Ransomware Response Strategy: Pay or Prepare?
When ransomware strikes, panic often sets in. Systems lock up, critical files become inaccessible, and a ticking countdown demands payment. At that moment, your team faces one urgent decision: Do we negotiate, or do we fight back?
In that moment the pressing question isn't how the attackers got in (that belongs to the post-mortem); it's what your next move will be.
The Rising Threat of Enterprise Ransomware
Ransomware attacks on enterprises have grown increasingly sophisticated. Groups like Dark Angels and LockBit now operate with organized structures, payment portals, and even “customer support.” These cybercriminals don’t just target governments or tech firms. Hospitals, logistics companies, utilities, and educational institutions are fair game.
A report by Zscaler noted that the $75 million ransom allegedly paid to Dark Angels has only emboldened others, pushing demands even higher.
Fortunately, Chainalysis reports a shift: more victims are refusing to pay, thanks in part to law enforcement successes like dismantling LockBit servers and taking down ALPHV/BlackCat leak sites.
Should Your Company Enter Ransomware Negotiations?
The decision to pay isn’t black and white. Law enforcement discourages it, citing the danger of funding organized crime and further incentivizing attacks.
But when stakeholder obligations, patient safety, or business continuity are on the line, organizations may choose to negotiate. It often becomes a business decision, not an ethical one.
For example, Colonial Pipeline paid a ransom of roughly $4.4 million in 2021 to limit fuel supply disruption along the U.S. East Coast. The FBI later recovered part of the payment, but the case sparked a nationwide conversation about ransom strategy.
The Role of Incident Response Teams in Negotiations
When negotiations begin, professional responders take charge. They work alongside IT, legal, and comms teams, often bringing in expert negotiators familiar with ransomware gangs’ tactics.
“Skilled third-party responders can de-escalate threats, lower ransom demands, and buy time to recover systems,” says Azeem Aleem, MD of UK & Northern Europe at Sygnia.
Most attackers follow a manipulative playbook: fear tactics, fake deadlines, and threats of data leaks. Good negotiators respond calmly, stall for time, and demand proof before proceeding, typically by having the attackers decrypt sample files that the victim selects rather than ones the attackers choose. Any decryptor that is eventually delivered should be tested on an isolated machine, against copies of the encrypted data, before it is run anywhere else.
Involving Law Enforcement in Ransomware Response
While law enforcement typically won’t negotiate with cybercriminals, their early involvement helps:
- Track threat actor infrastructure
- Advise on legal implications, including whether the group is under sanctions, which can make the payment itself unlawful
- Support insurance claims
- Prevent repeat attacks
Some cyber insurance policies require that the insurer be notified, and sometimes that the incident be reported to law enforcement, before any payment or recovery step is taken; paying without that notification can void the claim.
Building a Ransomware Response Playbook
1. Preparation Starts Now
Have a documented incident response plan in place. This should cover:
- Decision-making authority for negotiations
- Legal and compliance requirements
- Communication strategies
2. Run Tabletop Exercises
Simulate attacks regularly. These mock drills expose weaknesses and train executives to respond under pressure.
“Tabletop simulations help teams prepare for double extortion or customer-facing fallout,” says Tim West, Director at WithSecure.
When Ransom Negotiations Fail
Not all attackers deliver decryption keys, even when paid, and the decryptors that do arrive are often slow, buggy, or incomplete. So, what should your fallback plan include?
- Assess the Damage: Identify which systems are affected and if clean backups exist.
- Engage Experts: Bring in cybersecurity professionals to assist with containment and recovery.
- Isolate Infected Systems: Prevent the spread by disconnecting compromised assets from the network (rather than powering them off, which destroys volatile evidence), and disable or rotate the credentials the attackers were seen using.
- Notify Authorities: Alert regulatory bodies and law enforcement promptly.
- Communicate Transparently: Keep customers, employees, and stakeholders informed.
- Recover Data Safely: Restore only from backups that predate the intrusion and that you have verified, ideally offline or immutable copies checked against hashes recorded before the incident; a backup the attackers could reach may already be encrypted or tampered with.
- Update Defenses: Patch vulnerabilities, audit access controls, and improve security hygiene.
- Review and Learn: Conduct a full post-mortem to strengthen future resilience.
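The "recover data safely" step is the one that most often goes wrong in practice: teams restore a snapshot the attackers had already reached. The script below is an added example, not from the article or from any vendor named in it. It assumes you recorded a manifest of SHA-256 hashes for the backup set before the incident, and it treats a file whose hash no longer matches and whose bytes look random (Shannon entropy close to 8 bits per byte, cut-off assumed at 7.5) as probably encrypted. The sample backup it inspects is constructed inside the script so it runs offline.

```python
"""Verify a backup snapshot against a pre-incident hash manifest before restoring it.

Added example; assumes a manifest of SHA-256 hashes was recorded before the incident
and that ransomware-encrypted files look like random bytes (entropy near 8 bits/byte).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed cut-off; text, CSV and most DB pages sit well below it


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare every file under root with the manifest.

    clean: hash matches the manifest; modified: hash differs; missing: listed but absent;
    unexpected: on disk but never listed; suspicious: modified/unexpected AND high entropy.
    restorable is True only when nothing is modified, missing or suspicious.
    """
    report = {"clean": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    on_disk = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            on_disk[os.path.relpath(full, root).replace(os.sep, "/")] = full
    for rel, expected in manifest.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(on_disk[rel]) == expected:
            report["clean"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in on_disk:
        if rel not in manifest:
            report["unexpected"].append(rel)
    # Only files the manifest cannot vouch for get the entropy check.
    for rel in report["modified"] + report["unexpected"]:
        with open(on_disk[rel], "rb") as f:
            if shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    for key in report:
        report[key].sort()
    report["restorable"] = not (report["modified"] or report["missing"] or report["suspicious"])
    return report


def build_demo_snapshot() -> tuple:
    """Constructed sample backup: one intact file, one overwritten with random-looking bytes,
    one deleted, plus a ransom-note-style file the manifest never listed."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    good = b"customer,balance\nacme,1200\n" * 64
    with open(os.path.join(root, "accounts.csv"), "wb") as f:
        f.write(good)
    # Deterministic high-entropy bytes stand in for ciphertext written by the malware.
    junk = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(root, "ledger.db"), "wb") as f:
        f.write(junk)
    with open(os.path.join(root, "README_RESTORE.txt"), "wb") as f:
        f.write(b"Your files are encrypted. Contact us.\n")
    manifest = {
        "accounts.csv": hashlib.sha256(good).hexdigest(),
        "ledger.db": hashlib.sha256(b"ORIGINAL LEDGER CONTENT\n").hexdigest(),
        "config.ini": hashlib.sha256(b"[core]\nmode=prod\n").hexdigest(),  # deleted on disk
    }
    return root, manifest


def run_demo() -> dict:
    root, manifest = build_demo_snapshot()
    return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed snapshot the report flags `ledger.db` as modified and suspicious, `config.ini` as missing, and the ransom-note file as unexpected, so `restorable` is False and the snapshot should not be used. The manifest itself must live somewhere the attackers could not reach (offline media or a separately authenticated store), otherwise they can rewrite it along with the files.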
The Price of Every Option
There are no easy wins in a ransomware crisis. You’ll face pressure from executives, legal teams, customers, and attackers—all at once.
If you pay, you lose money (and possibly your reputation) with no guarantee of getting a working decryptor. If you don't, you risk losing critical data, operations, or even human lives in sensitive industries like healthcare.
But when properly prepared, organizations can navigate the chaos with clarity and avoid becoming permanent victims.