
Should You Pay the Ransom After a Ransomware Attack?

Most victims think yes. The data tells a very different story.

It's two in the morning and every screen in your organization shows the same message: your files have been encrypted, pay within 72 hours or your data will be published. The pressure is immense. Customers can't be served, employees are at a standstill, and someone in the emergency meeting asks: "Can't we just pay?"
The temptation to pay is understandable. It promises a quick exit from a situation that costs money every minute. But the reality is more complex — and often more painful — than attackers want you to believe.
The core question isn't just whether paying is morally right. The question is whether paying actually works. And there's now enough evidence to give a well-founded answer.

Key Takeaways:
• Only 8% of organizations that pay a ransom recover all their data completely (Huntress, 2026).
• 69% of payers are attacked again within months — paying makes you a repeat target (Huntress, 2026).
• Organizations with an isolated, tested backup never have to make this choice.

What actually happens when you pay

Ransomware attackers run criminal enterprises. They build reputations so that victims trust that paying will actually lead to decryption. In many cases you do receive a decryption key — but that rarely solves the problem completely.
Research cited by Huntress, based on Mastercard's SMB Cybersecurity Study 2025, shows that nearly one in five SMBs that experienced a cyberattack went bankrupt or closed — including those that paid. Payment doesn't eliminate the damage: downtime, recovery costs, reputational harm, and forensic investigation costs remain.
Moreover, decryption after payment is often technically slow and incomplete. Encrypted files are not always fully restored, file structures can be corrupted, and restarting systems from an encrypted state rarely takes less time than restoring from a clean backup.

What the data says about data recovery
According to research compiled by TechTarget, only 8% of organizations get all their data back fully after paying a ransom. The rest miss files, receive corrupted data back, or find that the decryption key doesn't work completely. Meanwhile, the average ransomware incident costs over $4 million in total damage even including the ransom payment (source: IBM Cost of a Data Breach Report 2025).
The assumption that paying equals "problem solved" is one of the most dangerous misconceptions in cybersecurity.

Why paying makes you a repeat target

There's another reason not to pay that rarely gets attention: paying sends a signal. Criminals share information about who pays. Organizations that transfer ransom payments get flagged as willing payers — which makes them more attractive for the next attack.
According to Huntress, 69% of businesses that paid a ransom were attacked again within a short period. Not years later — often within months. The logic is straightforward: if someone has paid before, they'll probably pay again.
This means paying not only fails to solve the current attack, but actively contributes to the risk of a future one. You're investing in your own vulnerability.

The alternative: restoring from backup
Organizations that have an isolated, immutable backup — a copy that attackers couldn't reach or encrypt — are in a fundamentally different position. They don't have to weigh the options. They can recover without paying, without negotiating, and without depending on a criminal who may not keep their promise.
This isn't theoretical. Sophos data shows that organizations with working backups significantly more often recover without paying ransom — and their recovery costs are substantially lower. Learn more about what such a backup looks like on our Ransomware Protection page.

When is paying the only option left?

There are situations where organizations feel they have no choice. When no working backup is available, when the backup has also been encrypted, or when data is critical for immediate human welfare — think hospitals — payment can seem like the only way out.

In those cases, the advice from governments in the Netherlands, the EU, and the US is consistent: payment is strongly discouraged but not prohibited for private organizations. The Dutch Digital Trust Center advises always filing a police report and contacting the NCSC before any payment decision is made.

Paying without reporting increases the chance that the same group can attack others. Filing a report costs nothing and can contribute to identifying the group.

Step-by-step: what to do immediately after a ransomware attack

1. Immediately isolate all affected systems from the network — disable WiFi, unplug network cables.
2. Do not change passwords or restart systems — this can destroy forensic evidence.
3. Contact your national cybersecurity authority.
4. File a police report.
5. Determine which backups are available and whether they are clean (not infected).
6. Engage a specialized incident response firm before making any payment decisions.
7. Pay only — if at all — after legal and technical advice.

What does the law say about paying ransom?

In the Netherlands, paying a ransomware ransom is not per se illegal, but there are important exceptions. If the attackers are on a sanctions list — for example as a terrorist organization or under EU sanctions — payment may be a criminal offense.
Additionally, organizations under GDPR and NIS2 have reporting obligations. A ransomware attack involving personal data exposure must be reported to the supervisory authority within 72 hours. Paying doesn't eliminate this reporting obligation. You are still required to report even if you recover the data.
Learn more about data security compliance obligations on our Data Security page.

NIS2 and ransomware: what must affected organizations do?
Organizations subject to the NIS2 directive — and in the Netherlands that is more than many executives realize — have concrete obligations when hit by ransomware. They must report the incident to the relevant supervisory authority, document the impact, and demonstrate that recovery measures have been taken.
Paying without reporting is not an option for NIS2-obligated organizations. The European Commission has made clear that incident reporting is a core obligation under the directive. More information on NIS2.

How to ensure you never face this choice

The honest message is that facing the question "pay or not" is a sign that preparation fell short. Organizations that invest in a robust backup strategy never have to answer this question.

An effective ransomware backup has three properties. First, it is isolated: not reachable from the production network, so attackers cannot encrypt it. Second, it is immutable: the backup cannot be changed or deleted after writing, even by administrators. Third, it is tested: the recovery process has been periodically executed and the recovery time is known.
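As an added example (not code from the original article), a restore drill that exercises the second and third properties against a constructed in-memory backup manifest: it checks that each copy's retention lock has not expired, reads each object back and compares its hash, and measures the restore time against a recovery-time target. Isolation is a network property that this drill cannot prove and leaves to a separate check; the manifest fields and the in-memory store are assumptions.

```python
"""Backup restore drill covering the 'immutable' and 'tested' properties.
Added example, not code from the original article; the manifest fields and the
in-memory 'restore' are assumptions standing in for a real backup store."""
import hashlib
import time
from dataclasses import dataclass

@dataclass
class BackupEntry:
    name: str
    sha256: str                  # hash recorded when the backup was written
    retention_lock_until: float  # epoch seconds; WORM/object-lock expiry
    payload: bytes               # stored object (constructed, in-memory)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def restore_drill(entries, now, rto_seconds):
    """Restore every entry, verify it, and time the whole run.
    Returns the names failing each check plus whether the RTO target was met."""
    findings = {"lock_expired": [], "corrupt": []}
    start = time.monotonic()
    for e in entries:
        # Immutable: an expired lock means an administrator (or an attacker
        # holding admin credentials) could now delete or overwrite this copy.
        if e.retention_lock_until <= now:
            findings["lock_expired"].append(e.name)
        # Tested: read the object back and compare against the recorded hash
        # instead of trusting that the backup job reported success.
        if sha256_hex(e.payload) != e.sha256:
            findings["corrupt"].append(e.name)
    findings["restore_seconds"] = time.monotonic() - start
    findings["rto_met"] = findings["restore_seconds"] <= rto_seconds
    return findings

def drill_passes(findings) -> bool:
    return not findings["lock_expired"] and not findings["corrupt"] and findings["rto_met"]

# Constructed sample manifest: one healthy copy, one whose lock has already
# expired, and one whose stored bytes no longer match the recorded hash.
NOW = 1_700_000_000.0
SAMPLE = [
    BackupEntry("db.dump", sha256_hex(b"customers:1,2,3"), NOW + 30 * 86400, b"customers:1,2,3"),
    BackupEntry("files.tar", sha256_hex(b"archive"), NOW - 10, b"archive"),
    BackupEntry("config.json", sha256_hex(b'{"a":1}'), NOW + 86400, b'{"a":2}'),
]

if __name__ == "__main__":
    result = restore_drill(SAMPLE, NOW, rto_seconds=3600)
    print(result, "PASS" if drill_passes(result) else "FAIL")
```

Run periodically against the real backup store, the drill's recorded restore time is the "known recovery time" the third property asks for, and a failing run is the signal that a backup would not have been usable on the day of an attack.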

Organizations that meet these three criteria rarely pay ransom. They recover — and they do so faster than the average negotiation period of 8 to 10 days in a ransomware payment scenario (source: Cigent — Ransomware Recovery Time). Visit our Backup as a Service page to learn more about what such a solution looks like.

Conclusion

The question "should I pay?" has a simple answer if you know the data: paying rarely works, makes you more vulnerable to repeat attacks, and doesn't fix the underlying damage. The real answer to ransomware isn't a payment decision — it's a backup decision you make long before an attack happens.
Organizations with an isolated, tested backup are in a fundamentally stronger position after an attack. They can recover. They don't have to pay. And they don't need to hold a 2 a.m. meeting about a choice that was already made for them.
If you want to know where your organization stands today, a good starting point is to determine which backups are available, when they were last tested, and whether they are unreachable to attackers.

Frequently asked questions

Should I pay the ransom if I'll otherwise lose my files?

Paying guarantees nothing. Only 8% of organizations that pay recover all their data completely. Moreover, free decryption tools are sometimes available through No More Ransom (nomoreransom.org), an initiative by law enforcement agencies and security companies. Always check first whether a free decryption key exists for the specific ransomware variant before making any payment decision.

Is it illegal to pay ransomware in the EU?

In most EU countries, paying a ransomware ransom is not per se illegal, but there are exceptions. If the attackers are on a sanctions list (such as EU or UN sanctions), payment may be a criminal offense. Additionally, organizations under GDPR and NIS2 are required to report data breaches to the supervisory authority regardless of whether they pay. Always seek legal advice before any payment.

How long does recovery take after ransomware without paying?

The average recovery time after a ransomware attack is 21 to 24 days (source: Cigent), regardless of whether ransom is paid. Organizations with a tested, isolated backup can recover significantly faster — sometimes within hours for critical systems. Recovery time depends strongly on how recent the backup is, whether the backup is clean (not infected), and whether the recovery process has been practiced before.
