Should you pay a ransomware demand?


If your organisation has been hit by ransomware, contact Zensec immediately before making any payment decisions. Our team is available around the clock.

When a ransomware attack occurs, someone in your organisation will inevitably ask the question. The files are locked, operations are grinding to a halt, and a ransom note is sitting on every screen. A ransom demand is made, often in Bitcoin, often within 72 hours. Should you pay?

It’s something many organisations consider. The ransomware attackers are presenting the situation as a simple transaction: pay up, get your data back, get back to work.

But the evidence gathered over years of real incidents, official government guidance, and independent research paints a very different picture.

Making ransomware payments is not a reliable path to recovery. For many UK organisations, it’s the beginning of a second ordeal.

If you’re reading this because you think you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

What the NCSC actually says about paying ransomware demands

The UK’s National Cyber Security Centre is the government’s official authority on cyber security and threats. Its position on ransom payments is clear:

The NCSC, alongside UK law enforcement, does not encourage, endorse, or condone the payment of ransom demands.

Their published guidance is explicit that paying does not guarantee you will regain access to your data, leaves your systems infected, puts money directly into criminal hands, and makes your organisation more likely to be targeted by ransomware groups in the future.

This is not a vague advisory. It is a statement of official policy backed by years of real-world evidence. The NCSC’s guidance further recommends that, rather than considering payment, organisations should always maintain recent offline backups of critical data as the primary defence against ransomware.

The Information Commissioner’s Office has aligned with the same position in joint communications with the NCSC, and both agencies have consistently pushed back against the idea that payment resolves anything.

The UK government is moving towards a legal ban

In January 2025, the UK government launched a formal consultation on new ransomware legislation, proposing three significant measures: a targeted ban on ransom payments for public sector bodies and operators of Critical National Infrastructure; a mandatory pre-payment notification regime requiring all organisations intending to pay to engage with authorities before doing so; and a 72-hour mandatory reporting requirement for all ransomware victims, regardless of whether they intend to pay.

The response was striking. 72% of consultation respondents supported the targeted payment ban. 68% believed the ban would effectively reduce income to criminal groups. 60% thought it would deter attackers from targeting covered organisations. The government has confirmed it intends to continue developing these measures with industry towards legislation.

The National Crime Agency and the NCSC have both identified ransomware gangs as the most significant serious and organised cyber crime threat to the UK. A new law is coming. If your organisation is in the public sector or critical national infrastructure, the window for paying may be closing, and sanctions and asset controls already constrain who can lawfully be paid.

What happens when organisations pay the ransom

The statistics on payment outcomes are sobering, and they should inform every decision made at the point of an attack.

Cybereason’s 2024 True Cost to Business study found that 78% of organisations that paid an initial ransom demand were hit by a second attack, often by the same threat actor.

Of those who paid, only 47% received a working decryption key and were able to retrieve their data uncorrupted. More than six in ten of those hit a second time were asked to pay a higher amount than the first time. Paying, in other words, does not end the relationship with the attacker. It often marks the start of a more expensive one, particularly where double-extortion tactics are in play.

Sophos’s State of Ransomware 2025 report, drawing on responses from thousands of organisations globally, found that just under half of those who paid the ransom received their data back. The median ransom payment in the UK has doubled over the past year to $5.37 million, and 89% of all ransom demands surveyed were $1 million or more. For UK organisations, 28% of those who paid the initial demand ended up paying more than the original amount requested.

Separately, ESG research across North America and Western Europe found that only 16% of organisations recovered 100% of their data following a ransomware attack, regardless of whether they paid the ransom. That holds even for organisations that received working decryption keys. Decryption is unreliable, slow, and does not address files that were corrupted or partially written when encryption began.

What payment actually gives you, and what it does not

When an attacker provides a decryption key, they are handing over a tool that may or may not work fully, will take considerable time to process, and does nothing to restore your environment to a secure state.

Your systems remain compromised. The attackers still have whatever initial access they used to get in. Any malware, backdoors, or persistence mechanisms they installed before triggering the encryption are still present.

If you decrypt without conducting a thorough forensic investigation, you remain exposed to repeat attacks and to serious compliance and regulatory consequences.

In one widely documented case in the United States, a city paid $460,000 in cryptocurrency following a ransomware attack. The decryption tools provided by the attackers were unreliable and caused further delays to the recovery process. Payment solved nothing. The cost of the full remediation ultimately far exceeded the ransom paid.

This pattern is consistent. The ransom demand is rarely the highest cost of a ransomware incident. The total bill—including system rebuilding, legal counsel, and regulatory fines—typically runs many times the cost of paying the ransom.

Why UK organisations are increasingly refusing to pay cyber criminals

The data shows a meaningful shift in how UK organisations are responding to ransomware. In 2023, 44% of UK organisations hit by ransomware paid the demand. By 2024, that figure had fallen to 27%. The most recent figures show that only 17% of UK ransomware victims pay, while 57% recover from data backups. 24% of UK organisations now have a formal policy of never paying, double the figure from two years ago.

This is not a coincidence. It reflects organisations learning from experience, both their own and that of others, and investing more seriously in backup infrastructure and incident response capability. Those investments in disaster recovery plans are paying off.

Organisations with protected, tested, off-site backups are significantly more likely to recover successfully, and are far less exposed to attackers' pressure to pay.

The economics of ransomware depend on victims paying. Every organisation that refuses and can recover from backups chips away at the profitability of the model. The decline in UK payment rates is one of the more encouraging trends in the current threat landscape.

The genuine path to recovery after a cyber attack

The organisations that navigate ransomware attacks most effectively share a common characteristic: they treated recovery as an engineering challenge before the attack happened.

They invested in layered data backup strategies, with on-site backups for speed of recovery and immutable, off-site backups that cannot be encrypted or deleted by an attacker who has gained administrative access to the network.

They tested those backups regularly rather than assuming they worked. They maintained incident response plans and relationships with ransomware negotiators and specialist responders.
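The restore test described above is the part most organisations skip. As an added illustration (not Zensec's tooling or any product's code), the script below backs up a directory alongside a SHA-256 manifest, then performs a real restore from the backup copy and classifies every file as restored, missing or corrupted. The manifest format, directory layout and sample files are all constructed for the example; the point is that a backup only counts once a restore has been exercised and verified against known-good hashes.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Hypothetical manifest layout used by this example: {"files": {"relative/path": "sha256hex"}}
MANIFEST_NAME = "manifest.json"


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(src_dir, backup_dir):
    """Copy src_dir into backup_dir/data and record a SHA-256 manifest beside it."""
    manifest = {"files": {}}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            dest = os.path.join(backup_dir, "data", rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            manifest["files"][rel] = sha256_of(full)
    os.makedirs(backup_dir, exist_ok=True)
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Restore every manifest entry into restore_dir and check it against the recorded hash.

    Returns a report classifying each file as restored, missing (absent from the backup)
    or corrupted (present but hash mismatch), plus an overall "ok" flag.
    """
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    report = {"restored": [], "missing": [], "corrupted": []}
    for rel, expected in sorted(manifest["files"].items()):
        src = os.path.join(backup_dir, "data", rel)
        if not os.path.exists(src):
            report["missing"].append(rel)
            continue
        dest = os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(src, dest)
        # Hash the restored copy, not the backup copy: the restore path itself is under test.
        if sha256_of(dest) != expected:
            report["corrupted"].append(rel)
        else:
            report["restored"].append(rel)
    report["ok"] = not report["missing"] and not report["corrupted"]
    return report


def demo():
    """Constructed scenario: back up three files, damage the backup copy, run the restore test."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "live")
    bak = os.path.join(work, "backup")
    rst = os.path.join(work, "restore")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
        f.write("date,amount\n2024-01-01,100\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly planning\n")
    with open(os.path.join(src, "config.ini"), "w") as f:
        f.write("[app]\nmode=prod\n")
    write_backup(src, bak)
    # Simulate silent corruption of one backup copy and loss of another.
    with open(os.path.join(bak, "data", "notes.txt"), "ab") as f:
        f.write(b"\x00garbage")
    os.remove(os.path.join(bak, "data", "config.ini"))
    report = verify_restore(bak, rst)
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the manifest would be written when the backup is taken and stored with the immutable, off-site copy, so that a later restore test compares against hashes the attacker could not have altered; running the test on a schedule, and treating any "missing" or "corrupted" entry as an incident, is what turns a backup into a recovery capability.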

When an attack hits, the first hours are vital. Decisions made without legal counsel or expert guidance can make the outcome worse, including the exposure of sensitive data.

Having a specialist team you can call immediately is a practical necessity. Our specialists work with financial institutions and other UK businesses to navigate recovery effectively.

If your organisation has been impacted by ransomware and you need expert help, our ransomware incident response and data recovery specialists are available around the clock. We work with UK businesses to navigate recovery effectively without funding criminal activity.

So, should you pay a ransomware demand?

Based on the official guidance of the NCSC and UK law enforcement, the emerging legislative landscape, and the threat intelligence gathered from thousands of real-world incidents: no.

Paying a ransom does not reliably restore your systems or give you back access to your encrypted data. It does not clean your environment. It does not prevent ransomware actors from planning a second attack.

Such payments fund criminal operations that will use that money to develop more sophisticated tools and target more organisations, leading to further operational disruptions. And increasingly in the UK, it may not even be a legal option, depending on who you are and whether you’re paying sanctioned groups.

The question that matters more than whether to pay is whether your organisation has the backup infrastructure, incident response capability, and specialist support to recover without paying. If the honest answer is that you are not sure, that is the conversation worth having today, before an attack forces the question on you at the worst possible moment.