Naked Security

Ransomware: What REALLY happens if you pay the crooks?

The primary "business proposal" of ransomware crooks is that they will get all your data back. But how well does that work out in real life?

Governments and law enforcement hate it when ransomware victims pay the blackmail demands that almost always follow a ransomware attack, and you can understand why, given that today’s payments fund tomorrow’s cybercriminality.

Of course, no one needs to be told that.

Paying up hurts in any number of ways, whether you feel that hurt in your head, in your heart or even just in the pit of your stomach.

“I was happy to pay up for a job well done,” said no ransomware victim ever.

However, it’s easy for people who aren’t looking down the wrong end of the cybercrime barrel to say, “You should never, ever pay. You should let your entire business implode, and let everyone in the company lose their job, because that’s just the price of failure.”

So, if your back’s against the wall and you DO pay up in the hope that you’ll be able to restart a business that has ground to a total halt…

…how well will it all go?

Guess what? You can find out by tuning into a fun but informative talk that we’re giving twice this week.

Catch us online on Wednesday 23 June 2021 at the SC Annual Digital Congress, at 14:15 UK time (UTC+1), or on Thursday 24 June 2021 at the Sophos Break a Hacker’s Heart online event, at 11:00 UK time (UTC+1).

You need to register, but both events are free to join. (They’re both 100% virtual, given that the UK is still in coronavirus lockdown, so feel free to attend from anywhere.)

We’ll give you a clue by sharing a key slide from the talk:

As you can see, paying up often doesn’t work out very well anyway, even if you have no ethical qualms about doing so, and enough money burning a hole in your pocket to pay without flinching.

And remember that if you lose 1/3 of your data, like 1/2 of our respondents said they did, you don’t get to choose which computers will decrypt OK and which will fail.

Murphy’s law warns you that the laptops you could have reimaged easily enough will probably decrypt just fine, while those servers you really meant to back up but didn’t… probably won’t.

We’re going to try to make the talk amusing (as amusing as we dare be when talking about such a treacherous subject), but with a serious yet not-too-technical side.

We’ll be giving some tips you can use both at work and at home to reduce the risk of getting ransomed in the first place.

Both talks are live, not pre-recorded, so we’d love you to bring along your questions: you can Ask Us Anything (about ransomware, that is) in the Q&A at the end of each session.

If you can’t make the talks, or even if you can, please take a look at the survey from which our data was drawn.

This report gives some fascinating insights into which countries and industry sectors are most at risk (spoiler alert, everywhere, and everyone):


Sure, say government and law enforcement hate it when you pay, when if they get hacked with ransomware they themselves pay.


So what you’re saying is: Make badass backups and take every precaution you can to not get infected in the first place.


Loosely speaking, yes :-)

Although it’s hard to take *every* precaution as some are inefficient, or expensive, or complicated, or intrusive, and so on. But most people probably could take a few more precautions than they do… or apply the precautions they have decided upon more consistently.

Oh, and never give up on people. It’s trendy to say, “People will never learn so just try to automate everything and rely entirely on technology.” But that’s a bit too much like the “keep them in the dark and treat them like mushrooms” principle if you ask me.

Most people want to do the right thing when it comes to cybersecurity and many of them will rise nicely to the task if you treat them with respect and help them to help you.


Most people absolutely do not want to do the right thing when it comes to cybersecurity. If security means the least bit of inconvenience, they are not for it. They will give lip service to tightening cybersecurity, but if they have to do some moderate thinking or push one more button, that goes out the window.


The graphic suggests at least half the time, businesses are able to recover everything. That’s the statistic that matters most to business owners in this position. Just ask the hard drive data recovery services how much business owners are willing to pay for absolutely no guarantee of recovery.


No it doesn’t… it says that half the people lost a third or more of their data. Thus the other half got back 2/3 or more, which is quite a long way from saying “the other half got back everything”.

From memory (figures in the report itself), only 8%, or 2/25, made a full recovery after paying up. (Remember also that the 2/25 who recovered everything may not actually have done so entirely on the basis of the decryptor they bought. The question just asked how much they got back in the end, so for all we know some may have needed a mix of techniques, though I think we are safe to assume that the decryptor must have helped at least a bit.)


I subscribed my company to a service that provides online security training. It also provides the ability to send out fake phishing emails, among other tests, to check people’s resistance to scams. The greatest number of users who fell for the phishing emails were members of senior management. I don’t think it’s because corporate leaders are more gullible. I think it’s hubris. They don’t have time, they believe, to take the training, and probably feel they don’t need it because they are too smart to be fooled by such scams. Those tests did a lot to dispel that attitude, I hope.


No doubting ransomware is out there and costs the industry countless millions a year but also in the same breath this is also a good way to sell AV product to protect people from the threat.

Like most things in life, each individual/business needs to assess the risk and make an informed decision.


Amusingly, perhaps, the one thing this article didn’t mention was buying an anti-virus product. (Unless you count the download links to our free Sophos Home as a sales pitch.)

Indeed, the article focuses on what happens if you try to recover from ransomware by spending money with the crooks after getting hit.

If your risk assessment computes that this is a cost effective and ethical approach for your business then that is how you should play the game.

Good luck with that. That’s all I’m saying.

