To Pay or Not to Pay: Ransomware Demands and the Decision Framework
The decision to pay a ransomware demand is one of the most consequential a business can face, and it has to be made under extreme time pressure, with incomplete information, while critical systems are offline. Most organisations have not thought about this decision in advance. By the time the note appears and the clock starts counting down, you need a framework that lets you evaluate the choice quickly and document your reasoning clearly.
There is no universally correct answer. Paying does not guarantee decryption. Not paying does not guarantee recovery. The right decision depends on factors specific to your organisation, your data, your backup posture, your insurance policy, and the legal environment at the time. What we can offer is the set of questions you need to answer and the sequence in which to answer them.
Legal and Regulatory Considerations
The first question is whether paying is legally permissible. In Australia, paying a ransom is not prohibited by law in most circumstances, but there are exceptions. If the ransomware group demanding payment is a sanctioned entity under Australian financial sanctions law, making payment can constitute a sanctions violation. Your legal counsel needs to check the threat actor's identity against current sanctions lists before any payment decision is made. This is not a theoretical concern. Several active ransomware groups operate under or affiliated with sanctioned jurisdictions.
Regulatory notification obligations may also affect your decision timeline. The Australian Notifiable Data Breaches scheme requires notification to the Office of the Australian Information Commissioner within 72 hours of becoming aware of an eligible data breach. If personal information has been exfiltrated, the clock on your notification obligation may already be running, regardless of what you decide about payment. Paying the ransom does not discharge your regulatory obligations. Some organisations mistakenly believe that if they pay, the problem goes away quietly. It does not.
Insurance Obligations
If you have cyber insurance, your policy almost certainly has specific requirements around ransomware incidents. Many policies require you to notify your insurer before making any payment decision. Some require insurer approval. Some provide access to specialist negotiation services that can reduce the payment amount or verify decryptor quality. Paying without notifying your insurer may void your coverage. Read your policy before the incident if at all possible, and call your insurer in the first hours if you have not.
Even with coverage, understand what your policy actually covers. Some policies cover the ransom payment itself but cap it. Some cover business interruption losses but have waiting periods. Some cover forensic investigation costs but require pre-approved vendors. The gap between what you think your policy covers and what it actually covers tends to become apparent at the worst possible time. Your insurer's incident response line should be one of the first calls you make.
Assessing Your Recovery Options
The business case for paying a ransom depends heavily on whether you have a viable alternative. If you have verified, intact backups that cover the affected systems and data, and if you can restore within a timeframe the business can sustain, payment becomes harder to justify. If your backups are partial, corrupted, or have themselves been encrypted, the calculus changes. Before making any payment decision, you need an accurate assessment of your backup posture from someone who has actually tested the restore process in the current environment.
You also need a realistic assessment of what paying will actually get you. Decryptors provided by ransomware groups vary enormously in quality. Some work reliably. Some are slow and error-prone, requiring weeks of manual effort to restore data. Some are provided but the attackers have already deleted the keys on their end. And paying does not prevent the attacker from publishing exfiltrated data, demanding further payment, or targeting you again. There is no honour among ransomware operators. A decision to pay is a business decision made under duress, not a reliable path to a clean outcome.
The Decision Process Under Time Pressure
Ransomware operators impose deadlines because time pressure degrades decision-making quality. Recognise the pressure for what it is: a negotiating tactic. In most cases, deadlines are not absolute. Engaging through a negotiation intermediary can extend timelines. Do not allow artificial urgency to force a decision that should involve legal counsel, your insurer, your board, and a qualified DFIR firm.
Document every element of your decision process regardless of which way you decide. The reasoning behind the decision, the options considered, the legal and insurance advice received, the state of your backup environment, the regulatory notifications made. If you pay, document the payment through your legal team and financial institution with appropriate anti-money-laundering disclosures. If you do not pay, document the basis for that decision and your remediation and recovery plan. This documentation becomes important in any subsequent regulatory inquiry or insurance claim.
We work with organisations through active ransomware incidents, including advising on response decisions, coordinating with legal and insurance teams, and conducting the forensic investigation that informs your choices. Contact us at info@cyberlinx.com.au before you need us.
Related Articles







