

Should You Pay a Ransom? The Evolving Landscape of Ransomware Attacks

Imagine this: your business is paralysed. A ransomware attack has locked you out of your systems, and the hackers are demanding payment. Do you pay the ransom to restore access — or refuse and risk prolonged downtime, lost data, and reputational damage?

It’s a nightmare scenario that’s becoming all too common. Ransomware attacks are rising across all sectors, targeting businesses of every size. And when they strike, decision-makers are often caught in an impossible situation: pay the ransom or explore alternative, often slower, recovery options.

But as the ransomware ecosystem grows more sophisticated — and more lucrative — governments around the world are starting to take action. Some countries are even introducing laws that would make it illegal for organisations to pay a ransom at all.

So what does this mean for businesses, insurers, and the wider cyber risk landscape?

The Case for Paying a Ransom

For some organisations, paying the ransom can feel like the fastest way to recover. When every minute of downtime has financial consequences, restoring access to systems and data might seem like the lesser of two evils. In some cases, attackers have kept their word and delivered decryption keys once payment is received.

There’s also the fear of data exposure. Hackers often threaten to leak sensitive information — from customer records to internal documents — unless they’re paid. The reputational fallout from a data leak can be severe, so paying might seem like a way to limit damage.

The Risks of Paying

But paying is never a guarantee. Attackers might take the money and disappear, provide broken, partial or painfully slow decryption tools, or come back with more demands. Where the demand is to suppress a leak, there is no way to verify that stolen data has actually been deleted. Worse still, your business could be flagged as a willing payer, increasing your chances of being targeted again.

There’s also the ethical and legal dimension. Ransom payments fund criminal enterprises, helping hackers scale their operations and target more victims. In effect, paying can perpetuate the cycle of attacks.

Governments are taking notice. Australia and South Africa are among the countries that have proposed or introduced laws restricting ransom payments or requiring them to be reported, and in jurisdictions including the UK and US, paying a group that is under sanctions is already unlawful whether or not a wider ban follows. Both governments have issued strong warnings against paying, and discussions around formal bans are growing louder.

If this trend continues, companies may soon be legally obligated to refuse ransom payments — no matter how severe the attack or how high the stakes. That would mark a significant shift in how ransomware incidents are managed, and could have serious implications for incident response, business continuity, and cyber insurance coverage.

The Case for Refusing to Pay

Refusing to pay is seen by many as the more responsible approach. It avoids funding criminal activity and sends a clear message: this business won’t be intimidated or extorted. It’s a stand that can help to weaken the profitability of ransomware as a tactic.

But it’s not easy. Recovery without a decryption key can be painfully slow and resource-intensive. Businesses that take this route need to have strong cybersecurity foundations in place:

  • Regular backups, with at least one copy kept offline or immutable so the attacker cannot encrypt or delete it, and tested by actually restoring from them rather than only checking that the job ran
  • Comprehensive incident response plans
  • Trained staff
  • Access to external expertise and cyber support

Without these, recovery may be partial at best — and in some cases, impossible.
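The point about tested backups deserves a concrete check, because a backup that was never restored is an assumption, not a recovery plan. The script below is an added example, not code from the original article or its author: it backs up a constructed sample directory into a tar archive, records a SHA-256 manifest of every file, then proves the archive can be restored by extracting it into a scratch directory and comparing each restored file against the manifest. It also shows what the same test reports when the backup file itself has been overwritten, which is what happens when ransomware reaches backups that were left online and writable. File names, directory layout and the sample contents are all invented for the demonstration.

```python
"""
Backup restore test with a SHA-256 manifest.

Added example (not the article's code): back up a constructed sample tree,
record a manifest of file hashes, then prove the archive restores cleanly by
extracting it to a scratch directory and comparing every file to the manifest.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative_path: sha256}.

    The manifest must be stored where the attacker cannot reach it (with the
    offline copy, for instance), otherwise it can be rewritten along with
    the data it is meant to protect.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(str(file), arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore `archive` into a scratch directory and check it against `manifest`.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch_name:
        scratch = Path(scratch_name)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():
                    # Refuse members that would escape the scratch directory.
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        return [f"unsafe path in archive: {m.name}"]
                # Use the 'data' extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            # A truncated, corrupted or encrypted archive lands here.
            return [f"archive unreadable: {exc.__class__.__name__}: {exc}"]

        for rel, expected in manifest.items():
            restored = scratch / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a small file share."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (root / "hr").mkdir()
    (root / "hr" / "staff.txt").write_text("alice\nbob\n")


def run_restore_test(corrupt_backup: bool = False) -> list:
    """End to end: back up the sample tree, optionally clobber the archive, verify."""
    with tempfile.TemporaryDirectory() as work_name:
        work = Path(work_name)
        source = work / "share"
        build_sample_tree(source)
        archive = work / "share.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt_backup:
            # Simulate ransomware overwriting an online backup with ciphertext.
            archive.write_bytes(os.urandom(archive.stat().st_size))
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("healthy backup:", run_restore_test() or "restore test passed")
    print("clobbered backup:", run_restore_test(corrupt_backup=True))
```

In practice the manifest would be written at backup time and the restore test scheduled against the offline or immutable copy, not the copy sitting on the same network as the production share; a test that only ever reads the online copy tells you nothing about whether you can recover once that copy has been encrypted.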

What This Means for Insurers and Their Clients

As more countries introduce regulations against ransom payments, businesses will need to shift their focus toward proactive risk management and resilience. Insurers, brokers, and MGAs will play a key role in helping clients prepare for this shift.

Embedded cyber services like vulnerability scanning, breach detection, and multilingual cyber helplines will become more critical than ever. Rather than relying on reactive models and claims, insurers can support clients in reducing risk upfront — and recovering faster when attacks occur.

There’s no one-size-fits-all answer when it comes to paying ransoms. Each incident is unique, and the decision often lies at the intersection of risk, regulation, and ethics. But the global direction is clear: the era of “pay and recover” may soon be over.

The best defence is preparation. By investing in cyber resilience now — through tools, training, and partnerships — businesses can protect themselves, reduce their reliance on ransom payments, and avoid facing this impossible decision in the first place.