option.”
Paying a ransom is “rarely the result of strategic planning,” says Ashish Khanna, senior director, Verizon Global Security Solutions. “It is a decision made under intense pressure, when operations have stalled and critical data is at risk. In those moments, payment can appear to be the fastest route to recovery.”
The UK government has been signalling an intent to restrict payments for some time. The Cyber Security and Resilience Bill, currently making its way through Parliament, introduces mandatory 72-hour ransomware reporting obligations and requires organisations intending to pay to first consult government to check for sanctions or terrorism-financing conflicts.
A full ban on payments by public sector bodies and critical national infrastructure operators, which was originally trailed as part of the bill, was not included in the King’s Speech.
But the debate hasn’t gone away, points out Thewlis. “The government is continuing to consult on payment restrictions separately, and further measures could follow.”
Effective Payment
Just a few years ago, paying was much more effective, according to Moore. “Threat actors would share a decryption key after receiving the funds and that would normally be the end of it.”
But, as double extortion attacks have grown, the “shaky trust” that ransomware gangs had built with victims has broken down, says Moore. “Payments are not so final, and there’s no guarantee that data won’t be posted after the money has changed hands.”
If stolen data is posted on the dark web after payment – it’s the worst of both worlds for a business, says Moore. “Not only have they taken a first financial hit, but valuable IP can be exposed, or customers and employees are put at risk of targeted phishing scams.”
Moore cites the example of HSE, the Irish health service, which was hit by a devastating attack in 2021 that knocked systems offline. “It didn’t pay the ransom – but even when the hackers gifted them the decryption tool, the cost of the attack has been estimated at €51 million and the HSE is in the process of offering compensation to victims, which could total a further €100 million.”
Binary regulations that ban payments “outright risk doing even more damage to businesses” – especially if the penalty costs are higher than the ransom, Moore says. “No one wants to put businesses in a position where the only options are to pay the ransom or go out of business, risking people’s livelihoods and causing even more disruption.”
Ransomware Resilience
The regulatory pathway for ransomware is towards banning payments, or at least making them difficult for companies. Most cybersecurity legislation is pushing for resilience, which aims to prevent the need to pay in the first place.
The focus needs to “move decisively towards resilience and deterrence,” says Thewlis. “This means hardening technical defences, reducing attack surface, ensuring robust backup and recovery capabilities, and prioritising protection of critical 'crown jewel' systems.”
It also requires building a security culture where people understand the role they play, beyond just training, he says. He advises creating “clear processes, good tooling, and an environment where reporting concerns is the norm.”
Right now, organisations should be doing everything possible to avoid ever having to consider paying a ransom, says Lauren Wilson, field CTO and strategic advisor EMEA, Splunk. “Effective response and recovery plans, secure backups and regular testing all help remove the leverage that ransomware operators rely on.”
Wilson advises preparing in “peacetime.” “Organisations should look to decide their position on paying these demands before an attack occurs. A ransomware policy provides a framework for decision-making when emotions are high and time is limited. If an organisation has already discussed and rationalised its moral, ethical and commercial position, leaders are less likely to make reactive decisions in the middle of a crisis.”
Simulate ransomware attacks before you’re hit by the real thing, advises Moore. “Get a red team in, make sure everyone on the board experiences what it’s like to be hit by ransomware and sees the potential damage.”
Then, it’s about getting the basics right, he says. For example, patching regularly, mandating the use of multi-factor authentication and carrying out staff training.
If an organisation chooses to pay, it needs to fully understand the implications, including whether the payment could violate regulations in its market, how it may affect customer trust and brand reputation if the news gets out, and whether it could invalidate existing cyber insurance coverage, says Lipschitz. “Regardless of whether the organisation chooses to pay or not, they must still remove the attacker’s presence from the network and implement measures to prevent similar incidents from occurring in the future. This means getting back to defence basics and getting them right by removing any complexity. The simpler the systems are, the more resilient and easier to protect.”
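The experts above keep returning to the same lever: backups that are current, intact and out of the attacker’s reach, verified by regular testing rather than assumed. The following script is an added example, not code from the article or from any of the vendors quoted in it. It models a small, constructed inventory of backup sets and runs the three checks a restore drill would surface: whether the newest copy is older than the recovery point objective (RPO), whether every file still matches its recorded SHA-256 digest, and whether the copy is immutable or offline rather than writable from the production network. All names, file contents and timestamps are invented for the illustration.

```python
"""Backup readiness check (added example, not from the article).

Constructed scenario: each backup set records when it completed, whether the
copy is immutable/offline, a manifest of expected SHA-256 digests, and the
bytes actually retrievable from it. A set is only "restorable" if it is
inside the RPO, immutable, and every manifest entry is present and intact.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List
import hashlib


@dataclass
class BackupSet:
    name: str
    completed_at: datetime
    immutable: bool                  # write-once or offline copy
    manifest: Dict[str, str]         # path -> expected SHA-256 hex digest
    stored: Dict[str, bytes]         # path -> bytes actually retrievable


@dataclass
class CheckResult:
    name: str
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backup(bs: BackupSet, now: datetime, rpo: timedelta) -> CheckResult:
    """Flag a backup set that a restore test would reject."""
    result = CheckResult(bs.name)
    age = now - bs.completed_at
    if age > rpo:
        result.problems.append(f"stale: last completed {age} ago, RPO is {rpo}")
    if not bs.immutable:
        result.problems.append("mutable: copy is writable from production network")
    for path, expected in bs.manifest.items():
        data = bs.stored.get(path)
        if data is None:
            result.problems.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            result.problems.append(f"corrupt: {path}")
    return result


def run_checks(sets: List[BackupSet], now: datetime, rpo: timedelta) -> List[CheckResult]:
    return [check_backup(b, now, rpo) for b in sets]


def restorable(results: List[CheckResult]) -> List[str]:
    """Names of the backup sets with no problems."""
    return [r.name for r in results if r.ok]


# Constructed sample inventory (hypothetical names and contents).
NOW = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
_payroll = b"employee,salary\nalice,1000\n"
_crm = b"customer,email\nbob,bob@example.invalid\n"

SAMPLE_SETS = [
    # Good: recent, immutable, digests match.
    BackupSet("nightly-immutable", NOW - timedelta(hours=6), True,
              {"payroll.csv": sha256_hex(_payroll), "crm.csv": sha256_hex(_crm)},
              {"payroll.csv": _payroll, "crm.csv": _crm}),
    # Recent and intact, but a writable share an intruder could encrypt too.
    BackupSet("nas-share", NOW - timedelta(hours=6), False,
              {"payroll.csv": sha256_hex(_payroll)},
              {"payroll.csv": _payroll}),
    # Immutable but nine days old, and the stored copy is truncated.
    BackupSet("weekly-tape", NOW - timedelta(days=9), True,
              {"crm.csv": sha256_hex(_crm)},
              {"crm.csv": _crm[:-5]}),
]

if __name__ == "__main__":
    for r in run_checks(SAMPLE_SETS, NOW, RPO):
        status = "OK" if r.ok else "FAIL"
        print(f"{r.name}: {status}")
        for p in r.problems:
            print(f"  - {p}")
    print("restorable:", restorable(run_checks(SAMPLE_SETS, NOW, RPO)))
```

Run against the constructed inventory, only `nightly-immutable` passes; `nas-share` fails for being writable from production and `weekly-tape` fails for being both stale and corrupt. The manifest digests are the part worth protecting in practice: if the attacker can rewrite both the backup and the record of what it should hash to, the check proves nothing, which is why the manifest belongs with the immutable copy.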