
Ransomware Negotiation

Before you make contact with a threat actor, read this. Paying the wrong group triggers OFAC civil penalties. Paying without proof of decryption capability wastes seven figures. This guide covers the legal risks, the negotiation process, and when—if ever—payment makes sense.

Should you pay a ransomware demand?

The FBI and CISA both recommend against paying. Payment funds criminal operations, does not guarantee decryption, and does not eliminate the risk of data publication. In practice, whether to pay depends on four variables: backup viability, data exfiltration status, sanctions risk, and the cost of prolonged downtime versus the ransom amount.

Coveware Q4 2024 data shows ransomware payment frequency has declined to around 29% of incidents—down from 85% in 2019. That shift reflects better backup practices, faster containment, and growing awareness that paying does not stop data leaks. Groups that operate leak sites routinely publish data even after receiving payment, making the extortion payment for silence a poor bet.

The calculation changes when critical infrastructure is down, patient care is at risk, or the exfiltrated data includes information that would be catastrophic if published—M&A details, attorney-client privileged communications, or personal information of executives. In those cases, organizations need a professional negotiator to assess the situation, not an internal team making the decision under pressure.

One absolute rule: obtain proof of life (a test decryption of several benign files) before any payment discussion advances. Roughly 10–15% of groups that demand payment cannot actually decrypt the files—either because the encryption was botched or because they are exit-scamming. Paying without verifying decryption capability is writing a check with no guarantee of delivery.

How does ransomware negotiation work?

Professional negotiators follow a structured process: establish contact through attacker-provided channels, stall for time while containment and backup assessment proceed, request proof of life, anchor the negotiation low, and handle cryptocurrency transaction compliance. Coveware quarterly data shows negotiated payments consistently settle at 30–50% below the initial demand.

Most ransomware groups provide a negotiation portal—either a .onion site accessed through Tor or an email address embedded in the ransom note. The first contact message from a negotiator is deliberately vague and stalling: "We are assessing the situation and need time to review the scope of the impact." This buys 24–72 hours while the IR team determines whether backups are viable.

Proof of life follows: the negotiator requests decryption of 3–5 benign, low-value files (a logo PNG, a config file, a README) that the attacker selects from the encrypted environment. This verifies that the group possesses a working decryption key—not all groups claiming ransomware capability actually do. Groups that cannot produce a working decryptor should not receive payment under any circumstances.

The negotiator then begins price reduction. Effective framing: claims of financial hardship, demonstrating the ransom exceeds liquidity, and referencing the declining value of data in double-extortion scenarios (regulators and the public already expect breaches; the data's blackmail value is often lower than groups believe). Coveware Q4 2024 reports the median ransomware payment at approximately $479,000, down from over $850,000 in 2023—reflecting both better defenses and more aggressive negotiation.

If payment proceeds, cryptocurrency is transferred via a compliant exchange after blockchain analytics clearance. The negotiator obtains the decryptor executable and decryption key, tests it on a sample of encrypted files before wide deployment, and—when possible—obtains written confirmation from the group that exfiltrated data has been deleted (though this cannot be verified independently).
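The proof-of-life step above, and the later test of the decryptor on a sample before wide deployment, both come down to the same question: did the bytes that came back actually decrypt? The following is an added example, not code from the original page; it assumes a small set of benign sample files and, where one exists, the SHA-256 of a known-good copy of the same file (for instance a logo also served on the public website), which is the strongest check available.

```python
import hashlib
import math

# Header signatures for benign file types typically handed over for a test
# decryption (logo PNG, PDF, archive). Plain-text files such as configs and
# READMEs have no header and are judged by entropy instead.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8.0, while text and
    configuration files come out well below that."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_sample(name: str, data: bytes, reference_sha256=None) -> dict:
    """Assess one file returned from the attacker's test decryption.
    reference_sha256 (assumed available for some samples) is the hash of a
    known-good copy of the same file; a hash match is conclusive."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    magic_ok = None if magic is None else data.startswith(magic)
    entropy = shannon_entropy(data)
    hash_ok = None
    if reference_sha256 is not None:
        hash_ok = hashlib.sha256(data).hexdigest() == reference_sha256.lower()
    # Verdict: a reference hash settles it; otherwise the content must not
    # look random and, when the type has a header, the header must be present.
    decrypted = hash_ok if hash_ok is not None else (entropy < 7.5 and magic_ok is not False)
    return {"name": name, "magic_ok": magic_ok, "entropy": round(entropy, 2),
            "hash_ok": hash_ok, "decrypted": decrypted}


def proof_of_life_passed(results: list) -> bool:
    """Every sample must come back verifiably decrypted; one failure means no working decryptor."""
    return bool(results) and all(r["decrypted"] for r in results)


if __name__ == "__main__":
    # Constructed samples: a decrypted config file and a "logo" that is still ciphertext.
    samples = [check_sample("settings.ini", b"[database]\nhost = db01.internal\nport = 5432\n"),
               check_sample("logo.png", bytes(range(256)) * 4)]
    print(samples)
    print("proof of life passed:", proof_of_life_passed(samples))
```

A decryptor that merely strips the ransomware extension, or one handed back with the wrong key, fails the entropy and header checks even when no reference hash is available.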

What is double extortion and why does it change the decision?

Double extortion combines encryption of victim systems with theft of sensitive data and the threat to publish it on a public leak site. It emerged in 2019–2020 with groups like Maze and now characterizes the majority of enterprise ransomware attacks, making the restore-from-backup option insufficient on its own.

Before double extortion, a victim with clean offline backups could restore operations without paying. Ransomware groups recognized this and pivoted: they now spend weeks or months inside a network exfiltrating data before triggering encryption. By the time the ransom note appears, the data is already on attacker infrastructure.

The threat to publish changes the regulatory calculus. If the exfiltrated data includes personal information—and it almost always does—publication on a publicly indexed leak site may trigger state data breach notification obligations and potentially GDPR breach reporting. In healthcare, publication of PHI triggers HIPAA obligations. The victim's notification deadline is not tied to whether the attacker publishes; it typically runs from the date of the underlying breach.

A critical operational point: paying the ransom does not guarantee data deletion. Groups routinely retain copies of exfiltrated data for future leverage or sale. Law enforcement takedowns of leak sites (as with ALPHV/BlackCat in December 2023 and LockBit in February 2024) have sometimes resulted in victim data being recovered without payment—an argument for engaging law enforcement early and not rushing to pay.

Who should negotiate—you, your IR firm, or your insurer?

Negotiate through professionals, not your internal team. The three parties involved—IR firm, cyber insurer, and breach coach (privacy attorney)—each play a defined role. Coordination between them from the first hour prevents costly mistakes and preserves insurance coverage.

Your IR firm or a specialized ransomware negotiation firm handles tactical negotiation: contact, proof-of-life requests, price anchoring, and payment logistics. Most major IR firms have dedicated negotiation capabilities or partnerships with specialists. Find ransomware-specialist IR firms in the directory.

Your cyber insurer has a financial stake in the outcome and typically has pre-approved panel negotiators whose fees are covered. Notifying the insurer before any payment—and often before initiating contact with the attacker—is required under most policy terms. Failure to notify can void coverage. The insurer's claims handler will also want to see sanctions screening documentation before authorizing payment.

The breach coach (privacy attorney) works under attorney-client privilege to direct the response and manage regulatory notification. Everything the attorney instructs is privileged; communications between the victim and IR firm that go through the attorney may also be protected. Engaging the breach coach before substantive negotiation begins preserves the broadest possible privilege protection.

Decision framework: when to pay vs. when to decline

No single factor determines the payment decision. Use this framework to assess your situation across five dimensions. More than two factors in the "consider paying" column warrant serious consideration; any factor in the "do not pay" column merits investigation before proceeding.

Factor: Backup viability
  Lean toward "do not pay": Immutable, tested offline backups exist for all critical systems
  Lean toward "consider paying": Backups are encrypted, deleted, or recovery would take 30+ days

Factor: Data exfiltration confirmed
  Lean toward "do not pay": Logs show no data left the environment, or the data has no publication value
  Lean toward "consider paying": Sensitive PII, PHI, M&A data, or attorney-privileged materials confirmed exfiltrated

Factor: Sanctions risk
  Lean toward "do not pay": Blockchain analytics show no SDN-list association; group is not OFAC-designated
  Lean toward "consider paying": Group identity unknown, or wallet cluster touches known sanctioned infrastructure

Factor: Regulatory exposure
  Lean toward "do not pay": Data involved has minimal PII; notification obligations manageable without attacker cooperation
  Lean toward "consider paying": Publication would trigger multi-jurisdiction notifications, class action risk, or a HIPAA breach

Factor: Downtime cost vs. ransom
  Lean toward "do not pay": Daily downtime cost is low; organization can operate manually for weeks
  Lean toward "consider paying": Each day of downtime costs more than the negotiated ransom; life-safety systems affected

Consult legal counsel and a professional ransomware negotiator before making a payment decision. This table is a framework, not legal advice.

Frequently asked questions

Should you pay a ransomware demand?

The FBI recommends against paying because payment funds criminal operations and does not guarantee file recovery. Whether to pay depends on backup viability, data exfiltration status, sanctions risk, and the cost of downtime. A professional negotiator should assess the situation before any decision is made.

Is paying ransomware illegal in the United States?

Payment is not inherently illegal, but OFAC prohibits transactions with sanctioned parties. If the ransomware group is on the SDN list—such as Evil Corp or Lazarus Group—paying can result in civil penalties up to $1,033,094 per transaction under 31 C.F.R. Part 578, regardless of intent. Sanctions screening before payment is mandatory.

How much of a discount can a ransomware negotiator get?

Coveware quarterly reports show negotiated payments typically settle at 30–50% below the initial demand. Some negotiators report discounts exceeding 70% when they can credibly demonstrate the victim cannot pay. The final amount depends on the threat group's typical behavior and negotiation leverage.

Does paying the ransom guarantee data deletion?

No. Groups routinely retain copies of exfiltrated data for future leverage or resale. There is no enforceable mechanism to verify deletion. This is one reason payment is often a poor investment when the primary concern is preventing data publication rather than restoring files.

When should you contact law enforcement during a ransomware attack?

Notify the FBI (IC3.gov) early—ideally within the first 24 hours. Law enforcement has decryption keys recovered from seized group infrastructure for some variants (LockBit, Hive, ALPHV) and can sometimes prevent data publication. Notification does not commit you to prosecution and is often required by cyber insurance policy terms.

Find a ransomware specialist

Professional negotiators reduce payments by 30–70% on average and handle OFAC sanctions screening that your team is not equipped to perform under pressure.