The Ransomware Payment Myth, Debunked
January 15, 2026
"Just pay it and move on" is the most expensive piece of bad advice in cybersecurity. Drawing on a year of incident-response work, here is why paying is rarely cheap, fast, or quiet.
When ransomware hits, the pitch to pay is seductive: hand over the money, get the key, restore service, contain the news. It sounds like the pragmatic, cost-minimising choice. After a year of incident-response engagements, we can say plainly that this picture is a myth on every count. Paying is rarely cheap, rarely fast, and almost never quiet.
Paying isn't cheap
The ransom is only the opening figure. Across our engagements, organisations that paid still incurred most of the costs they hoped to avoid — investigation, rebuilding systems they could not trust, downtime, legal and notification expenses — on top of the payment itself. The decryption key does not undo the breach; it only, sometimes, unlocks files. You still have to assume the attacker had full run of your environment and respond accordingly.
Paying isn't fast
Decryptors supplied by attackers are frequently slow, buggy, and incomplete. We have watched recovery via a purchased decryptor take longer than recovery from clean backups would have, because the tool processed files sluggishly, corrupted some, and silently skipped others. You are trusting recovery to software written by the people who just attacked you.
- Some files won't decrypt at all.
- Large datasets can take days to process.
- The "key" sometimes arrives partial, or not at all.
Paying isn't quiet
The hope that payment buys silence rarely holds. Many actors now exfiltrate data before encrypting and use the threat of publication as a second lever — and paying once marks you as an organisation that pays, inviting return visits. Regulatory notification duties may apply regardless of whether you paid, so the incident does not stay private simply because the files came back.
In our engagements, the organisations that recovered fastest and cheapest were almost always the ones that never had to negotiate — because they had tested, offline backups and a rehearsed plan.
The honest calculus
None of this is to moralise. There are genuine edge cases — a clinic with no viable backups and lives at stake — where the decision is agonising and legitimate. But those are exceptions, and even then payment buys far less certainty than people assume.
The strategic point is that the payment decision is won or lost long before the incident. Invest in tested, segmented, offline backups; rehearse your recovery; and you remove the leverage that makes payment look attractive in the first place. The cheapest ransom is the one you never have to consider.
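The recovery audit implied under "Paying isn't fast" and the rehearsal urged here, as an added Python example that is not part of this post: it compares a restored (or decrypted) tree against a SHA-256 manifest taken from a known-good copy and reports which files came back intact, corrupted, still encrypted, or missing. The manifest layout, the `.locked`/`.enc` suffixes, and the sample files are constructed assumptions, not anything from a real campaign.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder suffixes; real campaigns use many others.
ENCRYPTED_SUFFIXES = (".locked", ".enc")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 for every file under root (taken from a known-good copy)."""
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def audit_recovery(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Classify every file the manifest expects against what the restore/decryptor produced."""
    report: dict[str, list[str]] = {"ok": [], "corrupted": [], "still_encrypted": [], "missing": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if p.is_file():
            report["ok" if sha256_file(p) == expected else "corrupted"].append(rel)
        elif any((restored / (rel + s)).is_file() for s in ENCRYPTED_SUFFIXES):
            report["still_encrypted"].append(rel)  # decryptor skipped it silently
        else:
            report["missing"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: four files, one decryptor outcome each."""
    with tempfile.TemporaryDirectory() as tmp:
        good, restored = Path(tmp) / "known_good", Path(tmp) / "restored"
        good.mkdir()
        restored.mkdir()
        for name, data in {"a.txt": b"alpha", "b.txt": b"bravo", "c.txt": b"charlie", "d.txt": b"delta"}.items():
            (good / name).write_bytes(data)
        manifest = build_manifest(good)
        (restored / "a.txt").write_bytes(b"alpha")            # decrypted correctly
        (restored / "b.txt").write_bytes(b"bravo\x00\x00")    # corrupted by the decryptor
        (restored / "c.txt.locked").write_bytes(b"\xde\xad")  # skipped, still encrypted
        # d.txt never came back at all
        return audit_recovery(manifest, restored)
```

Run the same audit after a backup restore drill; a non-empty "corrupted" or "missing" list is exactly the gap you want to find before an incident rather than during one.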