Ransomware — 2026-02-28

Paying the Ransom Doesn’t Guarantee Recovery

The assumption many organisations make when they discover a ransomware infection is binary: pay the ransom and get the decryption key, don't pay and lose the data. The reality is significantly more complicated, and understanding the failure modes of paying is essential to making an informed decision under pressure.

This is not an argument for or against paying. It is an account of what we have seen happen — and what you need to know before you hand over cryptocurrency to a criminal organisation.

Decryptors Break

Ransomware decryption tools are written by the same people who wrote the encryption — criminals working under time pressure, not professional software engineers. Decryptor quality varies enormously across groups. Some are well-engineered and reliably restore data. Others are buggy, slow, prone to crashing, and capable of corrupting files during the decryption process itself.

We have responded to situations where an organisation paid, received a decryptor, ran it across encrypted data, and recovered 60–70% of files. The remainder were either corrupted during decryption or simply not covered by the key provided. The threat actor, having received payment, had limited incentive to investigate or fix the problem.

Some ransomware variants encrypt files in a way that is fundamentally unrecoverable even with the correct key — particularly where the original file was overwritten in place rather than a new encrypted copy created. Paying does not change this.

Partial Encryption Is Common

Modern ransomware groups typically do not encrypt every byte of every file. They encrypt enough to render files unusable while keeping the overall operation fast — encrypting only the first portion of large files, or skipping files above a certain size threshold. This speeds up the attack but means the decryptor must match the encryption logic precisely.

Where the decryptor and encryptor are slightly mismatched — which can happen after group restructuring, when affiliates use modified tooling, or where multiple ransomware variants were deployed — partial decryption can result in files that appear recovered but are actually corrupted. Discovering this post-payment, after having used the decryptor across tens of thousands of files, is an expensive problem.
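A check of this kind, as an added example that is not part of the original article: before a decryptor is run across the whole estate, run it on a sample and validate the output by header signature, trailer marker and, for ZIP-based Office documents, per-entry CRC, so a head-only, tail-only or block-level mismatch shows up as a tally rather than as a surprise weeks later. The signature table, file names and fixtures are constructed for this demonstration and the function names are assumptions, not any vendor's tooling.

```python
import tempfile
import zipfile
import zlib
from pathlib import Path

# Header signatures keyed by extension (constructed table; extend it for your estate).
HEADERS = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
TRAILERS = {".pdf": b"%%EOF"}            # formats with a known end-of-file marker
ZIP_BASED = {".zip", ".docx", ".xlsx"}   # containers whose per-entry CRCs can be tested

def check_file(path: Path) -> str:
    """Classify one recovered file: ok, bad-header, bad-trailer, bad-crc or unknown."""
    ext = path.suffix.lower()
    if ext not in HEADERS:
        return "unknown"
    data = path.read_bytes()
    if not data.startswith(HEADERS[ext]):
        return "bad-header"                  # head of the file is still ciphertext
    if ext in TRAILERS and TRAILERS[ext] not in data[-1024:]:
        return "bad-trailer"                 # tail was never decrypted
    if ext in ZIP_BASED:
        try:
            with zipfile.ZipFile(path) as zf:
                if zf.testzip() is not None:  # name of the first entry whose CRC fails
                    return "bad-crc"
        except (zipfile.BadZipFile, zlib.error):
            return "bad-crc"
    return "ok"

def validate_tree(root: Path) -> dict:   # tally check_file() over a decrypted sample tree
    counts = {k: 0 for k in ("ok", "bad-header", "bad-trailer", "bad-crc", "unknown")}
    for p in (p for p in root.rglob("*") if p.is_file()):
        counts[check_file(p)] += 1
    return counts

def build_samples(root: Path) -> None:   # constructed fixtures, not real victim data
    (root / "good.pdf").write_bytes(b"%PDF-1.4\n" + b"a" * 200 + b"\n%%EOF\n")
    (root / "head_hit.pdf").write_bytes(b"\x00\xff" * 100)   # header still encrypted
    (root / "tail_hit.pdf").write_bytes(b"%PDF-1.4\n" + b"a" * 300 + b"\x00\xff" * 50)  # tail still encrypted
    for name in ("good.docx", "body_hit.docx"):
        with zipfile.ZipFile(root / name, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("word/document.xml", b"<w:document>" + b"x" * 5000 + b"</w:document>")
    blob = bytearray((root / "body_hit.docx").read_bytes())
    blob[100:600] = b"\x00" * 500          # a mid-file block the decryptor got wrong
    (root / "body_hit.docx").write_bytes(blob)

def run_demo() -> dict:                  # validate the fixtures in a scratch directory
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        return validate_tree(Path(tmp))
```

Call run_demo() to see the tally on the constructed fixtures, or point validate_tree() at a directory of sample files the decryptor has processed.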

Data Was Already Exfiltrated — and Paying Doesn’t Change That

The vast majority of ransomware groups operating today are double extortion operations. They encrypt your data, but they have also exfiltrated a copy before deploying the encryptor. Paying for decryption does not address the exfiltration. Your data is already on their infrastructure.

Most groups commit — as part of the negotiation — to deleting the exfiltrated data upon payment. There is no mechanism to verify this commitment. We have seen data published on leak sites weeks after payment was made, with the group claiming the payment was insufficient or had not been received by the relevant affiliate. In some cases, stolen data has been sold to third parties regardless of payment status.

Where GDPR obligations are triggered by the exfiltration — which is most of the time — payment does not eliminate those obligations. You still need to notify the ICO within 72 hours of becoming aware of the breach. Paying does not make a breach notification unnecessary.

Sanctions Risk Is Real

The Office of Financial Sanctions Implementation (OFSI) maintains a list of sanctioned entities that includes ransomware groups. Paying a sanctioned group — even unknowingly — is a criminal offence. The Lazarus Group, Evil Corp, and various individuals affiliated with major ransomware operations are on sanctions lists.

Sanctions screening before payment is not optional. If your insurer is managing a ransom payment on your behalf, they should be conducting this screening. If you are managing it directly, you need legal advice before funds are transferred. Getting this wrong carries significant legal liability that extends well beyond the original ransom amount.

This is one reason why engaging professional negotiators matters. They understand the sanctions landscape, maintain current threat actor attribution intelligence, and can identify where the risk of paying is legally untenable.

Re-Extortion After Payment

A subset of ransomware groups, and a larger proportion of their affiliates, do not honour the implied agreement. After receiving payment they continue to threaten publication of data, demand additional payments for individual file categories, or sell access to the victim environment to other criminal groups.

Re-extortion is more common where the original negotiation was handled unprofessionally — where the victim communicated panic, disclosed financial information, or indicated willingness to pay without resistance. Negotiation approach significantly affects outcomes, including the likelihood of post-payment demands.

When Payment Is the Right Decision

There are situations where paying is the most rational choice, and a professional negotiator will help you identify them. Key considerations:

These are business decisions that require legal, financial, and technical input. They should not be made unilaterally by IT in the first hours of an incident.

What Negotiation Actually Achieves

Professional ransomware negotiation is not simply about reducing the demand — though reduction of 40–70% from the initial ask is common. It is about buying time for investigation and recovery planning, gathering intelligence on the threat actor and their tooling, assessing decryptor quality through technical proof of decryption, and establishing legal defensibility for any payment decision made.

Negotiating without professional support — via internal staff, with no experience of threat actor communication patterns, no sanctions screening capability, and no intelligence on the group — risks escalating the situation, revealing information that strengthens the attacker's position, or paying a sanctioned entity.

If you are in an active ransomware incident, contact us immediately at enquiries@binary-response.com. We conduct ransomware negotiations daily and can advise on payment decisions, sanctions compliance, and decryptor viability before funds change hands.