To Pay or Not to Pay? The Pragmatic Guide to Ransomware Extortion
The FBI says “never pay.” Your board wants an answer by morning. Here’s how executives actually make the call — without losing the company.
Published by CMIT Solutions · Cybersecurity & Incident Response · 8 min read
The FBI Says Never Pay. Your Board Wants an Answer Tonight.
The official guidance is clean: never pay the ransom. The reality on the ground is messier. When your ERP is frozen, payroll runs Friday, your customer data is being auctioned on a leak site, and your insurer is asking pointed questions about your incident response plan, “never pay” stops being a strategy and starts sounding like a slogan.
This is the moment most executives discover their cybersecurity posture is a fiction — controls were attested to on insurance applications but never enforced, backups exist but were never tested, and the “incident response plan” is a six-page PDF nobody on the call has actually opened. The pragmatic question isn’t whether ransomware is ethically wrong. It’s whether your business survives the next 72 hours.
The Pragmatic Takeaway
Whether or not to pay the ransom is rarely a moral question by the time it reaches the boardroom. It’s a business survival calculation driven by backup viability, threat-actor reputation, cyber insurance requirements, and regulatory exposure. Get those four inputs right before the attack — not during it.
What Is Double Extortion Ransomware (And Why It Changed Everything)
Traditional ransomware encrypted your data and demanded payment for the decryption key. Solid immutable backups effectively neutralized that threat — restore, wipe, refuse to pay. Adversaries adapted. Double extortion ransomware now exfiltrates your sensitive data before encryption, then threatens to publish it on a dark-web leak site if payment isn’t made. Several groups have escalated to triple extortion: DDoS attacks against your public services, or direct harassment of your customers and employees.
- Exfiltration first: Attackers dwell in the network an average of 9 days before deploying ransomware, quietly stealing terabytes.
- Leak-site auctions: Stolen data is posted in stages — sample, then 25%, then full dump — to ratchet pressure.
- Regulatory fallout: HIPAA, state breach notification, GDPR, and SEC disclosure rules trigger regardless of whether you pay.
- Insurance complications: Modern policies require pre-payment carrier approval and OFAC sanctions screening of the threat actor.
What you’re really weighing when you decide whether to pay the ransom:
- ⚠ Operational downtime (typical mid-market: $250K–$1M per day)
- ⚠ Customer notification, credit monitoring, and regulatory fines
- ⚠ Class-action and shareholder litigation if exfiltrated data surfaces post-payment
- ⚠ OFAC sanctions violations if the threat actor is on a U.S. Treasury list
- ⚠ Re-extortion risk — payment marks you as a willing target
- ⚠ Coverage gaps if your insurer pre-authorization process wasn’t followed
The Decision Framework: When (and Whether) to Pay the Ransom
There is no universal answer. There is a framework. Walk every ransomware negotiation through these four questions before your CEO signs a wire transfer.
Question 1: Do you have clean, immutable, tested backups?
- If yes: Payment for a decryption key is unnecessary. Restore and harden.
- If no: Encryption alone could be existential — payment moves onto the table.
Question 2: Was data exfiltrated before encryption?
- If yes: Payment does not remove leak risk. Assume the data is copied, sold, or staged. The decision shifts to mitigation, not prevention.
Question 3: Is the threat actor OFAC-sanctioned?
- If yes: Payment is illegal under U.S. Treasury regulations — period. Penalties are strict liability. Your IR team must screen the actor before any payment discussion.
Question 4: Has your insurance carrier pre-approved the payment?
- If no: Paying unilaterally may void coverage entirely. Carrier-approved negotiators, forensics, and counsel must be looped in before any wallet activity.
The Three Pillars of a Pragmatic Ransomware Response
If you want the option to refuse to pay the ransom — or to negotiate from a position of strength rather than panic — three operational pillars have to be in place before the first encrypted file appears. CMIT Solutions builds and operates all three for mid-market and enterprise clients.
Pillar 1: Immutable Backup & Disaster Recovery (BDR)
The Gap: Most SMB and mid-market backups are reachable from the production network. Attackers spend their 9-day dwell time finding and encrypting those backups too. “We have backups” becomes meaningless at the moment of attack.
The Fix: CMIT deploys immutable, air-gapped BDR with verified restore testing on a documented cadence. When the ransom note arrives, you negotiate from strength — or skip the negotiation entirely and restore.
Pillar 2: 24/7 Incident Response Retainer
The Gap: Without a pre-arranged incident response plan and retainer, the first 12 hours after detection are spent cold-calling forensics firms, scrambling for outside counsel, and arguing with the insurer about coverage. Every hour costs five figures.
The Fix: A CMIT Incident Response retainer puts a forensics-trained team on the phone within 60 minutes, coordinates carrier and counsel communication, and executes a pre-approved containment playbook — turning the first hour from panic into protocol.
Pillar 3: Cybersecurity Assessment & Insurance Readiness
The Gap: Most policyholders discover their cyber insurance won’t pay out because the controls they attested to — MFA on all admin accounts, EDR on every endpoint, documented backup testing — were aspirational, not enforced. Carriers deny claims on technicality.
The Fix: CMIT’s Cybersecurity Assessment maps your environment against your insurer’s required controls before renewal, closes the gaps, and documents the evidence so coverage holds when you need to file.
Don’t decide whether to pay the ransom under duress.
Build the framework now — while you still have leverage.
Cyber Insurance Requirements: What Your Policy Probably Won’t Cover
Cyber insurance has hardened dramatically. Premiums are up, sublimits are down, and exclusions have multiplied. If you’re quietly counting on your policy to write the ransom check, read it again. Standard cyber insurance requirements in current renewals include:
- MFA on all privileged accounts, remote access, and email
- EDR / XDR deployed on every server and workstation — not just AV
- Immutable backup architecture with documented restore testing
- Written incident response plan with annual tabletop exercises
- Security awareness training with phishing simulation metrics
- Patch management SLAs for critical and high CVEs
- Privileged access management (PAM) for domain admin and cloud root accounts
Miss any one of those — even if you attested to it on the application — and your carrier has grounds to deny the claim. The carrier’s post-loss audit is more thorough than the underwriting audit. By the time they’re writing checks for a seven-figure event, they’re looking for reasons not to.
The Canvas LMS Case: Why “Successful” Payments Aren’t the Rule
A widely circulated incident involving a Canvas LMS breach reportedly saw the threat actor return exfiltrated data after a ransom was paid. On the surface, this looks like vindication for the pay-to-recover strategy. It isn’t — and treating it as a template is dangerous.
Threat intelligence across Coveware, Sophos, and FBI IC3 reporting shows that fewer than half of victims who pay recover all of their data, and a substantial percentage are re-extorted within 12 months — sometimes by the same group, sometimes by an affiliate, sometimes by a downstream buyer of the stolen credentials. Paying establishes you as a viable target inside private threat-actor channels. The Canvas outcome is the exception negotiators cite to justify the strategy. The rule is that the data was already copied, sold, or staged for future leverage before the “deletion” was demonstrated.
Defend with CMIT Solutions
The right time to decide whether you’d pay the ransom is six months before an attack — not at 2 a.m. on a Saturday with your CFO, outside counsel, and a forensics firm you’ve never worked with on the bridge call. CMIT Solutions builds the operational foundation that makes the decision defensible either way: immutable BDR so encryption isn’t existential, a 24/7 Incident Response retainer so the first hour is professional rather than panicked, and Cybersecurity Assessment that aligns your controls with your cyber insurance requirements. When the ransom note arrives, your decision becomes a calculation — not a crisis.
Threat intelligence sources: FBI IC3 ransomware advisories, CISA #StopRansomware bulletins, Coveware Quarterly Ransomware Report, and Sophos State of Ransomware. Specific incident references (including the Canvas LMS case) are based on publicly reported breach disclosures and threat-intelligence reporting.
Build Your Ransomware Decision Framework Before You Need It
CMIT Solutions delivers BDR, 24/7 Incident Response, and Cybersecurity Assessment services that turn the pay-or-not-pay question from a panic into a plan.
Prefer to talk to a human? Email hello@cmitsolutions.com