The Dilemma Boards Can’t Ignore

Ransomware negotiations are never smooth sailing. Average payouts sit at around £2 million, according to Paul Cashmore at Solace Global. Jamie MacColl of the Royal United Services Institute notes:

“The stats I see sort of vary between 25% to 35% of victims paying.”

But the latest numbers are starker. 82% of UK firms hit by ransomware paid the ransom, compared to the global average of 58% (BBC). UK organisations are paying at a significantly higher rate than the rest of the world.

It’s understandable to want to pay. In the middle of an attack, when you just want systems back online, a payout can feel like the only option.


As the CEO of KNP, Paul Abbott, put it:

“If what you were going to pay was going to give you back what you want, wouldn’t you? You know, that was the thing… Of course, the authorities don’t want you to pay, but at the end of the day, it’s about 900 people’s jobs.”

This is the boardroom conundrum: save the company and jobs, but at what cost? Millions in ransom? Thousands more in negotiations, remediation, and incident response? And still no guarantee of solving the problem.

The Hidden Cost of Paying

Even if you pay, your data remains stolen. Criminals can still sell it on the dark web. You may regain access to systems, but reputational damage lingers and financial recovery is slow, sometimes impossible.

  • In the UK between 2024 and 2025, only 47% of organisations that paid successfully regained uncorrupted data.
  • 41% failed to recover all their data after payment.
  • 36% of those who paid were hit again, sometimes by the same criminals.

Global data from 2025 shows that only 41% of ransomware victims paid, and of those, just 67% managed to restore their data fully.

The question isn’t just one of ethics or of encouraging crime. It is also practical: is paying actually worth it?

The Fallout No One Talks About

Even with payment, recovery is not guaranteed. Some companies collapse anyway. Losses mount, staff leave, and customer trust erodes.

To make matters worse, disclosure is mandatory. The UK government requires breaches to be reported within 72 hours. That ensures transparency but makes reputational damage unavoidable.

Meanwhile, ransomware doesn’t discriminate. It targets global brands and heritage firms alike, exploiting the same weaknesses:

  • Outdated systems,
  • Human error through phishing and social engineering,
  • Slow detection of threats.

Criminals are adapting quickly. Affiliate models like the one used by RansomHub put ransomware tooling in the hands of low-skilled actors, which has only increased the scale and unpredictability of attacks.

What’s Changing in the UK

Soon, some organisations won’t have the option to pay. The UK government has announced measures to reduce ransomware’s appeal. These include mandatory breach reporting and a partial ban on ransom payments for the public sector and critical national infrastructure.

Ciaran Martin, former chief executive of the NCSC, called this “a very positive step,” saying it “ends the damaging nonsense where criminals can get lucratively paid in secret: the authorities can’t help if they don’t know about something. How it’s implemented is crucial, but it deserves support.”

Not everyone agrees. Jamie MacColl argues ransomware is mostly opportunistic, and criminals won’t change tactics over a partial ban. He believes only a full ban would force change.

The Only Real Option: Resilience

This is why the real question isn’t whether to pay. The question should be: how fast can we detect, contain, and recover without negotiating with criminals? Ransomware payouts aren’t just an ethical dilemma; they’re a critical business decision, and one that rarely ends well for the victim.


As the CEO of the NCSC said:

“We’re focused on raising the defences of organisations, because at the end of the day, that’s the best disruption. Just make it hard for them and they will move on.”

Moving from Reaction to Resilience

Organisations that invest in resilience are the ones that survive. That means:

Because when ransomware strikes, every second counts.

The Boardroom Conversation

If you’re under attack, think carefully about what’s at stake. The cost of paying isn’t just financial; it’s trust, reputation, and future viability.

If you’re reading this before an attack, now is the time to ask the right questions. The boardroom question shouldn’t be:

“Do we pay?”

It should be:

“How do we stop this from happening in the first place?”

👉 Contact CYFOR Secure today to strengthen your ransomware resilience and protect your organisation against the next attack.