Does paying ransomware guarantee data recovery?


If your organisation has been hit by ransomware and you are weighing up whether to pay the ransom, contact Zensec immediately. Our team is available to guide you through your options.

It is one of the most pressurised decisions a business leader will ever face. The screens are locked, the clock is ticking, and a message demands a ransom in cryptocurrency. The instinct for many ransomware victims is to pay and move on.

It feels like the best way to recover data. You hand over the money, get the keys, unlock the files, and restore business continuity. But the uncomfortable truth is that paying ransoms is no guarantee of anything, and for many organisations it makes their situation measurably worse.

In this post, we’ll explore what the data actually says about ransom payments and data recovery. We’ll also cover what happens when a company pays and why the path to genuine resilience runs through preparation rather than capitulation.

If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

The promise ransomware groups make, and why it often falls apart

Ransomware is, at its core, malicious software that encrypts files and holds them to ransom. The attacker scrambles your critical data and provides a decryption key in exchange for payment, typically in Bitcoin or another cryptocurrency.

It sounds transactional, almost businesslike. Some ransomware groups even offer “customer support” to reinforce this impression of reliability.

The problem is that you are dealing with ransomware groups, and these criminals do not honour contracts. So, there’s no guarantee that you’ll receive access to your encrypted data.

A global study by Cybereason surveying over 1,200 organisations found that 80% of victims who paid a ransom experienced a second attack shortly afterwards. Nearly half of those who paid did get access to their data back, only to find that some or all of it had been corrupted. They paid, got back damaged data, and then were targeted again.

The ESG ransomware preparedness research, which surveyed 600 enterprise IT and security professionals across North America and Western Europe, found that only 16% of organisations recovered 100% of their data following a ransomware attack. Read that number again: roughly one in six. The other five in six lost at least some data for good.

More recent figures from 2024 are equally sobering. In Q4 of that year, 84% of organisations that paid a ransom still failed to fully recover their data. The decryption tools provided by attackers are often buggy, slow, and incomplete. They are written to extort, not to restore.

What UK organisations are actually experiencing

The UK cyber security threat picture has become significantly more serious over the past two years. According to the 2025 Data Health Check, improving data backup processes is now the top IT resilience priority for UK financial institutions and healthcare organisations, which speaks volumes about how painful recent experiences have been.

Research covering UK organisations in 2024 found that more than half had been hit by ransomware in the preceding 12 months, and of those, 59% chose to pay the ransom.

UK respondents paid an average of £870,000, with some admitting payments in the £10 million to £20 million range. And yet only 4% of all UK organisations hit by ransomware claimed to have recovered all of their data. Fewer than 2% recovered their data and restored normal business operations within 24 hours.

These figures also come with a wider context. UK organisations that restored from backups rather than paying were far more likely to achieve a meaningful recovery: those with intact, protected backups were more than three times as likely to recover successfully as those who paid.

The irony is hard to miss. The organisations that relied on their own recovery processes fared far better than those that funded the attacker's.

Why attackers target your backups first

Experienced ransomware groups understand that an organisation with solid, tested data backups will simply refuse to pay. Their leverage evaporates the moment you can restore from a clean copy. So they deliberately target your backup infrastructure, often before triggering the encryption, so that when the ransom note appears paying looks like the only way back.

In Zensec’s incident response work across UK businesses, this pattern is consistently visible. Attackers will spend days or weeks inside an environment before deploying the ransomware payload. During that time, they locate backup servers, identify connected storage devices such as NAS units, and either encrypt them, wipe them, or both. By the time the ransom note appears on your screens, your backups are often already gone.
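The pre-encryption behaviour described above leaves traces in process-creation telemetry long before the ransom note appears. What follows is an added example, not Zensec's tooling and not part of the original post: a small Python scanner that runs over constructed process-creation events (one JSON object per line with host, user, image and command_line fields, a format assumed here for illustration) and flags the Windows commands commonly used to destroy shadow copies, backup catalogues and boot recovery options, then reports any host where several distinct techniques fired together.

```python
"""Flag process-creation events that look like backup or recovery destruction.

Added example for illustration, not Zensec's tooling. The log format (one JSON
object per line with ts/host/user/image/command_line) is assumed; the events
below are constructed, not real telemetry.
"""
import json
import re
from collections import defaultdict

# Command patterns widely documented as pre-encryption "inhibit recovery" steps.
# Each rule is (name, compiled regex). Matching is case-insensitive because
# attackers vary casing freely (vssadmin vs VSSADMIN, Delete vs delete).
BACKUP_DESTRUCTION_RULES = [
    ("vss_delete",  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize",  re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin",     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit",     re.compile(r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("ps_shadow",   re.compile(r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject)", re.I)),
]

# Constructed sample: a legitimate backup job creating a shadow copy, then a
# compromised admin account tearing down recovery on the file server, and a
# PowerShell one-liner on a workstation. None of this is real data.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-02T01:12:04Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin create shadow /for=D:"}
{"ts": "2024-03-02T02:40:11Z", "host": "FS01", "user": "CORP\\Administrator", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2024-03-02T02:40:13Z", "host": "FS01", "user": "CORP\\Administrator", "image": "C:\\Windows\\System32\\wbadmin.exe", "command_line": "wbadmin delete catalog -quiet"}
{"ts": "2024-03-02T02:40:15Z", "host": "FS01", "user": "CORP\\Administrator", "image": "C:\\Windows\\System32\\bcdedit.exe", "command_line": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2024-03-02T02:41:02Z", "host": "WS17", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -nop -w hidden -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
{"ts": "2024-03-02T02:42:30Z", "host": "WS17", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\jsmith\\notes.txt"}
"""


def scan_events(raw_lines: str) -> list[dict]:
    """Return one hit per event whose command line matches a destruction rule."""
    hits = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmd = event.get("command_line", "")
        for rule, pattern in BACKUP_DESTRUCTION_RULES:
            if pattern.search(cmd):
                hits.append({"ts": event["ts"], "host": event["host"],
                             "user": event["user"], "rule": rule, "command_line": cmd})
                break  # the first matching rule is enough to raise the event
    return hits


def hosts_with_staging(hits: list[dict], min_distinct_rules: int = 2) -> list[str]:
    """Hosts where several *different* recovery-inhibition techniques fired.

    A single shadow-copy deletion can be a noisy administrator; two or three
    distinct techniques in quick succession on one host is the classic
    pre-encryption staging pattern and should page someone.
    """
    rules_by_host = defaultdict(set)
    for h in hits:
        rules_by_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in rules_by_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']:<5} {h['user']:<20} {h['rule']:<11} {h['command_line']}")
    print("hosts showing pre-encryption staging:", hosts_with_staging(found))
```

In the constructed sample the file server FS01 trips three different rules inside four seconds, which is the pattern worth paging on; the single PowerShell deletion on WS17 is still worth a look but is exactly the kind of event a busy administrator also generates. In a real deployment the rules would sit in the SIEM rather than a script, but the logic is the same: alert on the combination, and make sure the backup and hypervisor hosts forward their process telemetry at all.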

The ESG study found that nearly one in three organisations expressed serious concern that their backup copies could be infected or corrupted by a ransomware attack. Only 40% of organisations said they take extra measures to protect all of their backups.

The rest are operating on the assumption that their backups are safe, and in many cases that assumption has proved fatally wrong. An attacker who holds domain administrator credentials usually also holds the keys to the backup console, the hypervisor and the NAS administration interface. Without multi-factor authentication and separate, non-domain credentials on those management layers, your last line of defence falls with the rest of the domain.

This is why the concepts of immutability and air gapping matter so much. An immutable backup cannot be altered or deleted for a fixed retention period, even by an attacker with administrator credentials. The caveat is that this only holds when the storage platform enforces the lock itself; a "read-only" flag that an administrator account can clear is a permission, not immutability.

An air-gapped backup is physically or logically separated from your production network, so that the credentials, malware and commands in play inside a compromised environment cannot reach it. It does not share the same risk profile as the rest of your estate.

Without both of these measures in place, your backups are just another set of files waiting to be encrypted.

The financial reality of paying a ransom

Even when a ransom payment leads to partial data recovery, the total cost of the incident almost always far exceeds the ransom demand. Atlanta refused a $51,000 demand in 2018 and spent an estimated $17 million on recovery. Baltimore refused a $76,000 demand in 2019 and incurred over $18 million in recovery costs.

These are cases where payment was declined, but the point stands clearly: the ransom is almost never the real cost.

Organisations that do pay still face the ransom itself, forensic investigation costs, system rebuilding, staff overtime, regulatory fines if personal data was exfiltrated, and the reputational damage that follows a publicised breach.

The average total cost of a ransomware attack globally now sits at around $5 million per incident, completely dwarfing the payment many organisations hope will make the problem go away.

There is also a legal dimension that UK organisations need to consider carefully. The UK government has set out a ransomware policy package that includes mandatory incident reporting and a requirement for private sector victims to notify the authorities before any payment is made, alongside an outright ban on ransom payments by public sector bodies and critical national infrastructure operators.

Sanctions law adds further exposure. Under the UK and US sanctions regimes, making funds available to a designated person or group is itself an offence, and a victim rarely knows who actually sits behind the affiliate demanding payment.

Cyber insurance providers are also becoming stricter. Many policies now require the insurer to be notified before any payment and to approve the response, and how you handle the incident can determine whether the claim is paid at all.

The myth of the reliable decryption key

It is worth examining the mechanics of what actually happens when a decryption key is provided, because even in the best-case scenario, it is far from straightforward.

  • Decryption is slow. For large environments with hundreds of servers and millions of files, the process can take days or even weeks. Throughout that time your systems remain partially or fully offline: staff cannot work, revenue is lost, and customers are affected.
  • Decryption is unreliable. Files that were mid-write when encryption occurred may be permanently corrupted regardless of whether the correct key is applied. Databases are particularly vulnerable: a partially encrypted or torn database file often cannot be repaired even with a working key, and the decryptors themselves are frequently buggy.
  • Decryption does not clean the environment. Receiving the tool and restoring your files does nothing to remove the attacker from your network, close the vulnerability they used to enter, or remove the persistence they left behind. If you decrypt without a thorough forensic investigation and a full environment rebuild, you risk the attacker redeploying ransomware within weeks, sometimes days, or returning to extort you again over the data they have already stolen.

In Lake City, Florida, the city paid the $460,000 demanded in 2019. The decryption tools provided by the criminals were unreliable and caused further delays. The payment solved nothing and introduced new complications.

What genuine recovery actually looks like

If paying is unreliable, expensive, and dangerous, what does a genuine recovery pathway look like?

The organisations that recover most effectively from ransomware are those that treated recovery as an engineering problem before the attack happened. They invested in layered backup strategies: on-site backups for speed, off-site immutable backups for resilience, and regularly tested recovery drills to confirm those backups actually work. They segmented their networks so that a compromise in one area could not spread freely. They maintained detailed inventories of their critical systems and understood the sequence in which those systems needed to be restored.

Critically, they also maintained relationships with specialist incident response teams. When an attack occurs, the first hours matter enormously. Decisions made in a panic, without expert guidance, routinely result in evidence being destroyed, attackers remaining active in the environment, and recovery taking far longer than necessary.

If your organisation has been hit by ransomware and needs expert help right now, our ransomware incident response and data recovery service is available around the clock. We have handled dozens of ransomware incidents across UK businesses and know how to navigate recovery in a way that minimises data loss without putting money into criminal hands.

The shifting consensus on paying ransoms

The broader security community has largely moved away from recommending paying ransoms as a viable strategy, and the data has driven that shift. In 2025, 63% of ransomware victims globally refused to pay, up from 59% the year before.

UK organisations refusing to pay have risen dramatically, with only 17% of those hit by ransomware in the latest survey paying the ransom, down from 44% in 2023.

This decline in payments is not simply a matter of policy or principle. It reflects a growing understanding that payment does not reliably deliver recovery, invites repeat targeting, and funds the criminal infrastructure that threatens national security.

Every organisation that pays makes the economics of ransomware more attractive. Every organisation that refuses contributes to eroding those economics.

The Ransomware Taskforce has recommended a multi-year approach focused on deterrence, disruption, preparedness and a more effective response. The direction of travel in both policy and practice is clear: the answer to ransomware is not a faster way to pay criminals, it is a more resilient infrastructure that makes payment unnecessary.

What you should do right now

If you have not yet experienced a ransomware attack, the time to act is before it happens. At a minimum, your organisation should be asking three questions:

  1. Is 100% of your mission-critical data backed up, and are those backups immutable and stored on a separate, air-gapped infrastructure?
  2. When did you last test your recovery process end-to-end, not just assume it works?
  3. Do you have a documented, rehearsed incident response plan that your team knows how to execute?
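The second question on that list is the one most organisations cannot answer honestly, and it is also what the "regularly tested recovery drills" mentioned earlier come down to in practice. The following is an added example, not Zensec's tooling and not part of the original post: a Python restore drill that records a SHA-256 manifest of production files at backup time, restores into a scratch directory, and reports every file that came back missing, corrupted or unexpected. The directory layout, file names and manifest format are all assumed for illustration, and the data is constructed.

```python
"""Restore drill: prove a backup actually returns the data you put into it.

Added example for illustration, not Zensec's tooling. The layout (a file tree
plus a JSON manifest of SHA-256 hashes) is an assumption; the files below are
constructed test data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets do not need RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source: Path, manifest: Path) -> dict:
    """Record every file under `source` with its hash and size, at backup time.

    The manifest must be computed from production when the backup is taken and
    stored with the immutable copy. A hash computed later from the backup itself
    only proves that the backup equals itself.
    """
    entries = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest.write_text(json.dumps(entries, indent=1))
    return entries


def verify_restore(manifest: Path, restored: Path) -> dict:
    """Compare a restored tree against the manifest and classify every file."""
    expected = json.loads(manifest.read_text())
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    report = {"ok": [], "corrupt": [], "missing": [], "unexpected": sorted(present - set(expected))}
    for rel, meta in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(restored / rel) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # A drill passes only if nothing is missing or damaged. Extra files are
    # reported but do not fail it (they are often restore-tool metadata).
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report


def run_drill() -> dict:
    """Back up a constructed tree, restore it cleanly, then damage a second restore.

    Returns both reports so the passing and failing outcomes can be compared.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backup, manifest = root / "prod", root / "backup", root / "manifest.json"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sqlite").write_bytes(bytes(range(256)) * 16)  # constructed
        (src / "config.yaml").write_text("env: production\n")
        (src / "invoices.csv").write_text("id,amount\n1,99.00\n")

        shutil.copytree(src, backup)      # stands in for the backup job
        write_manifest(src, manifest)     # hashes taken from production, not from the copy

        clean = root / "restore_clean"
        shutil.copytree(backup, clean)    # stands in for a full, successful restore
        clean_report = verify_restore(manifest, clean)

        damaged = root / "restore_damaged"
        shutil.copytree(backup, damaged)
        with (damaged / "db" / "customers.sqlite").open("r+b") as f:
            f.write(b"\x00" * 512)        # torn first page: right size, wrong bytes
        (damaged / "invoices.csv").unlink()  # a file the restore silently skipped
        damaged_report = verify_restore(manifest, damaged)

        return {"clean": clean_report, "damaged": damaged_report}


if __name__ == "__main__":
    for name, rep in run_drill().items():
        status = "PASS" if rep["passed"] else "FAIL"
        print(f"{name}: {status} ok={len(rep['ok'])} corrupt={rep['corrupt']} missing={rep['missing']}")
```

The damaged restore is the interesting case: the database file is exactly the right size and would be listed by any backup console as present, yet its first page is garbage, which is precisely the "restored but unusable" outcome the survey figures above describe. A drill that only checks file counts would pass it. The design choice that matters is where the manifest comes from: it is hashed from production at backup time and kept with the immutable copy, so an attacker who later tampers with the backup cannot also rewrite the evidence of what it should contain.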

The ESG research found that very few organisations could recover 100% of their mission-critical information after an attack. That is not an inevitable outcome. It is the result of preparation that was not done in time.

Ransomware groups are sophisticated, patient, and well-resourced. They are not going away. But they are also rational actors pursuing financial returns. Organisations that make themselves expensive to attack and capable of recovering without paying are, by definition, less attractive targets.

The question is not whether you can afford to build that resilience. It is whether you can afford not to.